Pre-emptive compliance is a mechanism whereby proposed
configuration changes can be checked for compliance before being provisioned
on the device, allowing you to evaluate the impact of configuration
changes against pre-defined compliance policies for a device. To run
a pre-emptive compliance check, you first create a policy, or modify
an existing one, so that it is suitable for pre-emptive execution.
You then create a compliance process to apply the pre-emptive policy
to a device.
Before you begin
Pre-emptive compliance can only be applied to 'Apply Commandset'
and 'Submit Configuration' workflows, as it can only be applied to
a modelled configuration. Pre-emptive compliance can only be applied
to devices which have smart model driver support. By using the smart
model we can project what the device configuration will look like
if the changes were applied, and hence we can run compliance checks
against this projected configuration. Note: Any policy that contains
native command line checks will be rejected, and result in a status
of 'Not Assessed'.
About this task
All policy configurations are implemented through the Netcool Configuration
Manager - Compliance UI.
Procedure
- Create a pre-emptive compliance policy, or edit an existing
compliance policy, to be pre-emptive.
- Create a Compliance Process to apply the pre-emptive policy
to a device.
A process is an existing compliance entity normally used as the
execution vehicle for compliance checks. When a pre-emptive execution
is initiated from the Netcool Configuration Manager workflow, it
queries any potential association, and locates which policies need
to be applied. Since pre-emptive compliance can only be applied to
a modelled configuration, only the 'Apply Commandset' and 'Submit
Configuration' workflows are affected.
- Optional: To view the pre-emptive policies
that have been defined for a device, perform the following actions:
- On the Netcool Configuration
Manager - Compliance Devices
tab, right-click a device to select it.
- Select View Pre-emptive Policies for device.
A dialog displays a list of the applicable pre-emptive
policies.
- Optional: To view pre-emptive policy results
from the Queue Manager, perform the following actions:
- Select the unit of work (UOW) in the Queue Manager from
either the 'Work That is Finished' or the 'Work Pending
Approval' column (if approvals are enabled).
- Select the Resources tab, and choose a device from the
Resource list.
The pre-emptive compliance policy results are displayed
on the following two tabs:
- Work log
- The Work log shows the pre-emptive compliance result for both
the current configuration and the projected configuration.
- Pre-emptive Compliance
- Shows the pre-emptive compliance results.
- Optional: To view pre-emptive policy results
from the Resource Browser, perform the following actions:
- Right-click the device to select it.
- Select the UOW from the Work tab.
The pre-emptive compliance policy results are displayed
on the following two tabs:
- Audit log
- The Audit log displays the pre-emptive compliance result for both
the current configuration and the projected configuration.
- Pre-emptive Compliance
- Shows the pre-emptive compliance results for 'Apply Commandset'
and 'Submit Configuration' work types.
- You can drill down into the Validation detail by double-clicking
on the individual policy, or by selecting the Policy row
and then clicking View Policy Result Detail.
Results
If the user submitting the work requires approval, the pre-emptive
checks are executed first, before the work is pushed into the
Approval queue. The approver of the work can then view the pre-emptive
results before approving or rejecting the work. Once approved, the
work is applied to the device without running pre-emptive checks.
What to do next
Note: Be aware of the following default properties in
/opt/IBM/tivoli/netcool/ncm/compliance/config/properties/WorkFlowManager.properties.
WorkFlowManager/usePolicyCache=false
- This can be set so that policies are cached to enable faster
execution. This is off by default.
WorkFlowManager/clearPolicyCacheAfter=1800
- The cache is cleared after the specified number of seconds.
Compliance/policies.find.mode=all
- The search mode can be all, xpath or name. "all" is a search
conducted regardless of xpath or name, "xpath" runs only on xpath
matches, and "name" searches when a policy has the same name as the
configuration being applied.