Configuring Policies

Viewing Policies

You can view policies, including those imported with the Reference Policy Set, by following these steps:

  1. Log into IQ Server using an account that has permission to "View IQ Elements" for repositories or for a specific organization or application. At a minimum, the account should be assigned the Owner or Developer role for the repositories or for the specific organization or application.
  2. Click the Organization & Policies button on the IQ Server toolbar.
  3. Click Repositories, or select the desired organization or application, in the sidebar.
  4. When a specific organization or application is selected, click the Policies button in the menubar near the top of the page to scroll to the Policies section. When Repositories is clicked, scroll directly down to the Policies section.
  5. Click the desired policy to view policy details.

Note that policies are grouped according to where they are located in the system hierarchy:

  • Local - The policy was added at the level of repositories or the selected organization or application.
  • Inherited From [organization name] - The policy was added at some level higher in the system hierarchy.

When you open an inherited policy, the view is read-only. You can expand collapsed sections in the view to see details, but you cannot make changes to the policy settings. For information on how to modify a policy, see Editing Policies.

Creating Policies

Before you begin, you need to decide which level in the system hierarchy to use for new policies:

  • Root Organization - Policies at this level are inherited by all repositories, organizations and applications. Use this level when you want to apply policies to every repository, application and organization.
  • Organization - Policies at this level are inherited by all applications attached to the organization. Use this level when you want to narrow the implementation of policies to a particular set of applications.
  • Application - Policies at this level apply to an individual application only. Use this level when you want to apply policies to a single, unique application.
  • Repositories - Policies at this level apply to all repositories. Use this level when you want to apply policies only to repositories.

If you have access to the Audit and Quarantine features of IQ for Nexus Repository Manager, policies for your repositories can be managed at the Root Organization level or Repositories level. They do not require a specific application or organization.

At the Root Organization and organization levels, you can use application categories to customize the implementation of policies across applications. Application categories provide a way to apply policies to a subset of select applications in an organization. For more details about application categories, see Application Categories.
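The hierarchy levels listed above, the Local versus Inherited From labels shown in the Policies section, and the application-category scoping used for organization-level policies can be captured in a small model. The following Python is an added, constructed illustration written for this page, not IQ Server's own API or data format; the policy, organization and application names are made up, and it assumes that a category-restricted policy applies to an application carrying any of the selected categories.

```python
from dataclasses import dataclass
ROOT = "Root Organization"     # inherited by every repository, organization and application
REPOSITORIES = "Repositories"  # applies to all repositories, never to applications

@dataclass(frozen=True)
class Policy:
    name: str
    threat_level: int                    # 0 = no threat ... 10 = most severe
    owner: str                           # level it was created at: ROOT, REPOSITORIES, an org or an app
    categories: frozenset = frozenset()  # empty = all applications (Root/organization level only)

@dataclass(frozen=True)
class Application:
    name: str
    organization: str
    categories: frozenset = frozenset()

def effective_policies(app: Application, policies) -> list:
    """Policies applying to `app` as (name, scope); scope is the label the Policies
    section shows: 'Local' or 'Inherited From <level>'. Assumption: a category-
    restricted policy applies when the app carries any of the selected categories."""
    applicable = []
    for p in policies:
        if p.owner == app.name:
            scope = "Local"
        elif p.owner in (app.organization, ROOT):
            if p.categories and not (p.categories & app.categories):
                continue                 # restricted to categories this app lacks
            scope = f"Inherited From {p.owner}"
        else:
            continue                     # another org/app, or a Repositories-level policy
        applicable.append((p, scope))
    applicable.sort(key=lambda ps: -ps[0].threat_level)  # most severe first
    return [(p.name, scope) for p, scope in applicable]

def editable_at(policy: Policy, level: str) -> bool:
    """Inherited policies are read-only: edit or delete only at the level that created them."""
    return policy.owner == level

# Constructed sample data, not taken from any real IQ Server instance.
SAMPLE_POLICIES = (
    Policy("Critical Vulnerabilities", 10, ROOT),
    Policy("Internal Licence Rules", 7, "Finance", frozenset({"internal"})),
    Policy("Payroll Exceptions", 5, "Payroll"),
    Policy("Quarantine Downloads", 9, REPOSITORIES),
    Policy("Marketing Only", 8, "Marketing"),
)
PAYROLL = Application("Payroll", "Finance", frozenset({"internal", "pci"}))
WEBSITE = Application("Website", "Finance", frozenset({"public"}))
```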

Once you decide at which level to apply policies, you can proceed with creating custom policies. The overall process is only a few steps. However, the extent of customizable settings available to you can complicate the process. This section lists the basic steps for creating a policy and includes links to more detailed information about each step in the Understanding the Parts of a Policy topic.

To create policies:

  1. Log into IQ Server using an account that has permission to create policies for repositories or for a particular organization or application (including the Root Organization). At a minimum, the account should be assigned the Owner role for the repositories or for the organization or application.
  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.
  3. In the Policies section, click Add a Policy.
    A New Policy view is displayed.
  4. Enter a name for the policy. For more details, see Policy Name.
  5. Select a threat level (from 10 to 0: 10 is the most severe threat, 0 is no threat). For more information, see Threat Level.
  6. If the policy is being created at the organization level, select which applications in the organization the policy should apply to: all applications or only applications with selected application categories. If the latter, then click the specific application categories to select them. For more details, see Inheritance. Note that this setting is not available when creating a policy for an application.
  7. Create a constraint with conditions. For detailed information, see Constraints and Conditions.
  8. Add actions and/or notifications at a desired stage in the development lifecycle. For more information, see Actions and Notifications.
  9. Click Create to save the policy.

After at least one policy is created (or imported), you can run an evaluation of an application to gather intelligence about its components and identify any vulnerabilities. The evaluation results, which include policy violations, are displayed in the Application Composition Report. For more information, see the Manual Application Evaluation and the Application Composition Report sections.

Editing Policies

At some point, you may want to edit an existing policy. For example, you’d like to modify a policy in the Reference Policy Set to suit the needs of your development team. The process for editing a policy is almost the same as creating one; it’s only a few steps. However, the extent of customization you can do may make the process more complicated. This section lists the overall steps for editing a policy, and includes links to more detailed information in the Understanding the Parts of a Policy topic.

Edit Policy at Root Organization, organization or application level

To edit policies:

  1. Log into IQ Server using an account that has permission to edit policies in repositories or in a particular application or organization. At a minimum, the account should be assigned the Owner role for the repositories or for the organization or application.
  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.
  3. In the sidebar, click Repositories or select the organization or application in which the policy was created.
  4. In the Policies section under Local, click the policy you want to edit. If the policy is listed in an Inherited From section, then it was created at a higher level in the system hierarchy; you must go to the level at which it was created to edit it.
  5. In the Edit Policy view, you can change the following settings:
    1. Enter a new name.
    2. Select a different threat level.
    3. If at the organization level, change which applications the policy applies to: all applications or only applications with selected application categories. If the latter, then click the specific application categories to select them.
    4. Add or modify a constraint with conditions.
    5. Add or modify actions and/or notifications.
  6. Click Update to save the policy changes.

Edit Policy at Repositories level

Deleting Policies

To delete policies:

  1. Log into IQ Server using an account that has permission to delete policies in repositories or in a particular application or organization. At a minimum, the account should be assigned the Owner role for the repositories or for the organization or application.
  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.
  3. In the sidebar, select the organization or application in which the policy was created.
  4. In the Policies section under Local, click the policy you want to delete. If the policy is listed in an Inherited From section, then it was created at a higher level in the system hierarchy; you must go to the level at which it was created to delete it.
  5. In the Edit Policy view, click the Delete Policy button.
  6. In the confirmation dialog box, click Continue to permanently delete the policy or Cancel to keep the policy.

Once you delete a policy, the action cannot be undone.

Override Policy Actions

NEW IN RELEASE 140

From release 140 onwards, you can override the policy actions of inherited policies without affecting the reference policy set at the parent level.