Configuration Change Console provides features for auditing applications for authorized and unauthorized events. As a major function of its compliance-auditing feature, Configuration Change Console compares planned changes to the IT infrastructure, as approved through your Change Management system, with the actual changes detected by Configuration Change Console.
Detected changes that can be matched with an approved change request are considered authorized. Authorized changes are reported back to your Change Management system as a record of the work done to carry out the planned change. Detected changes that cannot be matched to an approved change are considered unauthorized. Configuration Change Console opens a new ticket in your Change Management system each time it detects unauthorized actions and reports the time, location, user, and application associated with the unauthorized change.
Configuration Change Console matches monitored events against a ticket categorization. The structure of a ticket categorization depends on the Change Management server being used. For instance, BMC Remedy uses a categorization structure of Category/Type/Item.
Example of a Category/Type/Item definition:
Item: Application Server
To audit authorized and unauthorized events against the Change Management Server, follow these steps:
1. Configure the connection parameters for the Change Management Server. This allows Configuration Change Console to communicate with the Change Management server.
2. Configure a Default Outbound Ticket Definition using Categorizations from the Change Management Server. This configuration determines how tickets will be created in the Change Management server by Configuration Change Console when unauthorized changes are detected.
3. Map Categorizations to the component instances or applications that you want to monitor for authorized or unauthorized change events.
4. Configure Audit Actions to audit specific events (file, process or application-internal changes) on the component instances or applications.
Note: If steps 1 through 3 are completed successfully, a default audit policy is created automatically for all new components, so the only part of step 4 that must be completed is assignment of the audit action to the component instance.
In addition to managing authorized/unauthorized changes following normal processes, the product also can work in an environment where IT staff may create emergency tickets to fix a problem without having authorization.
The following chart depicts the event-detection and ticket-generation process flow.
Important: Before configuring Change Management integration through the user interface, you must customize your Change Management Server by following the instructions in the Configuration Change Console Installation guide.
Configuring your Change Management Server is a two-step process handled through a single screen. First, specify the type of Change Management Server used along with all necessary connection parameters. Then indicate the default Categorization definition used to create a ticket for detected unauthorized changes. Using the Change Management Server screen, you can specify the type of Change Management server used, provide necessary connection information for the agent to connect to the server, and set up the default Outbound Ticket Configuration used in Auditing.
To access this screen, navigate to Administration --> Server Configuration --> Change Management Server.
To configure Change Management integration, follow these steps:
1. Ticket Management Type. Select the type of Change Management application used from the Ticket Management Type drop-down menu.
2. Device. Select the device whose agent will be used to connect to the ticket management server from the Device drop-down menu.
3. Server IP. Enter the IP address or hostname of the Change Management server. The agent does not have to be installed on this machine. If the agent is installed on the device where the application is running, you can enter localhost in the Server IP field.
4. Username and Password. Provide the username and password for the Change Management server. Be sure to specify the correct password. If an invalid password is used, the password must be corrected on this screen before categorization information can be collected. If you do not see the bottom half of the configuration screen appear after some time, the connection to the server has most likely failed, due to either network connectivity or authentication.
5. Consolidate CTI. Specify whether to consolidate Change Ticket Information for change events. Specify the Consolidate CTI settings to control the number of unauthorized tickets created in your Change Management System. The field can accept a value of CT (one ticket will be generated per unique unauthorized Change Ticket combination and the ticket will be updated until the ticket is closed or the stop ticket update flag is set on the Change Management software), CT+D (one ticket will be generated per unique category and type combination and the device the change happened on), or None (each unauthorized change will generate one new ticket).
6. Ticket Correlation Criteria. Select the following criteria by clicking the associated check boxes. Correlation enables you to gather details about whether a change was authorized or unauthorized. Note that the CTI to Component Mapping is selected by default and is not configurable.
   - CTI to Component Mapping. Checks the Change Management server for a CTI for the current event application and a ticket state of Open or Emergency.
   - Time Window for Required Change (from Ticket). Checks whether the event change time is between the ticket's planned start and end times.
   - Device(s) Where Change is to be Executed (from Ticket). Checks whether the event change device is in the ticket's device list.
   - User Assigned to Make Specified Changes (from Ticket). Checks whether the event change user is in the ticket's user list.
   - Approval timeout status for emergency ticket. Checks for an emergency ticket that has an expired approval status.
7. Click Save. Note that the other configuration tabs (Outbound Ticket, Ticket Expiry, and Emergency Ticket) can be configured at a later time.
8. Click the Update Agents button (to the right of the toolbar at the top of the screen) to update the agent on the device specified in step 2.
After you provide the connection parameters and update the Configuration Change Console agent, the agent will collect all categorization attributes from the Change Management server and save them within the Configuration Change Console database.
Depending on the Change Management Server with which you are integrating, you may have to set additional parameters beyond the ones above. These fields are described below:
Risk Level (used by the Remedy 7 adapter). The value you must set here needs to be a defined risk level in your Remedy 7 instance, such as “Risk Level 1”.
Impact (used by the Remedy 7 adapter). The value you must set here needs to be a defined impact in your Remedy 7 instance, such as “4-Minor/Localized”.
Location Company (used by Remedy 7 adapter). The value you must set here needs to be a defined company in your Remedy 7 instance, such as “Oracle Enterprise Manager” as given as an example in the installation guide on integrating with Remedy 7.
Support Company (used by Remedy 7 adapter). The value you must set here needs to be a defined company in your Remedy 7 instance, such as “Oracle Enterprise Manager” as given as an example in the installation guide on integrating with Remedy 7.
When Configuration Change Console detects an unauthorized event for any monitored application and CT consolidation is not enabled, it creates a ticket on the Change Management server using the Outbound Ticket template. The outbound ticket template must be filled out before the server can create tickets for unauthorized events.
Note that Outbound Tickets are sent to the Change Management server with an "open" status. You can view a list of all Outbound Tickets from the Visualization --> Change Visualization --> Outbound Ticket History screen.
There are three ways to close a ticket created by the Configuration Change Console:
An administrator closes the ticket on the Change Management server.
The ticket expires upon reaching the ticket's planned end date. Unauthorized tickets have a default planned end date set to 24 hours following the ticket's creation.
An administrator sets the "stop ticket update" flag on the Change Management server.
To access this screen, navigate to Administration --> Server Configuration --> Change Management Server.
Tabs at the bottom of the Change Management Server screen enable the three types of outbound ticket and emergency ticket settings.
To update the Outbound Ticket Configuration, follow these steps:
In the Outbound Ticket Configuration section of the screen, enter the following information:
Category Definition. The Categorization that the ticket being created for unauthorized events will receive. Drop-downs will be populated with the categorizations available from the Change Management System. This means that the Unauthorized/Unauthorized/Unauthorized categorization must be created on the Change Management Server.
Supervisor. The user on the Change Management server who will own the tickets created by Configuration Change Console. The list of users is populated by the users from the Change Management server that have the Send-to-AR flag checked on the user form.
Group. Optional field which allows you to assign the newly-created tickets to a group of people. The group name you enter here must exist on the Change Management Server.
Urgency. The urgency to which you want to set newly created unauthorized tickets. The urgency must be a valid value that is available in the Change Management server. Note that this field is case sensitive.
Priority. The priority to which you want to set newly created unauthorized tickets. The priority must be a valid value that is available in the Change Management server. Note that this field is case sensitive.
Note: If you delete a setting on which the Outbound Ticket is dependent, such as a Categorization, ticket server or a specified supervisor, the Outbound Ticket will become invalid. The Audit Actions will not generate tickets for unauthorized activities until the Default Outbound Ticket is reconfigured.
Click Save to save the Outbound Ticket Configuration.
Click the Update Agents button (to the right of the toolbar at the top of the screen) to update the agent for the Change Management server.
After setting up the Change Management Server and Outbound Ticket Configuration, you must assign categorizations to all component instances on which you want to audit authorized or unauthorized events.
Assign categorizations from the Category Component Assignments screen. Use the Category View to display a list of categorizations to which you can assign component instances. Alternatively, you can filter the screen output with the Component View, which displays a list of component instances to which you can assign categorizations.
To access this screen, navigate to Policy --> Operations Management --> Category Component Assignment.
To assign categorizations to a Component Instance (Category View), follow these steps:
Select the Category screen display mode from the Selection Mode.
Select the Change Management Server.
Filter the Category, Type and Item drop-down options or select All and then click Apply Filters.
From the categorization options shown in the table, select the checkbox for the ones you want to assign and click Assign New Component Instances.
From the Assign New Component Instances screen, select all component instances that should be associated with the categorization and click Save.
The last step in setting up auditing against the Change Management Server is to configure Audit Actions to perform Change Management actions on authorized/unauthorized events. The Audit Actions specify for certain component instances/applications if you want to create tickets for unauthorized events and/or update tickets for authorized events. Refer to the Configuring Audit Actions section to configure an audit action.
The created audit action will check events on the associated application against their mapped categorizations under the following circumstances:
If detected changes are authorized, the tickets are updated in the Change Management Server with the event details.
If Categorization Consolidation is disabled, a ticket will be created in the Change Management Server using the Outbound Ticket Template for each event that is unauthorized.
If Consolidation is enabled, the unauthorized ticket with a categorization matching that of the unauthorized change event will be appended with the information for the change event. If no matching unauthorized ticket with matching categorization consolidation rules is found, a new ticket will be created using the Default Outbound Ticket configuration.
When an emergency ticket is received from a Change Management system, the Change Management Server retains the status of emergency (rather than open), to indicate that the ticket has not yet gone through the standard approval process. For the following 24 hours, any changes associated with this emergency ticket are treated as authorized. During this 24-hour timeframe, if no authorization action is taken and the emergency changes do not get approved, all changes associated with the emergency ticket are set to unauthorized and Configuration Change Console generates a new unauthorized ticket and populates it with relevant unauthorized events. The time out period of 24 hours can be configured when setting up the Change Management Integration.
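The ticket correlation criteria and the emergency approval timeout described above can be modeled as a single decision function. The following is an added illustrative sketch, not code from Configuration Change Console: the class, field and function names, the sample tickets and events, and the use of the ticket's receipt time as the start of the timeout are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Ticket:
    number: str
    cti: tuple           # (Category, Type, Item)
    state: str           # "Open", "Closed" or "Emergency"
    start: datetime      # planned start
    end: datetime        # planned end
    devices: frozenset
    users: frozenset
    received: datetime   # assumed start of the emergency approval timeout

@dataclass(frozen=True)
class Event:
    cti: tuple           # categorization mapped to the component that changed
    time: datetime
    device: str
    user: str

def correlate(event, tickets, now, time_window=True, device=True, user=True,
              emergency_timeout=timedelta(hours=24)):
    """Return the number of the first ticket that authorizes the event, or None."""
    for t in tickets:
        # CTI to Component Mapping: always on; the state must be Open or Emergency.
        if t.cti != event.cti or t.state not in ("Open", "Emergency"):
            continue
        if time_window and not (t.start <= event.time <= t.end):
            continue
        if device and event.device not in t.devices:
            continue
        if user and event.user not in t.users:
            continue
        # Approval timeout: an emergency ticket still unapproved after the
        # timeout stops authorizing changes, including ones matched earlier.
        if (emergency_timeout is not None and t.state == "Emergency"
                and now - t.received > emergency_timeout):
            continue
        return t.number
    return None

# Constructed sample data (not from any real Change Management server).
T0 = datetime(2024, 1, 10, 9, 0)
CTI = ("ExampleCategory", "ExampleType", "ExampleItem")
PLANNED = Ticket("CHG-1", CTI, "Open", T0, T0 + timedelta(hours=4),
                 frozenset({"app01"}), frozenset({"alice"}), T0)
EMERGENCY = Ticket("EMG-1", CTI, "Emergency", T0, T0 + timedelta(hours=48),
                   frozenset({"app01"}), frozenset({"bob"}), T0)
BY_ALICE = Event(CTI, T0 + timedelta(hours=1), "app01", "alice")
BY_MALLORY = Event(CTI, T0 + timedelta(hours=1), "app01", "mallory")
BY_BOB = Event(CTI, T0 + timedelta(hours=1), "app01", "bob")
```

Calling `correlate(BY_MALLORY, [PLANNED], T0, user=False)` shows that with the user criterion unchecked, a change by an unassigned user still matches the open ticket. Evaluating `BY_BOB` against `EMERGENCY` at `T0 + 25 hours` shows the same event losing its authorization once the timeout passes.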
A Ticket can have three states: Open, Closed, and Emergency. The following table lists the ticket states to the Configuration Change Console as they relate to Emergency Change Requests. Your Change Management server may have hundreds of possible states, but the definitions that are loaded at integration time will translate those states to one of these three states.
|Ticket State|What this means . . .|
|Open|The emergency ticket was approved on the Change Management server and changes are authorized.|
|Closed|The emergency ticket was rejected by the Change Management server and therefore any authorized changes will be changed to unauthorized.|
|Emergency|Ticket has not yet gone through the approval process within the initial 24-hour window.|
This emergency ticket feature is optional and can be enabled/disabled via the Change Management Server screen.
To enable emergency ticket configuration and also to configure emergency tickets, navigate to Administration --> Server Administration --> Change Management Server.
View the Outbound Ticket History for a list of authorized and unauthorized changes. Each entry shows the emergency ticket number, change event, application instance, and device. Navigate to Visualization --> Change Visualization --> Outbound Ticket History.
Once you have configured the ticket management integration, use the Inbound Ticket History and Outbound Ticket History screens to view the tickets sent between the ticketing server and the Configuration Change Console.
The Inbound Ticket History screen shows all tickets sent from the Change Management Server that may be used to determine whether events are authorized. This screen can also show unauthorized tickets that were created by the Configuration Change Console. The Outbound Ticket History screen shows the tickets sent to the Change Management Server for either authorized or unauthorized events.
The Inbound Ticket History screen displays a list of all tickets sent from the Change Management server. To access this screen, navigate to Visualization --> Change Visualization --> Inbound Ticket History.
Use the filters to restrict the incoming tickets that are displayed. Click on the link in the Ticket Number column to view a record of any events detected by Configuration Change Console that were mapped to this ticket.
To access tickets sent from the Configuration Change Console to the Change Management Server, use the Outbound Ticket History screen. To access this screen, navigate to Visualization --> Change Visualization --> Outbound Ticket History.
Click the link in the Event column to view additional details of the change detected by the Configuration Change Console.
In the Outbound Ticket History screen, certain options are available based on the authorized/unauthorized status. If the value in the Authorized column is "Yes", then clicking on the link displays the ticket number to which the change was mapped and a complete history of all events that have mapped to that ticket. If the value in the Authorized column is "No", then clicking the link displays details of the application associated with the change.
Note: Overriding the unauthorized status applies only to reporting within the Configuration Change Console. The change that is overridden will appear as authorized only in the Configuration Change Console dashboards and related reports. It will not affect the ticket's authorization status in the Ticket Management application where the ticket originated.
There are three fields of note on this screen:
Override Authorized/Unauthorized status. Check the box for one or more tickets and click the Override Checked button. You can override an authorized event to make it unauthorized, or vice versa. A ticket's status can also be overridden many times.
View Inbound Ticket History. Click the Authorized link for the selected ticket to view its Inbound Ticket History.
View Change Details. Click the Event status link for the selected ticket. You will be forwarded to the Trend Analysis screen for the specific change event.