Configuring Policies

Viewing Policies

You can view policies, including those imported with the Reference Policy Set, by following these steps:

  1. Log into IQ Server using an account that has permission to "View IQ Elements" for the specific organization or application. At a minimum, the account should be assigned the role of Owner or Developer for that organization or application.
  2. Click the Organization & Policies button on the IQ Server toolbar.
  3. Select the desired organization or application in the sidebar.
  4. Click the Policies button in the menubar near the top of the page to scroll to the Policies section.
  5. Click the desired policy to view policy details.

Note that policies are grouped according to where they are located in the system hierarchy:

  • Local - The policy was added at the level of the selected organization or application.
  • Inherited From [organization name] - The policy was added at some level higher in the system hierarchy.

When you open an inherited policy, the view is read-only. You can expand collapsed sections in the view to see details, but you cannot make changes to the policy settings. For information on how to modify a policy, see Editing Policies.

Creating Policies

Before you begin, you need to decide which level in the system hierarchy to use for new policies:

  • Root Organization - Policies at this level are inherited by all organizations and applications. Use this level when you want to apply policies to every application and organization.
  • Organization - Policies at this level are inherited by all applications attached to the organization. Use this level when you want to narrow the implementation of policies to a particular set of applications.
  • Application - Policies at this level apply to an individual application only. Use this level when you want to apply policies to a single, unique application.

If you have access to the Audit and Quarantine features of IQ for Nexus Repository Manager, policies for your repositories are managed at the Root Organization level only. They do not require a specific application or organization.

At the Root Organization and organization levels, you can use application categories to customize the implementation of policies across applications. Application categories provide a way to apply policies to a subset of select applications in an organization. For more details about application categories, see Application Categories in the Advanced Policy Management chapter.
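To make the grouping and inheritance rules above concrete, here is a small Python model of how a policy added at the Root Organization, organization or application level appears to a given application as Local or Inherited From, and how application categories narrow an organization policy to a subset of applications. This is an added illustration, not IQ Server code or its API; the class names, the sample hierarchy and the policy names are all constructed.

```python
from dataclasses import dataclass

ROOT = "Root Organization"


@dataclass(frozen=True)
class Policy:
    name: str
    threat_level: int                    # 10 = most severe threat, 0 = no threat
    owner: str                           # organization or application it was added to
    categories: frozenset = frozenset()  # org-level only; empty means "all applications"

    def __post_init__(self):
        if not 0 <= self.threat_level <= 10:
            raise ValueError(f"threat level must be 0-10, got {self.threat_level}")


@dataclass(frozen=True)
class Application:
    name: str
    org: str                             # organization the application is attached to
    categories: frozenset = frozenset()  # application categories assigned to it


def effective_policies(app, policies):
    """policies maps an owner name (ROOT, an organization or an application) to its
    policies. Returns (scope, policy) pairs, most severe first, where scope is
    'Local' or 'Inherited From <organization name>'; only 'Local' policies can be
    edited from the application's own view."""
    result = [(f"Inherited From {ROOT}", p) for p in policies.get(ROOT, [])]
    for p in policies.get(app.org, []):
        # an organization policy applies to every application unless it was
        # narrowed to selected application categories
        if not p.categories or p.categories & app.categories:
            result.append((f"Inherited From {app.org}", p))
    result += [("Local", p) for p in policies.get(app.name, [])]
    return sorted(result, key=lambda sp: -sp[1].threat_level)


# Constructed sample hierarchy (hypothetical names, not from any real IQ Server)
POLICIES = {
    ROOT: [Policy("Security-Critical", 10, ROOT)],
    "Payments Org": [Policy("License-Copyleft", 7, "Payments Org", frozenset({"Distributed"})),
                     Policy("Architecture-Quality", 2, "Payments Org")],
    "checkout": [Policy("Internal-Ban", 5, "checkout")],
}
CHECKOUT = Application("checkout", "Payments Org", frozenset({"Distributed"}))
LEDGER = Application("ledger", "Payments Org", frozenset({"Internal"}))

if __name__ == "__main__":
    for scope, p in effective_policies(CHECKOUT, POLICIES):
        print(f"{p.threat_level:>2}  {p.name:<22} {scope}")
```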

Once you decide at which level to apply policies, you can proceed with creating custom policies. The overall process is only a few steps. However, the extent of customizable settings available to you can complicate the process. This section lists the basic steps for creating a policy, and includes links to more detailed information about each step in the Understanding the Parts of a Policy topic.

To create policies:

  1. Log into IQ Server using an account that has permission to create policies in a particular organization or application (including the Root Organization). At a minimum, the account should be assigned to the Owner role of the organization or application.
  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.
  3. In the Policies section, click Add a Policy. A New Policy view will be displayed.
  4. Enter a name for the policy. For more details, see Policy Name.
  5. Select a threat level from 0 to 10, where 10 is the most severe threat and 0 is no threat. For more information, see Threat Level.
  6. If the policy is being created at the organization level, select which applications in the organization the policy should apply to: all applications or only applications with selected application categories. If the latter, then click the specific application categories to select them. For more details, see Inheritance. Note that this setting is not available when creating a policy for an application.
  7. Create a constraint with conditions. For detailed information, see Constraints and Conditions.
  8. Add actions and/or notifications at a desired stage in the development lifecycle. For more information, see Actions and Notifications.
  9. Click Create to save the policy.

After at least one policy is created (or imported), you can run an evaluation of an application to gather intelligence about its components and identify any vulnerabilities. The evaluation results, which include policy violations, are displayed in the Application Composition Report. For more information, see the Manual Application Evaluation and the Application Composition Report sections.

Editing Policies

At some point, you may want to edit an existing policy. For example, you might want to modify a policy in the Reference Policy Set to suit the needs of your development team. The process for editing a policy is almost the same as creating one; it’s only a few steps. However, the extent of customization you can do may make the process more complicated. This section lists the overall steps for editing a policy, and includes links to more detailed information in the Understanding the Parts of a Policy topic.

To edit policies:

  1. Log into IQ Server using an account that has permission to edit policies in a particular application or organization. At a minimum, the account should be assigned to the Owner role of the organization or application.
  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.
  3. In the sidebar, select the organization or application in which the policy was created.
  4. In the Policies section under Local, click the policy you want to edit. If the policy is listed in an Inherited From section, then it was created at a higher level in the system hierarchy; you must go to the level in which it was created to edit it.
  5. In the Edit Policy view, you can change the following settings:
    1. Enter a new name.
    2. Select a different threat level.
    3. If the policy is at the organization level, change which applications it applies to: all applications or only applications with selected application categories. If the latter, then click the specific application categories to select them.
    4. Add or modify a constraint with conditions.
    5. Add or modify actions and/or notifications.
  6. Click Update to save the policy changes.

Deleting Policies

To delete policies:

  1. Log into IQ Server using an account that has permission to delete policies in a particular application or organization. At a minimum, the account should be assigned to the Owner role of the organization or application.
  2. Click the Manage Applications and Organizations icon on the IQ Server toolbar.
  3. In the sidebar, select the organization or application in which the policy was created.
  4. In the Policies section under Local, click the policy you want to delete. If the policy is listed in an Inherited From section, then it was created at a higher level in the system hierarchy; you must go to the level in which it was created to delete it.
  5. In the Edit Policy view, click the Delete Policy button.
  6. In the confirmation dialog box, click Continue to permanently delete the policy or Cancel to keep the policy.

Once you delete a policy, the action cannot be undone.