Editing an existing compliance definition
A compliance definition captures the device characteristics that must be validated as part of a specific policy. The scope of a compliance definition may range from a single configuration line that must be evaluated to a complex evaluation of multiple configuration snippets with regular expression logic and parameters. Use this procedure to edit an existing compliance definition.
Before you begin
Users have the option of editing an existing compliance definition at any time. When all changes have been saved, the user can activate the policy component as a new version. The previous version becomes inactive.
About this task
Follow these steps to edit an existing compliance definition.
Procedure
- Select the Policy Definitions tab, and select Definitions.
- Right-click on the definition you want to edit, and select Edit Definition. Alternatively, select the definition and click the Edit Definition icon on the toolbar.
The Edit Definition Details window displays.
- Make any necessary edits to the compliance definition.
Use the following descriptions as a guide to editing the fields displayed
in the Edit Definition Details window.
- Evaluation Line
- The value or expression on which you want to search.
- Parameters
- This is an optional field. This field provides a drop down list for the type of parameter you want. There is also an Insert Parameter button used to insert the parameter.
Note: Placing a parameter inside another parameter is not supported.
- Match Criteria
- Specifies a drop down list for the criteria used to match the
device configuration. The following table describes the options in
the drop down list:
Match option: Description
Match All
Matches all evaluations added to the Compliance Definition.
Match Any
Matches any of the evaluations added to the Compliance Definition.
Match None
None of the evaluations added must be found in the Device Configuration.
Match One
Matches only one of the evaluations added to the Compliance Definition. If more than one of the evaluations are matched, the match fails.
Match Exactly
Find and match all evaluations, and only these evaluations. If any are found outside these criteria, the test result will be Fail.
Match Specific Number
Matches a specific number of evaluations as defined by the user. For example, Match 2 out of the 6 evaluations listed. This choice activates an integer field called Specific Number.
- Number
- This is activated when the Match Specific Number option is chosen. An integer must be entered here.
- Evaluation Result if Context not found
- You can opt to choose the result you wish to receive if the context
is not found. The options are: Fail, Pass, Not Assessed, Not Applicable.
If there are a number of different results, the overall result will be Pass as long as there are no Fails in the result. For example, you may have two Not Applicable results and one Pass, or all Not Applicable; the overall result will be Pass.
- Evaluation List Criteria
- Used to match evaluations shown in the list.
See Match Criteria (for Group/Extraction Parameter values) above for an explanation of the choices available.
- Regex Tool
- You use the regex tool to test native definition regular expressions
against a device configuration or a snippet of CLI. The regex tool
is available for both definitions using native CLI configuration lines,
and using native commands. You can either create your regex in the
tool, or edit it using the text in the evaluation field.
Regex Tool window elements: Description
Tabs
You can add as many tabs as your memory allows. The regex in the Regex Pattern field is applied to each tab and the matches are highlighted.
- To create a new tab, click the green plus (+).
- To delete a tab, click the red X.
- To rename a tab, double-click the name.
Note: The test tabs are only available when the wizard is open.
Regex Test Data evaluation field
Configurations are displayed here, as are any matches when the regex is run.
Matches are alternately highlighted in yellow and blue.
The Import Device icon is displayed under the first tab. Using this, you can import a configuration from a device into the Regex Test Data field.
When you click this option, the Device Select dialog opens. Drill down into the device realms and select a device. Click OK to populate the Regex Test Data field.
The Import File icon is displayed next to the Device tree icon. Using this, you can import a configuration from a text file into the Regex Test Data field.
When you click this option, a standard file selection dialog opens. Drill down into your folders and select a file.
Note: You can only select a text file.
Click Open to populate the Regex Test Data field with the contents of the selected text file.
The arrow icons are displayed next to the Import File icon.
Once you have obtained matches, the arrow icons are enabled and you can use them to move from match to match.
Matches in the evaluation window are alternately highlighted in yellow and blue.
Currently selected matches are highlighted in grey.
The arrow icons are enabled if there are matches on the selected tab. The up arrow highlights the previous match, and the down arrow highlights the next match. Currently highlighted matches are highlighted in grey.
Regex Pattern field
Enter the regular expression for testing into the Regex Pattern field.
Match
Execute the test against all open tabs, and highlight the matches in each tab with a count of the number of matches returned on each tab.
Clear Matches
Clear the matches highlighted, as well as the Match count on each tab.
OK
Move the regular expression in the Regex Pattern field into the Regex Test Data field.
Cancel
Closes the Regex Tool window.
Menu bar
All options described are also available from the menu bar (File, Edit, Regex, Tabs):
- Edit
- In addition to the button options, you can access the cut, copy and paste functionality from the Edit menu.
- Regex
- In addition to the Regex button options, you can access a History dropdown from the Regex menu.
- The last ten successful matches are stored as history, with the most recent one at the top.
Note: If the regex is over a certain length, the History dropdown list displays a truncated version of it.
- Add
- Adds another selection.
- Update
- Updates screen.
- Edit
- Edits current selection.
- Delete
- Deletes current selection.
- Test
- The definition test button is enabled when editing or creating a definition, but not when opening a definition. Also, it is only available for modeled and native definitions (not scripts).
- You use the definition test functionality to execute a definition against all open tabs, and view the results.
- You can test definitions using native CLI configuration lines,
native commands or device models. You can view results in the evaluation
list either in detail, or as a summary.
Definition Test window elements: Description
Definition Test window
When you click Test, the Definition Test window is displayed (it resembles the Regex Tool window).
When you import definitions from a device, the type of definition you are creating determines what content is imported from the device:
- For modeled definitions
- Imports the XML configuration from the device.
- For native CLI definitions
- Imports the CLI configuration for the device.
- For native commands definitions
- Imports the show commands from the device into the text area in the tab.
Warning: Importing a text file from a file with an XML extension may result in an error when you execute the test.
Tabs
You can add as many tabs as your memory allows. The definition is applied to each tab and the results are flagged on the tabs.
- Green flag
- Passed
- Red flag
- Failed
- Yellow flag
- Not assessed
Evaluation list
Results are displayed in the Evaluation list under a number of columns.
- Evaluation
- 532: Is the same as XPath
- 533: Is the same as Evaluation Line
- 534: Is the same as Evaluation Line
- This is the search criteria for the Definition or the XPath to search for in the case of Device Models
- Match Criteria
- The criteria used to match the device configuration: Match All, Match Any, None, One, Exactly, Specific Number
- Match Criteria Argument
- 532: Is the same as Number
- 533: Is the same as Number
- 534: Is the same as Number
- Only available on group parameters and extractions. Same as Match Specific Number.
- Default Result
- The default result is the value defined in the Evaluation Result if Context not found option, that is, one of Fail, Pass, Not Assessed, and Not Applicable.
Note: If there are a number of different results, the overall result will be Pass as long as there are no Fails in the result. For example, you may have two Not Applicable results and one Pass, or all Not Applicable; the overall result will be Pass.
- The user can opt to choose the result they wish to receive if the context is not found. The options are: Fail, Pass, Not Assessed, Not Applicable.
- Result
- Green text = Pass, Red text = Fail, Yellow text = Not Assessed/Not Applicable, Blue text = Error
Restriction: Script parameters and extractions are not supported. If any are found in the evaluation they will not be assessed during the test, and the overall definition result will be not assessed.
Details mode
You can toggle between Details and Summary mode to select the level of detail displayed in the test results. When in Summary mode, you can click on each evaluation to display detailed results.
Clear all
Clears the results from the Evaluation List and tabs.
Test
Click to run the test.
Close
Closes the Definition Test window.
Note: The test tabs are only available when the window is open.
Menu bar
All options described are also available from the menu bar (File, Edit, Mode, Tabs).
- Click Finish to complete the editing of the specified compliance definition.
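The Match Criteria options, the Evaluation Result if Context not found field, and the overall-result rule described in step 3 can be reasoned about offline with a small model. The following is an added example, not the product's code: the function names, the sample configuration, the treatment of context as a regex, and the reading of Match Specific Number as "exactly this many" are assumptions. Match Exactly is left out because the page does not define the scope it compares against.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
no ip http server
ip ssh version 2
line vty 0 4
 transport input ssh
"""

RESULTS = ("Fail", "Pass", "Not Assessed", "Not Applicable")

def evaluate(config, evaluations, criteria, number=None,
             context=None, default_result="Not Applicable"):
    """Model one definition: regex evaluation lines plus a Match Criteria option."""
    if default_result not in RESULTS:
        raise ValueError("unknown default result: %r" % default_result)
    # Assumption: 'context' is a regex that must match for the evaluations to apply.
    if context is not None and not re.search(context, config, re.MULTILINE):
        return default_result  # "Evaluation Result if Context not found"
    hits = sum(bool(re.search(rx, config, re.MULTILINE)) for rx in evaluations)
    if criteria == "Match All":
        ok = hits == len(evaluations)
    elif criteria == "Match Any":
        ok = hits >= 1
    elif criteria == "Match None":
        ok = hits == 0
    elif criteria == "Match One":
        ok = hits == 1  # more than one matched evaluation fails
    elif criteria == "Match Specific Number":
        if not isinstance(number, int):
            raise ValueError("Match Specific Number requires an integer")
        ok = hits == number  # assumption: exactly this many, not "at least"
    else:
        raise ValueError("unsupported match criteria: %r" % criteria)
    return "Pass" if ok else "Fail"

def overall(results):
    """Overall result is Pass as long as no individual result is Fail."""
    return "Fail" if "Fail" in results else "Pass"

def demo():
    ssh = [r"^ip ssh version 2$", r"^\s*transport input ssh$"]
    return [
        evaluate(SAMPLE_CONFIG, ssh, "Match All"),
        # Anchored on purpose: "no ip http server" must not count as a hit.
        evaluate(SAMPLE_CONFIG, [r"^ip http server$"], "Match None"),
        evaluate(SAMPLE_CONFIG, [r"^ip address "], "Match Any",
                 context=r"^interface Tunnel0$"),
    ]
```

With Match None, an unanchored pattern such as `ip http server` also matches the hardened line `no ip http server` and turns a compliant configuration into a Fail, so anchor evaluation lines and confirm them in the Regex Tool before activating the definition.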
What to do next
The revision number on the modified compliance definition will have been incremented by one, and the compliance definition can now be activated.
It is not necessarily the compliance definition with the highest revision number that is active, as you can return to a previous version and activate it.