SAM assigned_to not populated on cmdb_sam_sw_install for Tanium/Zscaler records
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yesterday
Hi Community,
We are investigating why assigned_to is empty on many records in the Software Installation table (cmdb_sam_sw_install), mainly for discovery_source = Tanium. even though the assgined to on CI is not empty.
We found the scheduled job “SAM - Set 'assigned_to' Field on Licensable Install Records”. Based on the Script Include, the job only updates assigned_to when all of these conditions are met:
- installed_on is not empty
- installed_on.assigned_to is not empty
- install assigned_to is empty
- norm_publisher is not empty
- norm_product is not empty
Before the job ran, we had over 700k records matching these conditions. After the job completed, the same query returned 0, so it looks like the job processed all eligible records.
We also reviewed the software install normalization logic. From what we observed, norm_product and norm_publisher are only populated on cmdb_sam_sw_install when the related discovery model/product has a normalized product, the product type is licensable, and ignore_installs = false. Otherwise, the install-level normalized fields appear to be cleared.
Most remaining Tanium records with empty assigned_to seem to be outside the job scope because they are missing norm_product/norm_publisher, have product type other than licensable, or have ignore_installs = true.
We narrowed the remaining actionable issue to Zscaler. The Zscaler discovery models show as normalized, with product type Licensable and ignore_installs = false, but some Zscaler install records were not getting norm_product / norm_publisher populated on cmdb_sam_sw_install. After manually reverting and re-normalizing one Zscaler discovery model in TEST, the install-level norm_product and norm_publisher populated correctly, and then the scheduled job populated assigned_to. We created a Pattern Normalization Rule for Zscaler in TEST and are validating that approach.
My questions are:
Does this investigation and conclusion look correct? Specifically, if the assigned_to job has 0 records left matching its required conditions after it runs, is it fair to say the remaining empty assigned_to records are outside the job scope?
Main question: If a product’s type is not licensable, but ignore_installs = false, is it expected/acceptable for assigned_to to remain empty on cmdb_sam_sw_install? can i safely ignore remaining millions of installations which are either production type non licensible, child or ignore install True.
Our current assumption is that assigned_to is mainly needed for licensable / user-based SAM reconciliation. So if the product type is not licensable, an empty assigned_to should not create a compliance issue. Is that correct? If not, what compliance impact should we expect, and what is the recommended remediation?
Thanks in advance , trying to confirm whether the remaining empty assigned_to records are valid exclusions or need remediation.
