Managing Service Compliance

You can ensure that required attributes are assigned to services by configuring the Compliance policy, so that you can keep track of who is incurring service costs. When configuring the attributes required for compliance, you can choose from:

all configured custom attributes (except those that apply only to request forms)

Expiry Date

Primary Owner

A service is compliant in the following situations:

when no Compliance policy has been configured

when a Compliance policy has been configured and the required attributes have been set

when a Compliance policy has been configured, a VM has been cloned, and the required attributes on the VM have been verified

Compliant

You are notified that a service is non-compliant in the following situations:

when a Compliance policy has been configured and the values for required attributes are not set (Non-compliant: Incomplete)

when a Compliance policy has been configured and a VM has been cloned (Non-compliant: Unverified). In this case, although the VM has the same attributes as its parent, the VM must be verified, as detailed in the next section.

How does the Compliance policy affect templates?

The Compliance policy changes the compliance state for templates, and policy actions are are also performed on templates. It's possible to deploy a VM from a template in the Non-compliant state.

Verifying a service to make it compliant

Access through:

Views menu > Operational, VMs and Templates, or Datastore

Available to:

Administrator and All Operator Levels of Access Rights

To make a service compliant if you are notified that it is Non-compliant: Incomplete or Non-compliant: Unverified:

1.Navigate to a service in the tree or in a table, and do one of the following.

For a VM, right-click and choose Policy Enforcement > Set Compliance Data.

For all other service types, right-click and choose Set Compliance Data.

2.In the Set Compliance Data dialog, provide a value for each attribute.

3.Click Verify/Save.

Warning messages for "Set Compliance Data"

This message:

Occurs when:

Action to take:

No Compliance policy is defined.

You have selected a service that is not governed by a compliance policy.

To set compliance data for the service, configure a Compliance policy as shown below.

Selected services are not governed by the same compliance policy.

You have selected a group of services that are governed by different compliance policies.

Select only those services that are governed by the same compliance policy.

If you have selected templates  in the Operational view, deselect the templates.

Configuring the Compliance policy

Access through:

Configuration menu > Policies

Available to:

vCommander Role of Superuser and Enterprise Admin

Administrator Access Rights

Use this policy to identify services that do not have required attributes assigned to them. The policy can notify administrators of issues about the service and can take automatic actions on the service.

NotePencil-smallAny configuration of this policy on a system-wide basis can affect all managed systems that are managed by vCommander now and can affect all managed systems that are added to vCommander in the future. If you do not want any managed system to be automatically affected by this policy, configure the policy by selected infrastructure elements only, instead of the root Operational view or root VMs and Templates view.

Setting metadata through command workflows: You can create a command workflow to set values for attributes that you require for services to be deemed compliant. You can then attach that command workflow to a compliance policy. Whenever a service becomes non-compliant, the compliance policy will run the command workflow to reset the attribute values, automatically ensuring compliance.

1.On the Policies tab, click Add.

2.On the Choose a Policy page, choose Compliance from the list of policies, then click Next.

3.On the Policy Name/Description page, enter a name and an optional description, then click Next.

4.On the Choose a Target page, from the Target View Type list, select Operational or VMs and Templates.

NotePencil-smallIf a VM is deployed into a location where multiple policies target the Operational view and the VMs and Templates view, the policy targeting the Operational view takes precedence.

5.To select the target you want the policy to apply to, expand the Operational or VMs and Templates tree if required, and select the infrastructure elements you want.

6.On the Compliance page, select one or more attributes from the list. You can choose from all configured custom attributes (except those that apply only to request forms), plus Expiry Date and Primary Owner.

7.On the Configure the Policy page, to configure the policy but keep it turned off until you are ready to enable it, make sure Enable policy is unchecked.

8.From the Take Action drop-down menu, select from the options.

When you click:

After you enable the policy and if the policy is triggered, the result is:

To consider:

Notification Only

No action is taken for the service. An alert is created, notifying you that the policy has triggered. See also Subscribing to Policy Alerts.

Quarantine

The VM is quarantined if the policy is triggered.

Note: If you include this action in a policy targeting services in a managed system other than vCenter, the action will fail.

Suspend

The service is suspended.

When a service is suspended, you are saving it in its current state so that you can work with it later in the same state.

Not supported for VMs in public cloud managed systems. If you include this action in a policy targeting services in a public cloud managed system, the action will fail.

Stop

The Guest OS is shut down.

Run [Workflow]

Run the selected workflow.

Existing command workflows appear for selection. If the policy is triggered, the selected workflow is run.

Click Add Workflow to set up a new command workflow.

9.Choose either or both of the following options to send alerts:

To send an alert to an SNMP trap listener if you have SNMP configured, enable Send Alert via SNMP.

To generate an alert in vCenter, enable Generate vCenter Alerts.

10.Select the number of hours for the Grace Period.

The grace period is the period of time that is allowed to elapse before the Compliance policy acts on a service. For example, if a grace period of 18 hours is selected and if a new service is created without all the required attributes, 18 hours will elapse before the Compliance policy acts on the service.

11.Decide whether to allow children of the targets to have their own instance of the policy and optionally disable this setting.

If you enable this option, other instances of this policy can be applied to any infrastructure elements and services that are children of the parent infrastructure element you have selected (an override).

12.On the Summary page, the summary of your policy options appears.

If you have enabled the policy and as a result, any services are going to be immediately affected by it, vCommander displays the number of affected services.

To see what services are affected by the policy actions you selected, click Review, then click OK to return to the summary.

13.Click Finish to complete the configuration.

Your policy options are now set in vCommander.