Documentation Nexus IQ Server 1.30

Our documentation site has moved. For the most current version, please see http://help.sonatype.com

9.4. Creating Policies

Before you begin, you need to decide which level in the system hierarchy to use for new policies:

  • Root Organization - Policies at this level are inherited by all organizations and applications. Use this level when you want to apply policies to every application and organization.
  • Organization - Policies at this level are inherited by all applications attached to the organization. Use this level when you want to narrow the implementation of policies to a particular set of applications.
  • Application - Policies at this level apply to an individual application only. Use this level when you want to apply policies to a single, unique application.
[Note]

If you have access to the Audit and Quarantine features of IQ for Nexus Repository Manager, policies for your repositories are managed at the Root Organization level only. They do not require a specific application or organization.

[Tip]

At the Root Organization and organization levels, you can use application categories to customize the implementation of policies across applications. Application categories provide a way to apply policies to a subset of select applications in an organization. For more details about application categories, see Application Categories in the Advanced Policy Management chapter.

Once you decide at which level to apply policies, you can proceed with creating custom policies. The overall process is only a few steps. However, the extent of customizable settings available to you can complicate the process. This section lists the basic steps for creating a policy, and includes links to more detailed information about each step in the Understanding the Parts of a Policy section of this chapter.

To create policies:

  1. Log into IQ Server using an account that has permission to create policies in a particular organization or application (including the Root Organization). At a minimum, the account should be assigned to the Owner role of the organization or application.
  2. Click the Manage Applications and Organizations icon (figs/web/clm-server-manage-app-org-icon.png) on the IQ Server toolbar.
  3. In the Policies section, click Add a Policy. A New Policy view will be displayed.
  4. Enter a name for the policy. For more details, see Policy Name.
  5. Select a threat level from 0 to 10, where 10 is the most severe threat and 0 is no threat. For more information, see Threat Level.
  6. If the policy is being created at the organization level, select which applications in the organization the policy should apply to: all applications or only applications with selected application categories. If the latter, then click the specific application categories to select them. For more details, see Inheritance. Note that this setting is not available when creating a policy for an application.
  7. Create a constraint with conditions. For detailed information, see Constraints and Conditions.
  8. Add actions and/or notifications at a desired stage in the development lifecycle. For more information, see Actions and Notifications.
  9. Click Create to save the policy.

After at least one policy is created (or imported), you can run an evaluation of an application to gather intelligence about its components and identify any vulnerabilities. The evaluation results, which include policy violations, are displayed in the Application Composition Report. For more information, see the Manual Application Evaluation and The Application Composition Report chapters.
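The following is an added illustration, not code from IQ Server or Sonatype: a small model of the inheritance rules described above (Root Organization, organization, application, and application categories) and of the settings the New Policy view accepts. All names, the sample hierarchy, and the functions are constructed for this example.

```python
from dataclasses import dataclass

ROOT = "Root Organization"

@dataclass(frozen=True)
class Policy:
    name: str
    threat_level: int            # 0 = no threat ... 10 = most severe threat
    level: str                   # "root", "organization" or "application"
    owner: str                   # ROOT, an organization name or an application name
    categories: frozenset = frozenset()  # empty = all applications at that level

@dataclass(frozen=True)
class Application:
    name: str
    organization: str
    categories: frozenset = frozenset()

def validate(policy: Policy) -> Policy:
    """Reject settings the New Policy view would not accept (hypothetical checks)."""
    if policy.level not in ("root", "organization", "application"):
        raise ValueError(f"unknown level {policy.level!r}")
    if not 0 <= policy.threat_level <= 10:
        raise ValueError("threat level must be between 0 and 10")
    if policy.level == "application" and policy.categories:
        raise ValueError("application categories cannot scope an application-level policy")
    return policy

def applies_to(policy: Policy, app: Application) -> bool:
    """Root -> every app; organization -> its apps, optionally narrowed by category; application -> that app only."""
    if policy.level == "application":
        return policy.owner == app.name
    if policy.level == "organization" and policy.owner != app.organization:
        return False
    return not policy.categories or bool(policy.categories & app.categories)

def effective_policies(app: Application, policies) -> list:
    """Policies an evaluation of `app` would check, most severe first."""
    hits = [p for p in policies if applies_to(validate(p), app)]
    return sorted(hits, key=lambda p: p.threat_level, reverse=True)

# Constructed sample hierarchy (not real IQ Server data).
POLICIES = [
    Policy("Security-Critical", 10, "root", ROOT),
    Policy("PCI-Scope", 8, "organization", "Payments", frozenset({"Internet-facing"})),
    Policy("License-Copyleft", 5, "organization", "Payments"),
    Policy("HR-Only", 7, "organization", "HR"),
    Policy("Architecture-Quality", 2, "application", "checkout-web"),
]
CHECKOUT_WEB = Application("checkout-web", "Payments", frozenset({"Internet-facing"}))
BATCH_REPORT = Application("batch-report", "Payments")
```

Running `effective_policies(CHECKOUT_WEB, POLICIES)` shows the category-scoped organization policy reaching only the categorized application, while `BATCH_REPORT` inherits just the root and uncategorized organization policies.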

figs/web/server-policy-example.png

Figure 9.2. New Policy View