Platform

Executive dashboard

The Executive dashboard is Vigilo's cross-workspace rollup view designed for platform administrators who need a single screen to answer "how is the whole…

Last updated

Overview

The Executive dashboard is Vigilo's cross-workspace rollup view designed for platform administrators who need a single screen to answer "how is the whole org doing?" rather than "how is this one workspace doing?". It aggregates DORA delivery metrics, incident health, SLO attainment, compliance posture, certificate health, and vendor risk across every workspace in the installation and presents them as a tiled scorecard with per-workspace breakdown cards underneath.

The page lives at /ws/{slug}/platform/executive and is backed by GET /api/v1/platform/executive-dashboard/ (delivered in WD.1). Unlike workspace-scoped endpoints, this view deliberately reaches beyond the active workspace — the caller's session workspace is used only for layout and theming; the data span is the set of workspaces the caller is a platform-admin of (typically: all of them).

Why it exists

A workspace owner runs one team and needs operational depth on that team. A platform admin runs the platform and needs to spot the workspace that is drifting before it becomes an outage. Examples of questions the dashboard answers in seconds:

  • Which workspace has the worst change-failure rate this quarter?
  • Which workspace is closest to a SOC2 control falling out of compliance?
  • Which workspace is hoarding 80% of the about-to-expire certificates?
  • Which workspace has incident MTTR climbing for three sprints in a row?

Without the rollup, the only way to answer any of these is to log into each workspace one by one. The dashboard collapses that to a single GET.

Key concepts

  • Cross-workspace aggregation — The endpoint loops over WorkspaceMembership.objects.filter(user=request.user, role__in=['platform_admin']), runs the per-domain aggregator inside a temporary RLS context for each workspace, then unions the results. RLS context is restored on exit so the caller does not accidentally retain elevated visibility.
  • Six KPI domains — DORA (deploy_frequency, lead_time_for_changes, change_failure_rate, mttr), incidents (open, MTTA, MTTR, postmortem coverage), SLOs (objectives in budget, fastest burn), compliance (control pass rate per framework), certificate health (expiring in 7/30/90 days), vendor risk (tier 1 vendors out of review).
  • Per-workspace breakdown cards — Each domain tile is clickable; clicking expands a small-multiples view, one card per workspace with sparkline + delta vs previous period. Cards are sorted worst-first by default so the drift surfaces at the top.
  • PDF export — The Export PDF button (top right) renders the same data through a server-side reportlab template. The PDF is one page per domain, cover page with org name + period, and an appendix with raw numbers per workspace. Useful for board packs.
  • Period selector — Default is rolling 28 days. Options include 7 / 28 / 90 / 365 days and "custom range". The selector is persisted to localStorage so it survives reloads.

Common workflows

1. Spot the worst-performing workspace this quarter

  1. Open Platform → Executive.
  2. Set the period to 90 days.
  3. Click the Change failure rate tile to expand the per-workspace breakdown.
  4. The top-left card is your worst performer. Click the workspace name to deep-link into that workspace's own DORA dashboard with the same period applied.

2. Board-ready PDF for the quarterly review

  1. Set the period to 90 days (or the custom date range your board uses).
  2. Click Export PDF.
  3. The browser downloads vigilo-executive-{YYYYMMDD}.pdf. Pages 1-6 are the domain summaries, page 7 is the appendix with raw rollups per workspace.
  4. The PDF watermark includes the requesting user's email and the export timestamp so it can be traced if it leaks.

3. Triage cert expiry across the org

  1. Click the Certificates tile.
  2. The expansion shows three columns: expiring in 7 days, 30 days, 90 days, per workspace.
  3. Cells over a threshold light up red; click the cell to jump to /ws/{slug}/monitor/certs?within=7&status=expiring in that workspace.

4. Spot a compliance control that is about to fail

  1. Click the Compliance tile.
  2. Each workspace card shows control pass rate per framework (SOC2, ISO27001, HIPAA — whichever are configured).
  3. A workspace whose pass rate dropped >5 points in the period gets a red trend chevron. Click it to land on that workspace's /governance/frameworks page.

Permissions

The dashboard is gated by a single check: the caller must hold the platform_admin role on at least one workspace. The endpoint returns 403 with code='platform_admin_required' otherwise. Workspace admins and owners do NOT see this page, by design — it would expose data from peer workspaces they do not belong to.

Action Required role
View the dashboard platform_admin
Export PDF platform_admin
Click through to a workspace card platform_admin (any membership in that workspace also works)

Workspace-scoped RLS still applies inside each per-workspace aggregator — the platform admin sees aggregates, not individual rows, until they click into a workspace.

Troubleshooting

The page shows "no workspaces in scope". You are not a platform_admin on any workspace, or your membership rows were recently revoked. Check Admin → Members in any workspace you own.

Some workspaces are missing from the breakdown. Workspaces with is_active=False are skipped. Workspaces in a different region than the platform-admin's home region are also skipped when VIGILO_STRICT_RESIDENCY=true (see the GDPR + residency article).

PDF export hangs or times out. Each domain runs its own aggregator query; if any workspace has millions of audit rows the PDF render can take >30s. The endpoint enqueues a Celery job and emails you the link when it exceeds the synchronous threshold. Check your inbox.

The compliance tile is empty. No workspace in scope has set up a framework yet. See the compliance frameworks article to seed SOC2/ISO27001/HIPAA controls per workspace.

The numbers do not match what I see in the workspace dashboards. The Executive dashboard uses end-of-day snapshots from WorkspaceUsageSnapshot and ComplianceSnapshotHistory rather than live counts, so it lags the in-workspace views by up to 24 hours. Hover any tile to see the snapshot timestamp.

Related articles