Managing Service Compliance

You can ensure that required attributes are assigned to services by configuring the Compliance policy, so that you can keep track of who is incurring service costs. When configuring the attributes required for compliance, you can choose from:

  • all configured custom attributes (except those that apply only to request forms)
  • Expiry Date
  • Primary Owner

A service is compliant in the following situations:

  • when no Compliance policy has been configured
  • when a Compliance policy has been configured and the required attributes have been set
  • when a Compliance policy has been configured, a VM has been cloned, and the required attributes on the VM have been verified

Compliant

You're notified that a service is non-compliant in the following situations:

  • when a Compliance policy has been configured and the values for required attributes aren't set (Non-compliant: Incomplete)
  • when a Compliance policy has been configured and a VM has been cloned (Non-compliant: Unverified). In this case, although the VM has the same attributes as its parent, the VM must be verified, as detailed in the next section.

How the Compliance policy affects templates

The Compliance policy changes the compliance state for templates, and policy actions are are also performed on templates. It's possible to deploy a VM from a template in the Non-compliant state.

Verifying a service to make it compliant

Access through:

Views menu > Inventory > Infrastructure, Applications, or Storage

Available to:

Administrator and All Operator Levels of Access Rights

To make a service compliant if you're notified that it's Non-compliant: Incomplete or Non-compliant: Unverified:

  1. Navigate to a service in the tree or in a table, and do one of the following.
    • For a VM, right-click and choose Policy Enforcement > Set Compliance Data.
    • For all other service types, right-click and choose Set Compliance Data.
  2. In the Set Compliance Data dialog, provide a value for each attribute.
  3. Click Verify/Save.

Warning messages for "Set Compliance Data"

This message:

Occurs when:

Action to take:

No Compliance policy is defined.

You've selected a service that isn't governed by a compliance policy.

To set compliance data for the service, configure a Compliance policy as shown below.

Selected services are not governed by the same compliance policy.

You've selected a group of services that are governed by different compliance policies.

Select only those services that are governed by the same compliance policy.

If you've selected templates  in the Infrastructure view, deselect the templates.

Configuring the Compliance policy

Access through:

Configuration menu > Policies

Available to:

Commander Role of Superuser and Enterprise Admin

Administrator Access Rights

Use this policy to identify services that don't have required attributes assigned to them. The policy can notify administrators of issues about the service and can take automatic actions on the service.

Any configuration of this policy on a system-wide basis can affect all managed systems that are managed by Commander now and can affect all managed systems that are added to Commander in the future. If you don't want any managed system to be automatically affected by this policy, configure the policy by selected infrastructure elements only, instead of the root Infrastructure view or root Applications view.

Setting metadata through command workflows: You can create a command workflow to set values for attributes that you require for services to be deemed compliant. You can then attach that command workflow to a compliance policy. Whenever a service becomes non-compliant, the compliance policy will run the command workflow to reset the attribute values, automatically ensuring compliance.

  1. On the Policies tab, click Add.
  2. On the Choose a Policy page, choose Compliance from the list of policies, then click Next.
  3. On the Policy Name/Description page, enter a name and an optional description, then click Next.
  4. On the Choose a Target page, from the Target View Type list, select Infrastructure or Applications.

    If a VM is deployed into a location where multiple policies target the Infrastructure view and the Applications view, the policy targeting the Infrastructure view takes precedence.

  5. To select the target you want the policy to apply to, expand the Infrastructure or Applications tree if required, and select the infrastructure elements you want.
  6. On the Compliance page, select one or more attributes from the list.

    You can choose from all configured custom attributes (except those that apply only to request forms), plus Expiry Date and Primary Owner.

  7. On the Configure the Policy page, to configure the policy but keep it turned off until you're ready to enable it, make sure Enable policy is unchecked.
  8. From the Take Action drop-down menu, select from the options.

    When you click:

    After you enable the policy and if the policy is triggered, the result is:

    To consider:

    Notification Only

    No action is taken for the service. An alert is created, notifying you that the policy has triggered. See also Subscribing to Policy Alerts.

    Quarantine

    The VM is quarantined if the policy is triggered.

    Note: If you include this action in a policy targeting services in a managed system other than vCenter, the action will fail.

    Suspend

    The service is suspended.

    When a service is suspended, you're saving it in its current state so that you can work with it later in the same state.

    Not supported for VMs in public cloud managed systems. If you include this action in a policy targeting services in a public cloud managed system, the action will fail.

    Stop

    The Guest OS is shut down.

    Run [Workflow]

    Run the selected workflow.

    Existing command workflows appear for selection. If the policy is triggered, the selected workflow is run.

    Click Add Workflow to set up a new command workflow.

  9. Choose either or both of the following options to send alerts:
    • To send an alert to an SNMP trap listener if you have SNMP configured, enable Send Alert via SNMP.
    • To generate an alert in vCenter, enable Generate vCenter Alerts.
  10. Select the number of hours for the Grace Period.

    The grace period is the period of time that is allowed to elapse before the Compliance policy acts on a service. For example, if a grace period of 18 hours is selected and if a new service is created without all the required attributes, 18 hours will elapse before the Compliance policy acts on the service.

  11. Decide whether to allow children of the targets to have their own instance of the policy and optionally disable this setting.

    If you enable this option, other instances of this policy can be applied to any infrastructure elements and services that are children of the parent infrastructure element you've selected (an override).

  12. On the Summary page, the summary of your policy options appears.

    If you've enabled the policy and as a result, any services are going to be immediately affected by it, Commander displays the number of affected services.

    To see what services are affected by the policy actions you selected, click Review, then click OK to return to the summary.

  13. Click Finish to complete the configuration.

    Your policy options are now set in Commander.