Configuration Compliance assignment rules overview

  • Release version: Xanadu
  • Updated August 1, 2024
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configuration Compliance assignment rules overview

    Configuration Compliance assignment rules allow you to automatically assign test results to specific assignment groups for remediation within ServiceNow. This automation streamlines the process of managing remediation tasks by linking test results to the appropriate teams based on defined criteria.

    Note that starting from version 14.9, several terms have been updated for clarity, such as “Test Result Group” renamed to “Remediation Task Group” and “Rules” renamed to “Remediation Task Rules.”

    Key Features

    • Default Assignment Rule: The system includes a default rule, "Assign to CI support group," which assigns test results to the CI Support Group. This rule is inactive by default.
    • Assignment Methods: You can assign test results using three options:
      • Assignment group: Select any existing ServiceNow AI Platform® user group.
      • Assignment Group Field: Choose from predefined assignment group fields related to the configuration item (CI), such as Approval Group, Assignment Group, or Support Group.
      • Script: Define custom assignment logic using scripts, requiring advanced ServiceNow expertise.
    • Role-Based Access: Users with the sn_vulc.remediation_owner role can view and update test results and remediation tasks assigned to them or their groups. This role can be assigned directly or automatically via the itil role.
    • Assignment Rule Evaluation: Rules are evaluated when a test result is imported or reopened, after CI matching and risk scoring. The rules are processed in order, and once a match is found, the test result is assigned accordingly. If no rule matches, the test result remains unassigned.
    • Reapplying Rules: When assignment rules are changed, you can manually reapply them to active open test results (excluding those manually assigned) using the Apply Changes button. A scheduled job exists to run this periodically but is inactive by default.
    • Efficient Updates: Administrators and analysts can update assignments for selected test results more efficiently using the Vulnerability Manager Workspace rather than reapplying rules globally in the classic UI.
    • Remediation Task Assignment: Typically, remediation tasks inherit the assignment group from their test results. Changing the assignment group at the remediation task level updates all test results sharing that group and marks them as manually assigned, preventing further rule evaluation.
    • Clearing Assignments: You can clear assignment information from remediation tasks and their test results if they were incorrectly assigned, directly from the respective records.

    Key Outcomes

    • Automates the assignment of test results to appropriate groups, improving remediation workflow efficiency.
    • Ensures clear ownership and accountability by linking remediation tasks to designated groups based on test result assignments.
    • Provides flexibility through multiple assignment options, including scripted rules for complex criteria.
    • Enables controlled reapplication of assignment rules to keep assignments up to date without overwriting manual changes.
    • Empowers users with the appropriate roles to manage and update remediation tasks and assignments effectively.

    Define the criteria by which test results are automatically assigned to an assignment group for remediation.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology
    Terminology prior to v14.9 | Terminology v14.9 onwards
    Test Result Group          | Remediation Task
    Group Rules                | Remediation Task Rules
    Policy                     | Test group

    A default assignment rule, Assign to CI support group, is included in the base system and assigns test results to the CI Support Group. This rule is inactive by default.

    The Assignment groups set by the Assignment Rules are used by Remediation Task Rules to assign owners to remediation tasks (RTs).

    Assigning test results automatically

    There are three ways to assign test results, selected with the Assign using option:
    • Assignment group: This option allows you to select any of the existing ServiceNow AI Platform® user groups.
    • Assignment Group Field: This option allows you to choose any assignment group field available using the cmdb_ci table. By default you see the following three group fields:
      • None: Indicates no default value for this mandatory field
      • Configuration Item: Approval Group
      • Configuration Item: Assignment Group
      • Configuration Item: Support Group
    • Script: This option allows you to define the conditions using a script. This option requires coding or advanced ServiceNow® expertise.
    See Create or edit Configuration Compliance assignment rules for more information on creating assignment rules.

    Users with the sn_vulc.remediation_owner role can view and update test results and remediation tasks that are assigned to them or to their assignment groups. To view the modules, navigate to All > Configuration Compliance > Test Results > My Open Test Results, or Configuration Compliance > Remediation Tasks > My Open Tasks.

    The sn_vulc.remediation_owner role can be assigned directly to a user, or it is assigned automatically when you assign a user the itil role.

    Assignment rule evaluation process

    When a new test result is imported, or reopened after being closed, the assignment rules are evaluated against it. The assignment rules are evaluated after CI matching and Risk Score calculations. A test result is automatically evaluated only upon initial import and when a rule is changed, unless it is reopened after being closed. You can manually reapply rules after changes.

    The following process is used for each new or reopened test result:
    • For each test result assignment rule, the test result is compared to the assignment filter, lowest order rule first.
    • Where the condition matches, the test result is assigned an assignment group. The lookup stops.
    • Where the conditions do not find a match among all the rules, the test result remains unassigned.
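
The evaluation order described above, modelled as a stand-alone JavaScript example (added here, not ServiceNow code; the rule and result field names, the CI class labels and the sample data are assumptions). It also applies the documented exclusion of manually assigned results on reapply and counts wins per rule, which exposes a rule that a broader, lower-order rule always pre-empts.

```javascript
// Added illustration: a stand-alone model of the documented evaluation order.
// Field names (order, active, matches, group, manuallyAssigned) are assumptions,
// not ServiceNow table columns or APIs.

// Evaluate one test result: lowest order first, stop at the first match.
function evaluate(result, rules) {
  const ordered = rules.filter(r => r.active).sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (rule.matches(result)) return { group: rule.group, rule: rule.name };
  }
  return { group: null, rule: null }; // no rule matched: stays unassigned
}

// Reapply rules to open results, skipping manually assigned ones.
// Returns per-rule hit counts so rules that never win are visible.
function reapply(results, rules) {
  const hits = Object.fromEntries(rules.map(r => [r.name, 0]));
  let unassigned = 0;
  for (const res of results) {
    if (res.state !== 'open' || res.manuallyAssigned) continue;
    const outcome = evaluate(res, rules);
    res.group = outcome.group;
    if (outcome.rule) hits[outcome.rule] += 1; else unassigned += 1;
  }
  return { hits, unassigned };
}

// Constructed sample data (hypothetical rule names, groups and CI class labels).
const rules = [
  { name: 'Linux servers', order: 200, active: true, group: 'Linux Team',
    matches: r => r.ciClass === 'linux_server' },
  { name: 'All servers', order: 100, active: true, group: 'Server Ops',
    matches: r => r.ciClass.endsWith('server') },
  { name: 'Databases', order: 300, active: true, group: 'DBA',
    matches: r => r.ciClass.startsWith('db_') },
];
const results = [
  { id: 'TR1', ciClass: 'linux_server', state: 'open', manuallyAssigned: false, group: null },
  { id: 'TR2', ciClass: 'db_oracle', state: 'open', manuallyAssigned: false, group: null },
  { id: 'TR3', ciClass: 'win_server', state: 'open', manuallyAssigned: true, group: 'Windows Team' },
  { id: 'TR4', ciClass: 'network_switch', state: 'open', manuallyAssigned: false, group: null },
];
const report = reapply(results, rules);
console.log(report, results.map(r => `${r.id}: ${r.group}`));
```

In this sample the "Linux servers" rule records zero wins because "All servers" has the lower order and matches first, so TR1 goes to Server Ops; TR3 keeps its manual assignment and TR4 stays unassigned.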

    Reapplying assignment rules

    When you change an assignment rule, use the Apply Changes button on the Assignment Rules list page to rerun all the changed rules on all active Open test results, except those that were manually assigned.
    Note:
    The assignment rules do not reevaluate manually created assignments.
    The scheduled job [Reapply all assignment rules] is inactive by default. When activated, it evaluates all the open test results against all active rules, except those manually assigned. It can run Daily, Weekly, Monthly, Periodically, Once or On Demand.
    Important:
    As an admin and analyst, you can obtain the latest assignments for selected test results in the Vulnerability Manager Workspace. This method is more efficient than reapplying the Assignment Rules for all test results in the classic UI, which is a time-consuming process. For more information, see Re-evaluate the remediation properties of the records in the Vulnerability Manager Workspace.

    Assignment rules and remediation task assignment

    Usually, you would assign your remediation task (RT) to the same assignment group as the test results in it. That is what the remediation task rules do, by default.

    For example, if your RT groups by configuration item class, the remediation task created can be broken apart by the different assignment groups. One Oracle Database TRG can be assigned to Group 1, and another Oracle Database TRG to Group 2.

    When the assignment group is changed at the remediation task level, all the test results in that remediation task that have the same assignment group are updated to the new assignment group. The test results are marked as manually assigned and are not eligible for further rule evaluation.