Fine Grained Waivers

Fine Grained Waivers were introduced with the Nexus IQ Server 53 release. For a general explanation of waivers prior to that release, please review the general documentation on waivers.

Fine grained waivers allow policy violations to be waived at a more granular level than the previous waiver mechanism. Waivers prior to the Nexus IQ Server 53 release were too general for some use cases, taking into account only the policy, owner, and potentially the component. Fine grained waivers also take into account the underlying conditions that generated the specific policy violation so that the waiver is more specific. The notion is broadly similar to the enhancements made to the policy violation comparison behavior released in the Nexus IQ Server 50 release, except that in this case the detailed information is used to match the waiver to an applicable policy violation rather than comparing two policy violations.

Adding a Fine Grained Waiver

Fine grained waivers have replaced the earlier policy waiver mechanism for newly created waivers as of Nexus IQ Server 53. Most of these changes are internal to the product and the user experience is very similar to adding a waiver in previous releases. The exact behavior of the waiver is different because of the more specific granularity.

For example, in the following application report, four violations appear for the Security-High policy on a specific component in the Component Information Panel.

We can create a waiver for any one of these by clicking the Waive button. This brings up the Add Waiver Page, which is very similar to the Add Violation Waiver modal in previous releases.

Fined Grained Waivers can also be added from the Waivers for Violation page.

Note that this waiver can also be scoped to a particular application or organization as well as to a specific component. These act as additional restrictions on the applicability of a waiver to a policy violation.

In this case, we will go with the defaults, and limit the waiver to only this application and component. Clicking the Waive button will add the waiver. Once added, we can also verify that the waiver has been added by clicking the View Existing Waivers button in the Component Information Panel.

The report for a subsequent evaluation for the same application (with no dependency changes) will include only three policy violations related to the Security-High policy. The other policy violation has been waived as a result of creating the waiver in the previous step.

The specific policy violation was waived as a result of the waiver we created, but other policy violations for the same policy, application, and component still remain. This demonstrates the utility of fine grained waivers relative to previous releases of Nexus IQ Server, where all of the Security-High policy violations would have been waived for this component.