Overview

Policy documents lived across many SharePoint sites without consistent version control or attestations. Employees searched old links, used outdated PDFs, and asked Legal which version applied. Attestations arrived by email or not at all, and audits required scavenging for who saw what. Intelligex centralized policies in a governed repository with Okta single sign-on, standardized versioning and metadata, targeted attestations tied to HR attributes, and permission-aware search with Q&A. Employees found the current policy quickly, Legal tracked who acknowledged which version, and audits referenced a single record—while SharePoint, Okta, and existing tools stayed in place.

Client Profile

  • Industry: Global technology and services
  • Company size (range): Multi-region workforce with shared services and regional operations
  • Stage: Multiple SharePoint sites and file shares; mixed policy templates; no canonical taxonomy; ad hoc acknowledgements in email; inconsistent retention and access
  • Department owner: Legal & Compliance (Policy Governance and Legal Operations)
  • Other stakeholders: HR/HRIS, IT/Collaboration Platforms, Security/Identity, Privacy, Internal Audit, Communications, Regional Compliance Leads

The Challenge

Employees struggled to answer basic questions: which travel policy applied, what the latest code of conduct said about gifts, or whether a regional addendum existed. Search returned duplicate files across sites with similar names. PDFs circulated in chat, and some divisions bookmarked old locations. When policy owners issued updates, links broke and orphaned versions stayed visible. Without consistent versioning and metadata, it was difficult to tell which file was current.

Attestations were manual. Some policy owners sent email requests and tracked replies in spreadsheets; others asked managers to confirm verbally. New hires and transfers were missed, and exemptions were handled off-system. During audits, Legal reconstructed who saw which version and when. Retention and access controls varied by site, so sensitive policies had broader visibility than intended.

Search confused more than it helped. Results mixed draft and final policies, regional variants appeared without context, and employees lacked confidence that they had the right document. Policy Q&A lived in chat channels, so repeat questions consumed time. There was no permission-aware way to answer “What is the policy on X for my region and role?” without exposing content beyond need-to-know.

Why It Was Happening

Policy management was not treated as a governed process. SharePoint library features existed but were not applied consistently. There was no canonical taxonomy, no draft-review-publish workflow, and no single repository with enforced version control. Attestations were disconnected from the content lifecycle, so acknowledgements did not reliably point to a specific version.

Identity and audience data were not integrated. HR knew who was in which department and region, but policy owners selected audiences manually. Without role-based access and targeting at the platform level, owners duplicated content across sites and maintained parallel lists for attestations, which guaranteed drift.

The Solution

Intelligex built a centralized policy repository on SharePoint with governed content types, versioning, and draft-to-publish workflows. Okta single sign-on enforced role-based access. Targeted attestations routed to the right audiences from HR attributes, and completions wrote back to the policy record. A permission-aware search and Q&A layer surfaced only current and audience-appropriate results. The design used SharePoint library versioning, Okta SSO, and search that respected permissions through security trimming (security-trimmed search). Retention aligned to Microsoft governance capabilities (Microsoft Purview retention), and attestations referenced applicable controls for policies and procedures under recognized frameworks.

  • Integrations: SharePoint Online as the policy repository; Okta for SSO and role mapping; HRIS for department, region, and employment status (for targeting and exemptions); acknowledgement service for attestations and reminders; analytics for dashboards.
  • Content model: Canonical policy content types with fields for owner, effective date, jurisdiction, audience, supersedes, and related procedures; draft-review-publish workflow with Legal approvals.
  • Versioning and retention: Major/minor versions with publish gates; prior versions retained and marked superseded; retention labels applied by category.
  • Targeted attestations: Audience selection driven by HR attributes; reminders and escalations to managers; exemptions and offline acknowledgements recorded with reason codes.
  • Permission-aware search and Q&A: Security-trimmed search index; curated answers linked to the current policy; regional variants surfaced by locale; minimal personal data in queries and logs.
  • Access and privacy: Role-based permissions for owners, editors, and viewers; restricted access for sensitive policies; immutable logs of publishes, edits, and attestations.
  • Dashboards and evidence: Attestation status by policy and audience; aging acknowledgements and escalations; search trends and common questions; exportable packets with version history, approvals, and completion events.
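The targeted-attestation logic described in the list above can be sketched as follows. This is an added example, not Intelligex's code; the attribute names, employee records, version strings and the `OFFLINE-ACK` reason code are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Employee:
    emp_id: str
    department: str
    region: str
    status: str  # "active" or "terminated"

def in_audience(emp, rule):
    """rule maps an HR attribute name to the set of values it targets."""
    return all(getattr(emp, attr) in allowed for attr, allowed in rule.items())

def outstanding(employees, rule, current_version, acks, exemptions):
    """Employee ids that still owe an acknowledgement of current_version.

    acks: set of (emp_id, version) completion events.
    exemptions: dict of emp_id -> reason code.
    """
    due = []
    for emp in employees:
        if emp.status != "active" or not in_audience(emp, rule):
            continue
        if emp.emp_id in exemptions:
            continue
        # An acknowledgement counts only for the exact version it was given on.
        if (emp.emp_id, current_version) not in acks:
            due.append(emp.emp_id)
    return sorted(due)

# Constructed sample data; attribute values and reason codes are hypothetical.
RULE = {"region": {"EMEA"}, "department": {"Sales", "Finance"}}
STAFF = [
    Employee("e1", "Sales", "EMEA", "active"),
    Employee("e2", "Sales", "EMEA", "active"),
    Employee("e3", "Finance", "EMEA", "active"),     # new hire, no events yet
    Employee("e4", "Sales", "APAC", "active"),       # outside the audience
    Employee("e5", "Finance", "EMEA", "active"),     # exempt
    Employee("e6", "Sales", "EMEA", "terminated"),
]
ACKS = {("e1", "2.0"), ("e2", "1.0"), ("e6", "1.0")}
EXEMPT = {"e5": "OFFLINE-ACK"}

def after_transfer():
    """e4 moves to EMEA in the HR feed; the audience is recomputed, not edited."""
    moved = [replace(e, region="EMEA") if e.emp_id == "e4" else e for e in STAFF]
    return outstanding(moved, RULE, "2.0", ACKS, EXEMPT)

if __name__ == "__main__":
    print(outstanding(STAFF, RULE, "2.0", ACKS, EXEMPT), after_transfer())
```

Keying completion events on the pair of employee and version is what lets an audit packet state which text a person acknowledged, and recomputing the audience from HR data on each run is what picks up new hires and transfers.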

Implementation

  • Discovery: Inventoried policies across sites and shares; mapped owners, audiences, and regional variants; reviewed current versioning and access patterns; sampled attestation methods; gathered Legal, Privacy, and Audit requirements for approvals, evidence, and retention.
  • Design: Authored the content model and taxonomy (category, jurisdiction, audience); defined draft-review-publish workflows and approval paths; selected targeting logic from HR attributes; planned attestation flows and reminders; designed permission-aware search and curated Q&A; outlined dashboards and exportable evidence; set change control.
  • Build: Created the SharePoint policy hub and libraries with content types and metadata; configured versioning and publish gates; integrated Okta SSO and role mapping; built audience targeting from HRIS; implemented attestation service with reminders and escalations; enabled search index with security trimming and Q&A; instrumented logs, retention labels, and dashboards.
  • Testing/QA: Migrated a representative set of policies into a pilot library; validated versioning and publish approvals; exercised audience targeting and exemptions; tested acknowledgement routing and evidence capture; verified search results and curated answers by region and role; tuned metadata, filters, and templates from feedback.
  • Rollout: Launched the policy hub with high-impact policies first; redirected legacy links to canonical pages; enabled attestations in waves by policy category and region; kept legacy repositories read-only during transition; tightened permissions after stable cycles and archived superseded locations.
  • Training/hand-off: Delivered author and owner guides for drafting, publishing, and versioning; trained HR and managers on attestation dashboards and escalations; briefed employees on finding policies and using Q&A; updated SOPs and playbooks; transferred ownership of taxonomy, workflows, and dashboards to Legal Operations under change control.
  • Human-in-the-loop review: Established a monthly council with Legal, HR, Privacy, and regional leads to review new policy requests, audience changes, and search trends; recorded decisions with rationale and effective dates; updated taxonomy, Q&A, and routing rules accordingly.

Results

Employees found current policies without chasing links. The policy hub presented one authoritative page per policy with effective dates, regional variants, and related procedures. Search returned only the current version based on the employee’s permissions, and curated Q&A answered common questions with links to the policy text.

Attestations became reliable and auditable. Audiences updated automatically from HR, new hires and transfers received outstanding acknowledgements, and managers saw where follow-ups were needed. Legal reviewed dashboards that showed completion status and escalations, and evidence packets included version history, approvals, and attestations. Core tools remained in place; the change added governance, targeting, and permission-aware search between them.

What Changed for the Team

  • Before: Policies were scattered across sites with duplicate PDFs. After: A centralized hub held governed versions with clear effective dates.
  • Before: Attestations were tracked in emails and sheets. After: Targeted acknowledgements routed from HR attributes with reminders and manager escalations.
  • Before: Search returned drafts and outdated files. After: Permission-aware search and curated Q&A surfaced only current, audience-appropriate content.
  • Before: Approvals and retention varied by site. After: Draft-review-publish and retention labels were enforced consistently.
  • Before: Audits reconstructed who saw what. After: Exportable packets showed version history, approvals, and attestations by audience.
  • Before: Owners used different templates. After: A common content model and taxonomy standardized titles, categories, and fields.

Key Takeaways

  • Centralize policy content with governed versioning; one hub reduces drift and broken links.
  • Target attestations from HR attributes; automate audiences, reminders, and exemptions with evidence.
  • Make search permission-aware; security-trimmed indexing and curated Q&A reduce confusion.
  • Encode draft-to-publish; approvals, effective dates, and retention should live in the workflow, not email.
  • Keep identity at the core; Okta SSO and role mapping protect access and simplify adoption.
  • Integrate, don’t replace; keep SharePoint, HRIS, and identity—add governance, targeting, and search controls between them.

FAQ

What tools did this integrate with? SharePoint Online served as the centralized policy repository with versioning. Okta provided single sign-on and role mapping. HRIS data supplied audiences for targeted attestations, and the search layer respected permissions using security trimming. Retention aligned to Microsoft Purview.

How did you handle quality control and governance? Policies moved through a draft-review-publish workflow with Legal approvals. The content model and taxonomy were owned under change control with effective dates and release notes. Attestation rules and audiences were versioned, and every publish, edit, acknowledgement, and exemption wrote to immutable logs. Prior versions were retained and marked superseded.

How did you roll this out without disruption? The hub launched with high-impact policies first. Legacy locations were set to read-only and redirected to canonical pages. Attestations turned on by category and region in waves, and reminders began after owners confirmed audiences. Search indexes were tuned alongside pilot groups before broader rollout.

How did permission-aware search and Q&A work? The index ingested policy pages and metadata while honoring access controls. Queries returned results the requester was allowed to see, and curated Q&A entries linked directly to current policies with regional filters applied. Logs captured queries and clicks to refine answers without storing unnecessary personal data.
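A minimal model of the security-trimmed query path described above, as an added example rather than the deployed search layer. The group names, policy records and field names are constructed assumptions; in the described design the group memberships would come from Okta and SharePoint.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class PolicyVersion:
    policy_id: str
    version: str
    status: str              # "draft", "published" or "superseded"
    jurisdiction: str        # "global" or a region code
    allowed_groups: frozenset  # hypothetical group names, e.g. synced from the IdP
    effective: date
    text: str

EVERYONE = frozenset({"all-employees"})
# Constructed sample index, not data from the case study.
INDEX = [
    PolicyVersion("travel", "1.0", "superseded", "global", EVERYONE, date(2022, 1, 1), "Travel policy: economy class only"),
    PolicyVersion("travel", "2.0", "published", "global", EVERYONE, date(2024, 1, 1), "Travel policy: premium economy over 8 hours"),
    PolicyVersion("travel", "2.1", "draft", "global", EVERYONE, date(2025, 1, 1), "Travel policy: draft changes"),
    PolicyVersion("travel-emea", "1.0", "published", "EMEA", EVERYONE, date(2024, 3, 1), "Travel addendum: rail preferred under 4 hours"),
    PolicyVersion("investigations", "3.0", "published", "global", frozenset({"legal-restricted"}), date(2023, 5, 1), "Investigations: travel and evidence handling"),
]

def visible(doc, groups, region, today):
    """Security trimming plus currency and locale checks for one document."""
    return (doc.status == "published" and doc.effective <= today
            and bool(doc.allowed_groups & groups)
            and doc.jurisdiction in ("global", region))

def search(query, groups, region, today):
    """Trim first, then match, so restricted or stale documents never
    influence hits, counts or ordering seen by the requester."""
    terms = query.lower().split()
    hits = [d for d in INDEX
            if visible(d, groups, region, today)
            and all(t in d.text.lower() for t in terms)]
    # Regional variants sort ahead of the global policy they modify.
    hits.sort(key=lambda d: (d.jurisdiction == "global", d.policy_id))
    return [(d.policy_id, d.version) for d in hits]

if __name__ == "__main__":
    print(search("travel", frozenset({"all-employees"}), "EMEA", date(2024, 6, 1)))
```

Applying the trim before matching, rather than filtering a finished result list, keeps the existence of a restricted policy from showing up in hit counts or ranking.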

How were regional variants and sensitive policies handled? Regional variants used the same content type with locale fields and audience tags. Sensitive policies had restricted access groups in Okta and SharePoint. Search respected those permissions, and attestations routed only to eligible audiences, with exemptions recorded under reason codes.

What about retention and records requirements? Retention labels applied by category, and legal hold was available when necessary. Evidence packets for audits included version history, approvals, sends, and completions. Superseded versions were archived under policy with visible lineage.
