Documentation Nexus IQ Server 1.18

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

Chapter 7. Basic Policy Management

[Tip]

The topics discussed in this chapter require IQ Server with one of the following licenses: Lifecycle, Firewall, or Auditor.

For the purposes of this documentation, we’ve established that policy is a broad term used to encapsulate the rules and actions for identifying and preventing risk associated with the components used in your applications. This includes components that enter your repository as well as those that already exist in your applications. However, rules is a somewhat generic description. Ultimately, rules have conditions, much like an If/Then statement does.

In fact, that’s one of the easiest ways to break down the elements of a policy: a policy simply says that if something happens, then perform a certain action. In the case of IQ Server, a policy determines what to do when a component meets a set of criteria. For example, a certain action could be taken (e.g. quarantining the component in the repository or failing a build), or in some cases no action at all.

If it’s still a bit fuzzy, an example will probably help. Let’s say we have a known rule in our development organization that says if a component used in an application has a security vulnerability, the application cannot be released. To enforce this, we tell our development team to review components before release, and if a component has a security issue, we don’t promote the release.

Congratulations, you have formed, at least in the aether, your first policy. Of course, you’re still very likely exposed to quite a bit of risk, and need to improve the policy so that it works throughout the development lifecycle. From this point forward, we’ll refer to this process as policy management.
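To make the If/Then model concrete, the following Python is an added illustration written for this chapter; it is not IQ Server’s policy engine, data model or API. It evaluates a component against a set of policies, each with a condition (the "if") and an action (the "then"), and shows why the naive "any vulnerability fails the release" rule needs refining. The action ranking, the CVSS thresholds, the license rule and all sample components and identifiers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Actions a policy may take. The rank decides which action wins when several
# policies fire on the same component (this ordering is an assumption of the example).
ACTION_RANK = {"none": 0, "warn": 1, "fail": 2, "quarantine": 3}


@dataclass
class Vulnerability:
    identifier: str  # constructed identifier for the example, not a real advisory
    cvss: float      # base score, 0.0 to 10.0


@dataclass
class Component:
    coordinates: str
    vulnerabilities: List[Vulnerability] = field(default_factory=list)
    licenses: List[str] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    condition: Callable[[Component], bool]  # the "if"
    action: str                             # the "then"


def evaluate(component: Component, policies: List[Policy]) -> Tuple[List[str], str]:
    """Apply every policy's condition; the strongest action among the violated policies wins.
    Returns (names of violated policies, resulting action); "none" when nothing fires."""
    violated = [p for p in policies if p.condition(component)]
    action = max((p.action for p in violated), key=ACTION_RANK.get, default="none")
    return [p.name for p in violated], action


def max_cvss(component: Component) -> float:
    """Highest CVSS score on the component, 0.0 if it has no known vulnerabilities."""
    return max((v.cvss for v in component.vulnerabilities), default=0.0)


def naive_policies() -> List[Policy]:
    """The first rule from the text: any vulnerability at all blocks the release."""
    return [Policy("any-vulnerability", lambda c: bool(c.vulnerabilities), "fail")]


def refined_policies() -> List[Policy]:
    """A graduated response plus a license rule; thresholds are assumptions, not IQ Server defaults."""
    return [
        Policy("critical-vulnerability", lambda c: max_cvss(c) >= 9.0, "quarantine"),
        Policy("high-vulnerability", lambda c: 7.0 <= max_cvss(c) < 9.0, "fail"),
        Policy("medium-vulnerability", lambda c: 4.0 <= max_cvss(c) < 7.0, "warn"),
        Policy("copyleft-license", lambda c: any(l.startswith("GPL") for l in c.licenses), "warn"),
    ]


# Constructed sample components; coordinates, scores and licenses are made up for the example.
SAMPLES = {
    "clean": Component("example:clean:1.0", [], ["Apache-2.0"]),
    "low": Component("example:low:2.3", [Vulnerability("VULN-LOW-1", 3.1)], ["MIT"]),
    "high": Component("example:high:0.9", [Vulnerability("VULN-HIGH-1", 7.5)], ["MIT"]),
    "critical": Component(
        "example:crit:4.2",
        [Vulnerability("VULN-LOW-2", 2.0), Vulnerability("VULN-CRIT-1", 9.8)],
        ["GPL-3.0"],
    ),
}


def report(policies: List[Policy]) -> dict:
    """Evaluate every sample against one policy set: {sample name: (violations, action)}."""
    return {name: evaluate(c, policies) for name, c in SAMPLES.items()}


if __name__ == "__main__":
    for label, policies in (("naive", naive_policies()), ("refined", refined_policies())):
        print(f"== {label} policy set ==")
        for name, (violations, action) in report(policies).items():
            print(f"{name:9s} -> {action:10s} {violations}")
```

Run against the samples, the naive set fails the build for the "low" component (a single CVSS 3.1 finding) exactly as it does for the "critical" one, which is the "quite a bit of risk" problem the text points at: one blunt rule either blocks everything or gets ignored. The refined set takes no action on the low finding, fails on the high one, and quarantines the critical one while also flagging its copyleft license, so each component gets the response its risk warrants.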