Governance Rules

Overview

The Governance Rules page lets you enable or disable rules-based governance by clicking the ON/OFF toggle button.

Once Governance Mode is enabled:

  • Only a tenant admin can create policies, associate them with tags, and make them available to users.
  • Users cannot create new policies or view existing policies.
  • Promoted admins can see only their own resources instead of the tenant resources.

Rules-Based Governance

Rules-based governance lets you configure various automatic actions that the system takes based on system tags and system tag matching rules.

When rules-based governance is enabled, this page also displays the following information for each system tag matching rule that has been added:

  • Rule: Description of the rule. For example:
    • The rule "has tag ( Dev )" describes a rule that would be enforced against a resource with which the tag Dev is associated.
    • The rule "has tag ( Dev AND Prod )" describes a rule that would be enforced against a resource with which the tags Dev and Prod are associated.
    • The rule "has tag ( Dev OR Prod )" describes a rule that would be enforced against a resource with which the tag Dev or the tag Prod (or both tags) is associated.
  • Resource Name: Name of the resource to which the rule has been added.
  • Resource Type: Type of resource to which the rule has been added.

Best Practices

Adhere to the following best practices when using the Governance mode feature:

No. 1
  • Do: Give logical, meaningful tag names that map to the deployment environment, security profiles, and scaling policies. These meaningful names help tenant users understand and use the tags appropriately. For example, use a Prod1 tag to indicate a deployment environment that is in Production.
  • Don't: Do not use bland tags. For example, do not use a P1 tag to indicate a deployment environment that is in Production.

No. 2
  • Do: Use the security profiles update and delete commands to directly update/delete security profile rules that are used by jobs.
  • Don't: Do not use any of the cloud consoles to directly update/delete security profile rules that are used by jobs.

No. 3
  • Do: Assign different tags (or combinations of tags) for different environments and policies. The CloudCenter platform always picks the first environment or policy to attach to a submitted deployment.
  • Don't: Do not use the same tags (or combinations of tags) for different environments and policies.

No. 4
  • Do: To attach multiple rule sets for a security profile, map them to the same tag. The CloudCenter platform always selects all matched security profiles and attaches them to a deployment.
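The difference between best practices 3 and 4 (first match for environments and policies, all matches for security profiles) can be checked before tags are rolled out. The following is an added example, not CloudCenter code or its API: the rule model, the entry names, the PCI tag, and the reading of "first" as list order are all assumptions made for illustration.

```python
# Added illustration, not CloudCenter code. The rule model, names and the
# meaning of "first" (list order) are assumptions made for this sketch.
from itertools import permutations

def matches(rule, tags):
    """rule is (op, tag_set), mirroring 'has tag ( Dev AND Prod )' / '( Dev OR Prod )'."""
    op, wanted = rule
    return wanted <= tags if op == "AND" else bool(wanted & tags)

def minimal_tag_sets(rule):
    """Smallest tag sets that satisfy a rule."""
    op, wanted = rule
    return [set(wanted)] if op == "AND" else [{t} for t in sorted(wanted)]

def first_match(entries, tags):
    """Environments and policies: only the first matching entry is attached."""
    return next((name for name, rule in entries if matches(rule, tags)), None)

def all_matches(entries, tags):
    """Security profiles: every matching entry is attached."""
    return [name for name, rule in entries if matches(rule, tags)]

def ambiguous_pairs(entries):
    """Flag pairs where a minimal tag set for one entry also satisfies another,
    so which one gets attached depends on ordering alone (best practice 3)."""
    found = set()
    for (n1, r1), (n2, r2) in permutations(entries, 2):
        if any(matches(r2, s) for s in minimal_tag_sets(r1)):
            found.add(tuple(sorted((n1, n2))))
    return sorted(found)

# Constructed sample data (hypothetical names).
ENVIRONMENTS = [
    ("prod-env", ("AND", {"Prod1", "PCI"})),
    ("shared-env", ("OR", {"Prod1", "Dev1"})),
    ("qa-env", ("AND", {"QA1"})),
]
SECURITY_PROFILES = [
    ("web-ingress", ("AND", {"Prod1"})),
    ("db-ingress", ("AND", {"Prod1"})),
    ("dev-open", ("AND", {"Dev1"})),
]

if __name__ == "__main__":
    tags = {"Prod1", "PCI"}
    print("environment attached:", first_match(ENVIRONMENTS, tags))
    print("profiles attached:", all_matches(SECURITY_PROFILES, tags))
    print("ambiguous environment rules:", ambiguous_pairs(ENVIRONMENTS))
```

A flagged pair among environments or policies means a deployment can silently land in whichever entry is evaluated first; the same overlap among security profiles is the intended way to stack rule sets.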