CloudCenter 4.8 has reached End of Life (EOL) as of November 14, 2018. See End of Support Notices for additional context.

Governance Rules

Overview

The Governance Rules page lets you enable or disable rules-based governance by clicking the ON/OFF toggle button.

Once Governance Mode is enabled:

  • Only a tenant admin can create policies, associate the policy to tags and make it available to users.
  • Users cannot create new policies or view existing policies.
  • Promoted admins can only see their own resources instead of the tenant resources.

Rules-Based Governance

Rules-based governance lets you configure various automatic actions that the system takes based on system tags and system tag matching rules.

When rules-based governance is enabled, this page also displays the following information for each system tag matching rule that has been added:

  • Rule–Description of the rule. For example:

    • The rule "has tag ( Dev )" describes a rule that would be enforced against a resource with which the tag Dev is associated

    • The rule "has tag ( Dev AND Prod )" describes a rule that would be enforced against a resource with which the tags Dev and Prod are associated

    • The rule "has tag ( Dev OR Prod )" describes a rule that would be enforced against a resource with which the tag Dev or the tag Prod (or both tags) is associated

  • Resource Name–Name of the resource to which the rule has been added.

  • Resource Type–Type of resource to which the rule has been added.

Best Practices

Adhere to the following best practices when using the Governance mode feature:

  1. Do: Give logical, meaningful tag names that map to the deployment environment, security profiles, and scaling policies. These meaningful names help tenant users to understand and use these tags appropriately. For example, use a Prod1 tag to indicate a deployment environment that is in Production.

     Don't: Do not use bland tags. For example, do not use a P1 tag to indicate a deployment environment that is in Production.

  2. Do: Use the security profiles update and delete commands to directly update/delete security profiles rules that are used by jobs.

     Don't: Do not use any of the cloud consoles to directly update/delete security profiles rules that are used by jobs.

  3. Do: Assign different tags (or combinations of tags) for different environments and policies. The CloudCenter platform always picks the first environment or policy to attach to a submitted deployment.

     Don't: Do not use the same tags (or combination of tags) for different environments and policies.

  4. Do: To attach multiple rule sets for a security profile, map them to the same tag. The CloudCenter platform always selects all matched security profiles to attach them to a deployment.

  5. Do: Effective CloudCenter 4.10.0, Governance Mode is deprecated and replaced with Tagless Governance. See the Administration and Governance > Tagless Governance section for details. To simplify migration to a tagless governance environment in the future, consider designing your tag associations and governance rules to adhere to the Simple use case and avoid the Unaddressed use case as defined in the Post-Upgrade Use Cases section in the Migrate to Tagless Governance section.
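The following Python model is an added example written for this page; it is not CloudCenter code and does not show how the platform's matching engine is implemented. It parses the rule notation shown under Rules-Based Governance ("has tag ( Dev )", "has tag ( Dev AND Prod )", "has tag ( Dev OR Prod )"), evaluates a rule against a resource's tag set, and applies the selection behaviour stated in best practices 3 and 4: the first matching environment or policy wins, while every matching security profile is attached. It also flags the shadowing problem that best practice 3 warns about. The names parse_rule, rule_matches, GovernanceRule, select_resources and find_shadowed_rules, the use of list order as rule priority, and the sample rule set are all assumptions made for the example.

```python
"""Added example: a model of tag matching rules and resource selection.

Illustrative code for this page, not CloudCenter's implementation.
Assumed (not on the page): rules are kept in priority order in a list,
one operator kind (AND or OR) per rule, and all function and class names
below are invented for the example.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Tuple

# A rule is (operator, sorted tag names). "ALL" = every tag must be present
# (AND, or a single tag); "ANY" = at least one tag must be present (OR).
Rule = Tuple[str, Tuple[str, ...]]

_RULE_RE = re.compile(r"^\s*has tag \(\s*(.+?)\s*\)\s*$")


def parse_rule(text: str) -> Rule:
    """Parse the page's notation, e.g. 'has tag ( Dev AND Prod )'.

    Mixing AND with OR in one rule is rejected rather than silently
    picking a precedence, so a misread rule cannot widen a match.
    """
    m = _RULE_RE.match(text)
    if not m:
        raise ValueError(f"not a tag rule: {text!r}")
    body = m.group(1)
    if " AND " in body and " OR " in body:
        raise ValueError(f"mixed AND/OR is ambiguous: {text!r}")
    op, sep = ("ANY", " OR ") if " OR " in body else ("ALL", " AND ")
    tags = tuple(sorted(t.strip() for t in body.split(sep)))
    if any(not t for t in tags):
        raise ValueError(f"empty tag name in rule: {text!r}")
    return (op, tags)


def rule_matches(rule: Rule, resource_tags: FrozenSet[str]) -> bool:
    """True when the resource's tag set satisfies the rule."""
    op, tags = rule
    present = (t in resource_tags for t in tags)
    return all(present) if op == "ALL" else any(present)


@dataclass(frozen=True)
class GovernanceRule:
    """One row of the Governance Rules page: rule, resource type, name."""
    rule: Rule
    resource_type: str   # "environment", "policy" or "security_profile"
    resource_name: str

    def __post_init__(self) -> None:
        if self.resource_type not in ("environment", "policy", "security_profile"):
            raise ValueError(f"unknown resource type: {self.resource_type!r}")


def select_resources(rules: List[GovernanceRule],
                     deployment_tags: FrozenSet[str]) -> Dict[str, Any]:
    """Resources a deployment with these tags would receive.

    Best practices 3 and 4: the first matching environment and the first
    matching policy win (list order = priority); every matching security
    profile is attached.
    """
    chosen: Dict[str, Any] = {"environment": None, "policy": None,
                              "security_profile": []}
    for gr in rules:
        if not rule_matches(gr.rule, deployment_tags):
            continue
        if gr.resource_type == "security_profile":
            chosen["security_profile"].append(gr.resource_name)
        elif chosen[gr.resource_type] is None:
            chosen[gr.resource_type] = gr.resource_name
    return chosen


def find_shadowed_rules(rules: List[GovernanceRule]) -> List[GovernanceRule]:
    """Environment or policy rules that can never win (best practice 3).

    Two environments (or two policies) mapped to the same tag condition
    mean only the first is ever attached; the later one is dead
    configuration and usually a sign of a mistaken tag assignment.
    """
    seen = set()
    shadowed = []
    for gr in rules:
        if gr.resource_type == "security_profile":
            continue  # all matches are attached, so nothing is shadowed
        key = (gr.resource_type, gr.rule)
        if key in seen:
            shadowed.append(gr)
        seen.add(key)
    return shadowed


# Constructed sample rule set in priority order (not from the page).
SAMPLE_RULES = [
    GovernanceRule(parse_rule("has tag ( Prod1 )"), "environment", "prod-env"),
    GovernanceRule(parse_rule("has tag ( Prod1 )"), "environment", "prod-env-eu"),
    GovernanceRule(parse_rule("has tag ( Dev OR Prod1 )"), "policy", "default-scaling"),
    GovernanceRule(parse_rule("has tag ( Prod1 )"), "security_profile", "web-ingress"),
    GovernanceRule(parse_rule("has tag ( Prod1 AND PCI )"), "security_profile", "pci-lockdown"),
]

if __name__ == "__main__":
    print(select_resources(SAMPLE_RULES, frozenset({"Prod1", "PCI"})))
    print([gr.resource_name for gr in find_shadowed_rules(SAMPLE_RULES)])
```

Running the module on the constructed rule set attaches prod-env, default-scaling and both security profiles to a deployment tagged Prod1 and PCI, and reports prod-env-eu as shadowed: the second environment rule silently never applies, which is the outcome best practice 3 tells you to avoid.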


Governance Rules Creation by Tenant Admins

  1. When Governance Mode is ON:

    1. Only a tenant admin can create a rule.

    2. Co-admins are allowed to create a Scaling Policy.

    3. Standard users and co-admins are allowed to use resources (like policies) when creating deployments using tags – even if these users do not have READ access for the resource.

  2. When creating rules, the tenant admins:

    1. Can also use tags created by a co-admin – even if the tag is not shared.

    2. Cannot use resources (for example, a policy) owned by other users – shared resources are not assigned a priority.

  3. Co-admins cannot create rules.

  4. After creating rules, the rule continues to work even if tags are unshared.

  5. No user can delete the following resources:

    1. A system tag – if it is used by any rule.

    2. A policy – if it is used by any deployment.

User Policy Permissions

This section identifies the possible user actions when Governance is enabled (ON) or disabled (OFF).

Policy Notes

  1. A policy must not be in use by any deployment before it can be updated, deleted, or disabled.
  2. If GOV mode is ON (enabled), policies created by standard users and shared with an admin cannot be used – this is because policies created by standard users do not have any assigned priorities.

The following table describes the possible user actions when Governance is enabled (ON) or disabled (OFF).

Create, Update, Delete, and Disable Policy

  • Governance ON:
    • Tenant Admin: Yes
    • Co-Admin: No
    • Standard User: No
    • Sub-tenant Admin: Yes – for the sub-tenant
  • Governance OFF: Yes. A user must have at least one role that provides the required permission to create a policy.

Change Priority

  • Governance ON:
    • Tenant Admin: Yes
    • Co-Admin: No
    • Standard User: No
    • Sub-tenant Admin: Yes. A sub-tenant admin can only arrange the priorities of policies owned by the sub-tenant and cannot change the priority of policies that are shared by the parent admin. The parent admin's policies have a higher priority.
  • Governance OFF: No

User Policy Permission for Deployments

A user must have access to the deployment via the deployment environment.

The following table identifies the possible user actions for deployments when Governance is enabled (ON) or disabled (OFF).

Attach Policy

  • Governance ON:
    • Tenant Admin: Yes
    • Co-Admin: Yes
    • Standard User: No
    • Sub-tenant Admin: Yes. If a user has access to a deployment, then this operation is currently allowed at the sub-tenant level as well – this is because the CloudCenter platform does not check the tenant under which this job was launched.
  • Governance OFF:
    • Tenant Admin: Yes
    • Co-Admin: Yes
    • Standard User: Yes

Detach and Replace Policy (even if a user does not have access to the policy)

  • Governance ON:
    • Tenant Admin: Yes
    • Co-Admin: Yes
    • Standard User: No
    • Sub-tenant Admin: Yes. If a user has access to a deployment, then this operation is currently allowed at the sub-tenant level as well – this is because the CloudCenter platform does not check the tenant under which this job was launched.
  • Governance OFF: Yes

Extension Request

  • Governance ON:
    • Tenant Admin: Yes
    • Co-Admin: No
    • Standard User: No
    • Sub-tenant Admin: Yes
  • Governance OFF: Yes



© 2017-2019 Cisco Systems, Inc. All rights reserved