Creating pre-emptive policies

Pre-emptive compliance is a mechanism whereby proposed configuration changes are checked for compliance before they are provisioned on the device, allowing you to evaluate the impact of configuration changes against pre-defined compliance policies for a device. To run a pre-emptive compliance check, you first create policies, or modify existing ones, so that they are suitable for pre-emptive execution. You then create a compliance process to apply the pre-emptive policy to a device.

Before you begin

Pre-emptive compliance can only be applied to 'Apply Commandset' and 'Submit Configuration' workflows, as it can only be applied to a modelled configuration. Pre-emptive compliance can only be applied to devices that have smart model driver support. The smart model is used to project what the device configuration would look like if the changes were applied, and the compliance checks are then run against this projected configuration.
Note: Any policy that contains native command line checks will be rejected, and result in a status of 'Not Assessed'.

About this task

All policy configurations are implemented through the Netcool Configuration Manager - Compliance UI.

Procedure

  1. Create a pre-emptive compliance policy, or edit an existing compliance policy, to be pre-emptive.
  2. Create a Compliance Process to apply the pre-emptive policy to a device.
    A process is an existing compliance entity normally used as the execution vehicle for compliance checks.
    When a pre-emptive execution is initiated from the Netcool Configuration Manager workflow, it queries any potential association, and locates which policies need to be applied. Since pre-emptive compliance can only be applied to a modelled configuration, only the 'Apply Commandset' and 'Submit Configuration' workflows are affected.
  3. Optional: To view the pre-emptive policies that have been defined for a device, perform the following actions:
    1. On the Netcool Configuration Manager - Compliance Devices tab, right-click a device to select it.
    2. Select View Pre-emptive Policies for device.
    A dialog displays a list of the applicable pre-emptive policies.
  4. Optional: To view pre-emptive policy results from the Queue Manager, perform the following actions:
    1. Select the unit of work (UOW) in the Queue Manager from either the 'Work That is Finished' or the 'Work Pending Approval' column (if approvals are enabled).
    2. Select the Resources tab, and choose a device from the Resource list.
    The pre-emptive compliance policy results are displayed on the following two tabs:
    Work log
    The Work log shows the pre-emptive compliance result for both the current configuration and the projected configuration.
    Pre-emptive Compliance
    Shows the pre-emptive compliance results.
  5. Optional: To view pre-emptive policy results from the Resource Browser, perform the following actions:
    1. Right-click the device to select it.
    2. Select the UOW from the Work tab.
    The pre-emptive compliance policy results are displayed on the following two tabs:
    Audit log
    The Audit log displays the pre-emptive compliance result for both the current configuration and the projected configuration.
    Pre-emptive Compliance
    Shows the pre-emptive compliance results for the 'Apply Commandset' and 'Submit Configuration' work types.
    You can drill down into the Validation detail by double-clicking on the individual policy, or by selecting the Policy row and then clicking View Policy Result Detail.

Results

If the user submitting the work requires approval, the pre-emptive checks are executed before the work is pushed into the Approval queue. The approver of the work can then view the pre-emptive results before approving or rejecting the work. Once approved, the work is applied to the device without running pre-emptive checks.

What to do next

Note:
Please be aware of the following default properties in /opt/IBM/tivoli/netcool/ncm/compliance/config/properties/WorkFlowManager.properties.

WorkFlowManager/usePolicyCache=false - This can be set so that policies may be cached to enable faster execution. This is off by default.

WorkFlowManager/clearPolicyCacheAfter=1800 - Cache is cleared after the specified number of seconds.

Compliance/policies.find.mode=all - Search mode can be all, xpath or name. 'all' searches regardless of xpath or name, 'xpath' runs only on xpath matches, and 'name' searches when a policy has the same name as the config being applied.
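
The following script is an added example, not part of the product or its documentation. It reads the text of WorkFlowManager.properties and reports any of the three properties above that differ from the documented defaults or fall outside the documented values. It assumes simple key=value lines and assumes that a missing key takes the default listed above; the sample input is constructed.

```python
# Documented defaults, taken from the note above.
DEFAULTS = {
    "WorkFlowManager/usePolicyCache": "false",
    "WorkFlowManager/clearPolicyCacheAfter": "1800",
    "Compliance/policies.find.mode": "all",
}
FIND_MODES = {"all", "xpath", "name"}  # documented search modes

def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments (no continuation lines)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def review(text):
    """Return (effective settings, findings) for the three documented properties."""
    props = parse_properties(text)
    # Assumption: a key absent from the file takes the documented default.
    effective = {k: props.get(k, d) for k, d in DEFAULTS.items()}
    findings = []
    cache = effective["WorkFlowManager/usePolicyCache"].lower()
    ttl = effective["WorkFlowManager/clearPolicyCacheAfter"]
    mode = effective["Compliance/policies.find.mode"].lower()
    if cache not in ("true", "false"):
        findings.append("usePolicyCache is not true or false")
    if not ttl.isdecimal() or int(ttl) == 0:
        findings.append("clearPolicyCacheAfter is not a positive number of seconds")
    elif cache == "true":
        findings.append(f"policy cache is on and is cleared every {ttl}s")
    if mode not in FIND_MODES:
        findings.append(f"policies.find.mode={mode!r} is not all, xpath or name")
    elif mode != "all":
        findings.append(f"policies.find.mode={mode}: policy search is narrower than 'all'")
    return effective, findings

# Constructed sample, not taken from a real installation.
SAMPLE = """# WorkFlowManager.properties (constructed sample)
WorkFlowManager/usePolicyCache=true
WorkFlowManager/clearPolicyCacheAfter=1800
Compliance/policies.find.mode=name
"""

if __name__ == "__main__":
    for finding in review(SAMPLE)[1]:
        print(finding)
```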