
Configuring Policies

Viewing Policies

You can view policies, including those imported with the Reference Policy Set by following these steps:

  1. Log into IQ Server using an account that has permission to "View IQ Elements" for repositories or specific organizations or applications. At a minimum, the account should be assigned the role of Owner or Developer for repositories or specific organizations or applications.

  2. Click the Organization & Policies button on the IQ Server toolbar.

  3. Click the Repositories or select the desired organization or application in the sidebar.

  4. If you selected an organization or application, click the Policies button in the menubar near the top of the page to jump to the Policies section. If you clicked Repositories, scroll down to the Policies section.

  5. Click the desired policy to view policy details.

Note that policies are grouped according to where they are located in the system hierarchy:

  • Local - The policy was added at the level of repositories or the selected organization or application.

  • Inherited From [organization name] - The policy was added at some level higher in the system hierarchy.

When you open an inherited policy, the view is read-only. You can expand collapsed sections in the view to see details, but you cannot make changes to the policy settings.

Creating Policies

Before you begin, you need to decide which level in the system hierarchy to use for new policies:

  • Root Organization - Policies at this level are inherited by all repositories, organizations, and applications. Use this level when you want to apply policies to every repository, application, and organization.

  • Organization - Policies at this level are inherited by all applications attached to the organization. Use this level when you want to narrow the implementation of policies to a particular set of applications.

  • Application - Policies at this level apply to an individual application only. Use this level when you want to apply policies to a single, unique application.

  • Repository Managers - Policies at this level apply to all repository managers. Use this level when you want the same policies on every repository manager.

  • Repository Manager - Policies at this level apply to a single repository manager. Use this level when you want policies scoped to one specific repository manager.

Note

Repository Firewall policies are managed at the Root Organization or the Repository Managers level. As of release 171, policies may also be configured for a specific repository manager.

Tip

At the Root Organization and organization levels, you can use application categories to customize the implementation of policies across applications. Application categories provide a way to apply policies to a subset of select applications in an organization.

Once you have decided at which level to apply policies, you can create custom policies. The overall process is only a few steps, but the number of customizable settings (constraints, conditions, actions and notifications per lifecycle stage) can make it more involved than the step count suggests.
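The following is an added example, not code from the page or from Sonatype: it encodes the inheritance rules described above (Root Organization to organization to application, and Root Organization to Repository Managers to a single repository manager, with the application-category filter available only at the organization and root levels) so you can check, before creating a policy, which applications or repository managers it will reach and where it will show as Local versus Inherited From. The identifiers ROOT_ORGANIZATION_ID and REPOSITORY_MANAGERS, the owner-type strings and all sample policies and applications are constructed for illustration; they are not a documented IQ Server schema.

```python
from dataclasses import dataclass

# Assumed identifiers for the two top-level owners in the hierarchy (illustrative only).
ROOT = "ROOT_ORGANIZATION_ID"
REPO_MANAGERS = "REPOSITORY_MANAGERS"


@dataclass(frozen=True)
class Policy:
    name: str
    threat_level: int          # 0 (no threat) .. 10 (most severe), as on the New Policy view
    owner_type: str            # ROOT_ORGANIZATION | ORGANIZATION | APPLICATION |
                               # REPOSITORY_MANAGERS | REPOSITORY_MANAGER  (assumed labels)
    owner_id: str
    categories: frozenset = frozenset()   # org/root only: empty set means "all applications"

    def __post_init__(self):
        if not 0 <= self.threat_level <= 10:
            raise ValueError(f"{self.name}: threat level must be 0-10, got {self.threat_level}")
        if self.owner_type == "APPLICATION" and self.categories:
            # The page states the category selector is not available for application-level policies.
            raise ValueError(f"{self.name}: application-level policies cannot use categories")


@dataclass(frozen=True)
class Application:
    app_id: str
    org_id: str
    categories: frozenset = frozenset()


def _sorted(pairs):
    # Most severe first, then by name, so the order matches how you would triage violations.
    return sorted(pairs, key=lambda ps: (-ps[0].threat_level, ps[0].name))


def application_policies(app, policies):
    """Return (policy, scope) pairs that apply to `app`; scope is the label the UI would show."""
    chain = {
        ("APPLICATION", app.app_id): "Local",
        ("ORGANIZATION", app.org_id): f"Inherited From {app.org_id}",
        ("ROOT_ORGANIZATION", ROOT): "Inherited From Root Organization",
    }
    matched = []
    for p in policies:
        scope = chain.get((p.owner_type, p.owner_id))
        if scope is None:
            continue  # belongs to another organization/application, or to the repository branch
        # Category filtering only exists above the application level.
        if p.owner_type != "APPLICATION" and p.categories and p.categories.isdisjoint(app.categories):
            continue
        matched.append((p, scope))
    return _sorted(matched)


def repository_manager_policies(rm_id, policies):
    """Same resolution for a single repository manager: root, all-managers, then its own policies."""
    chain = {
        ("REPOSITORY_MANAGER", rm_id): "Local",
        ("REPOSITORY_MANAGERS", REPO_MANAGERS): "Inherited From Repository Managers",
        ("ROOT_ORGANIZATION", ROOT): "Inherited From Root Organization",
    }
    return _sorted((p, chain[(p.owner_type, p.owner_id)])
                   for p in policies if (p.owner_type, p.owner_id) in chain)


def edit_location(policy):
    """Where a policy must be opened to edit or delete it (inherited views are read-only)."""
    if policy.owner_type == "ROOT_ORGANIZATION":
        return "Root Organization"
    if policy.owner_type == "REPOSITORY_MANAGERS":
        return "Repository Managers"
    return f"{policy.owner_type.lower().replace('_', ' ')} {policy.owner_id}"


# Constructed sample data; not exported from a real IQ Server.
SAMPLE_POLICIES = [
    Policy("Security-Critical", 10, "ROOT_ORGANIZATION", ROOT),
    Policy("License-Copyleft", 7, "ORGANIZATION", "org-payments", frozenset({"Internet-facing"})),
    Policy("Architecture-Quality", 2, "ORGANIZATION", "org-payments"),
    Policy("Legacy-Exception", 1, "APPLICATION", "app-checkout"),
    Policy("Firewall-Quarantine", 9, "REPOSITORY_MANAGERS", REPO_MANAGERS),
    Policy("Firewall-Namespace", 8, "REPOSITORY_MANAGER", "nexus-prod"),
]
CHECKOUT = Application("app-checkout", "org-payments", frozenset({"Internet-facing"}))
BATCH = Application("app-batch", "org-payments")

if __name__ == "__main__":
    for app in (CHECKOUT, BATCH):
        print(f"== {app.app_id}")
        for p, scope in application_policies(app, SAMPLE_POLICIES):
            print(f"  [{p.threat_level:>2}] {p.name:<22} {scope:<35} edit at: {edit_location(p)}")
    print("== nexus-prod")
    for p, scope in repository_manager_policies("nexus-prod", SAMPLE_POLICIES):
        print(f"  [{p.threat_level:>2}] {p.name:<22} {scope}")
```

Running it shows that app-batch never sees License-Copyleft because it lacks the Internet-facing category, while app-checkout gets it as Inherited From org-payments and can only change it by opening the organization; the repository manager nexus-prod receives the root policy plus both Firewall policies but none of the organization or application ones.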

To create policies:

  1. Log into IQ Server using an account that has permission to create policies for repositories or for a particular organization or application (including the Root Organization). At a minimum, the account should be assigned the Owner role for the repositories, organization, or application in question.

  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.

  3. In the Policies section, click Add a Policy.

    A New Policy view will be displayed.

  4. Enter a name for the policy.

  5. Select a threat level from 0 to 10, where 10 is the most severe threat and 0 means no threat.

  6. If the policy is being created at the organization level, select which applications in the organization the policy should apply to: all applications or only applications with selected application categories. If the latter, then click the specific application categories to select them. Note that this setting is not available when creating a policy for an application.

  7. Create a constraint with conditions.

  8. Add actions and/or notifications at a desired stage in the development lifecycle.

  9. Click Create to save the policy.

After at least one policy is created (or imported), you can run an evaluation of an application to gather intelligence about its components and identify any vulnerabilities. The evaluation results, which include policy violations, are displayed in the Application Composition Report.


Editing Policies

At some point you may want to edit an existing policy, for example to adapt a policy from the reference policy set to the needs of your development team. Editing a policy takes almost the same few steps as creating one, although, as with creation, the number of customizable settings can make the process more involved.

Edit Policy at root organization or specific organization or application level

To edit policies:

  1. Log into IQ Server using an account that has permission to edit policies in repositories or a particular application or organization. At a minimum, the account should be assigned to the Owner role of repositories or the organization or application.

  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.

  3. In the sidebar, click Repositories or select the organization or application in which the policy was created.

  4. In the Policies section under Local, click the policy you want to edit. If the policy is listed in an Inherited From section, then it was created at a higher level in the system hierarchy; you must go to the level in which it was created to edit it.

  5. In the Edit Policy view, you can change the following settings:

    1. Enter a new name.

    2. Select a different threat level.

    3. If at the organization level, change which applications the policy applies to: all applications or only applications with selected application categories. If the latter, then click the specific application categories to select them.

    4. Add or modify a constraint with conditions.

    5. Add or modify actions and/or notifications.

  6. Click Update to save the policy changes.

Edit Policy at the Repository Manager level


Deleting Policies

To delete policies:

  1. Log into IQ Server using an account that has permission to delete policies in repositories or a particular application or organization. At a minimum, the account should be assigned to the Owner role of repositories or the organization or application.

  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.

  3. In the sidebar, click Repositories or select the organization or application in which the policy was created.

  4. In the Policies section under Local, click the policy you want to delete. If the policy is listed in an Inherited From section, then it was created at a higher level in the system hierarchy; you must go to the level in which it was created to delete it.

  5. In the Edit Policy view, click the Delete Policy button.

  6. In the confirmation dialog box, click Continue to permanently delete the policy or Cancel to keep the policy.

Warning

Once you delete a policy, the action cannot be undone.

Override Policy Actions

It is possible to override policy actions for inherited policies without affecting the reference policy set at the parent level.