Evaluating import rules
It is highly recommended that you test import rules before running auto discovery to ensure that they are configured correctly.
Import rules can be manually evaluated against one or more discovered objects (systems or accounts). You can evaluate:
You can then choose to apply the evaluation results to manage systems that pass all the conditions.
You can set all enabled import rules to be re-evaluated and applied on the next auto discovery by clicking Force a re-evaluation of all enabled import rules on the next auto discovery on the Import rules page.
You can also carry out a trial run to evaluate an import rule against all discovered objects.
Managed system and Managed account import rules must be associated with at least one managed system policy before they can be tested.
Ensure that discovered systems have already been configured and that accounts have been listed before evaluating import rules.
Evaluating one import rule
You can evaluate one import rule against discovered objects; Target system and Managed system rules are evaluated against computers, and Managed account rules are evaluated against accounts.
To evaluate a single import rule against discovered objects:
Navigate to the page.
In the Test conditions section, select which objects to evaluate:
Leave the field blank to evaluate all discovered objects.
You can override the TEST IMPORT RULE MAX LENGTH by entering a value in the Maximum number of systems to run the test against field.
Click the search icon, select the objects to evaluate, and click Select....
Type a space-delimited list of discovered object names.
Click Test.
Optionally, you can manage objects that passed all conditions.
The evaluation only runs if there is at least one enabled condition for the rule being evaluated.
Evaluating multiple import rules
You can evaluate multiple import rules and their conditions simultaneously. You can evaluate all import rules to simulate all rules running automatically during auto discovery .
To evaluate multiple import rules:
Navigate to the page.
Enable the checkboxes for the rules you want to evaluate.
Click Test.
Optionally, you can manage objects that passed all conditions.
Applying evaluation results
After an evaluation is complete, Bravura Security Fabric displays the results, including which objects (systems and accounts) have passed all the conditions and which have failed. For failed objects, Bravura Security Fabric indicates which conditions caused them to fail; however, if an import rule's conditions are set to "Match any expression", the results cannot include an explanation of why an object failed the evaluation.
On production systems, or with a large set of test matches, run auto discovery to process discovered objects and make them into managed systems and managed accounts.
Alternatively, on a test system, you can click Apply on the Import rules page to make all objects that passed all conditions into managed systems and managed accounts.
Warning
It is not recommended to use the Apply button with production systems, or with a large set of Test matches. It is intended only for testing.
Once an import rule has processed all discovered objects, either by running auto discovery or by evaluating the rule and clicking Apply, then those objects are not re-evaluated against the same import rule again. This includes both passed and failed results.
Discovered systems that pass all conditions for a target systems import rule but fail to obtain valid credentials on subsequent connections are re-evaluated against the import rule, unless they pass and obtain valid credentials from another rule. For local service mode discovered systems, this process occurs over a few intervals during which the client connects to the server.
Use the TEST IMPORT RULE MAX LENGTH system variable (Manage the system > Resources > Options, or the Import rules tab in Manage the system > Privileged access > Options) to limit the number of computers or accounts a rule is evaluated against. The default is 10 objects. You can increase this value to evaluate import rules on more discovered objects.
In the test section of each import rule you can override the TEST IMPORT RULE MAX LENGTH value by entering a new value in the Maximum number of systems to run test rule against field.
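The following is an added illustration, not Bravura Security Fabric's own code: a small Python model of the test-evaluation semantics described above (evaluation runs only when at least one condition is enabled, the object count is capped by TEST IMPORT RULE MAX LENGTH, failing conditions are reported only for "match all" rules, and once applied, both passed and failed objects are not re-evaluated). Object attributes, condition names and the sample systems are constructed for the example.

```python
"""Hypothetical model of import-rule test evaluation; not product code."""
from dataclasses import dataclass, field
from typing import Callable

TEST_IMPORT_RULE_MAX_LENGTH = 10  # product default stated on the page


@dataclass
class ImportRule:
    name: str
    # enabled condition name -> predicate over a discovered object's attributes
    conditions: dict[str, Callable[[dict], bool]]
    match_any: bool = False  # True models "Match any expression"
    processed: set[str] = field(default_factory=set)  # objects already evaluated


def evaluate_rule(rule, objects, max_length=TEST_IMPORT_RULE_MAX_LENGTH):
    """Return {object name: (passed, failed condition names)} for at most
    max_length objects that this rule has not already processed."""
    if not rule.conditions:
        return {}  # evaluation only runs with at least one enabled condition
    results = {}
    for obj in objects:
        if len(results) >= max_length:
            break
        if obj["name"] in rule.processed:
            continue  # already evaluated by this rule: skipped, pass or fail
        outcomes = {c: pred(obj) for c, pred in rule.conditions.items()}
        passed = any(outcomes.values()) if rule.match_any else all(outcomes.values())
        # "match any" rules cannot explain a failure, so report nothing for them
        failed = [] if passed or rule.match_any else [c for c, ok in outcomes.items() if not ok]
        results[obj["name"]] = (passed, failed)
    return results


def apply_results(rule, results):
    """Model of Apply: mark every evaluated object as processed; return the
    names that passed and would become managed objects."""
    rule.processed.update(results)
    return [name for name, (ok, _) in results.items() if ok]


DISCOVERED = [  # constructed sample of discovered systems
    {"name": "web01", "os": "Windows", "domain": "corp"},
    {"name": "db01", "os": "Linux", "domain": "corp"},
    {"name": "lab01", "os": "Windows", "domain": "lab"},
    {"name": "iot01", "os": "BSD", "domain": "lab"},
]
CONDITIONS = {"is_windows": lambda o: o["os"] == "Windows",
              "in_corp": lambda o: o["domain"] == "corp"}
```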
Executing a trial run
You can execute a trial run to test all objects that have not already been evaluated against a rule. The difference between a test and a trial run is that:
A trial run is run against all objects, regardless of the TEST IMPORT RULE MAX LENGTH value.
A report on a trial run is emailed to a designated address.
To execute a trial run on an import rule:
Navigate to the Import rules page.
Select the Trial run tab.
Type an email address to receive results of the test.
Click Trial run.
To cancel a trial run, click Cancel on the Import rule <rule type> page for the rule. You can only cancel a trial run from the instance on which it was started.
Import rule events
The following options can be accessed from Manage the system > Maintenance > System variables, Manage the system > Resources > Options, or from the Import rules tab in Manage the system > Privileged access > Options:
Option | Description |
---|---|
IMPORT RULE TRIAL RUN BEGIN | An import rule trial starts. |
IMPORT RULE TRIAL RUN END | An import rule trial ends. |
Re-evaluating import rules
Import rules are only run once on each discovered object. They are not re-run on objects that have already been evaluated.
If the import rule changes, or if the attributes being used in an import rule are changed, then the import rule is re-evaluated against the discovered objects. You can also manually re-evaluate an import rule by clicking Update on the Import rules <rule type> page. This resets the rule and re-evaluates all discovered objects.
Discovered objects can be re-evaluated manually through the import rules test page or when changes are detected during an auto discovery . Local service mode discovered objects can also be re-evaluated when they connect to the Bravura Security Fabric server after it has detected a change in an attribute used by an import rule.
The behavior when re-evaluating import rules is different for each rule type:
Target systems import rules
Discovered systems that satisfy Target systems import rules and become managed systems are not re-evaluated by any import rules, regardless of changes to the managed systems or import rules.
To modify the settings for a managed system, you can:
Click Manage the system > Resources > Target systems > Automatically discovered and manually change settings.
Or,
Delete the target system (manually or with an import rule), then re-evaluate it.
Managed systems import rules
Managed system import rules are re-evaluated against managed systems whenever a change is detected in the managed system during auto discovery , or when the import rules have changed.
If a change is made to a managed system that causes the system to fail the import rule, the rule may archive the system, depending on the configuration of the managed system import rule. If there are managed accounts on this system, password changes no longer occur, but regular users can still request access to these accounts, and product administrators can still access them.
Managed accounts import rules
Managed accounts import rules are re-evaluated against discovered accounts whenever a change is detected:
In the accounts during auto discovery
In member system attributes that were used to define conditions
In the import rules, such as:
Services, tasks, IIS, or DCOM objects that have been added, removed, or set up for use by a new user
Modifications to attributes that are being used by managed accounts import rules
Modifications to conditions and associated policies on managed accounts import rules
All accounts managed by a managed system policy are evaluated, including discovered accounts that were manually added to the policy and those added to the policy by an import rule.
If a change is made to a managed account that causes the account to fail the import rule, the rule may archive the account, depending on the configuration of the managed account import rule. If this account's password is being managed, password changes no longer occur, but regular users can still request access to this account, and product administrators can still access it. If the managed system is removed from the policy, the system's managed account passwords are archived.