OctoSAM installation auto-approval
Info
Auto-approval requires OctoSAM 1.10.7.93 or later.
Installation auto-approval automatically approves installations of critical software based on a set of rules. Currently, this feature is available for Oracle Java SE installations. Support for other software may be added in future releases of OctoSAM.
Installation approval data model
Installations may be approved on three levels.
Signature approval
A specific software signature may be approved. The approval will be automatically propagated to all installations of this signature.
Signature installation approval
A specific installation of a signature may be approved. This approval will conditionally be propagated to the software package installation when all signature installations of this package installation on the same machine are approved.
Package installation approval
A specific installation of a package may be approved.
Approval propagation
The auto-approve process propagates approvals up the hierarchy.
Note
Propagation works the same way for auto-approved signatures as for manually approved signatures or signature installations.
Signature to signature installation propagation
The auto-approve process propagates auto-approved and manually approved signatures to their signature installations (table MachineSoftwareSignature). If a signature is approved, all its installations are automatically approved.
Signature installation to package installation propagation
A licensing-relevant package installation will only be approved if all licensing-relevant signature installations of that package are approved.
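The two propagation steps can be modelled in a few lines. This is an added example, not OctoSAM code: the `SignatureInstallation` class, its field names, the machine names and the signature strings are assumptions made for illustration, and package installations without any licensing-relevant signature installation are simply left out of the result.

```python
from dataclasses import dataclass

@dataclass
class SignatureInstallation:
    """One signature installation, reduced to the fields used here (assumed shape)."""
    machine: str
    package: str                     # package installation the signature belongs to
    signature: str
    licensing_relevant: bool = True
    approved: bool = False           # manual signature installation approval

def propagate(rows, approved_signatures):
    """Apply both propagation steps; return {(machine, package): approved}."""
    # Step 1: an approved signature approves every installation of that signature.
    for row in rows:
        if row.signature in approved_signatures:
            row.approved = True
    # Step 2: a package installation is approved only if all of its
    # licensing-relevant signature installations on that machine are approved.
    packages = {}
    for row in rows:
        if row.licensing_relevant:
            key = (row.machine, row.package)
            packages[key] = packages.get(key, True) and row.approved
    return packages

def demo():
    # Constructed sample data: machine names and signature strings are made up.
    sqldev = "java:/opt/sqldeveloper/jdk/bin/java"
    plain = "java:/usr/java/jdk1.8.0/bin/java"
    tool = "java:/opt/tool/jre/bin/java"
    jdk8 = "Oracle Java SE JDK 8"
    rows = [
        SignatureInstallation("srv01", jdk8, sqldev),
        SignatureInstallation("srv01", jdk8, plain),   # unapproved: blocks srv01
        SignatureInstallation("ws02", jdk8, sqldev),
        SignatureInstallation("ws03", jdk8, plain, approved=True),
        SignatureInstallation("ws03", jdk8, tool, licensing_relevant=False),
    ]
    return propagate(rows, approved_signatures={sqldev})

if __name__ == "__main__":
    for key, approved in demo().items():
        print(key, "approved" if approved else "not approved")
```

On `srv01` a single unapproved signature installation keeps the whole package installation unapproved, even though the other signature on that machine is approved.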
Running the auto-approval configuration
Auto-approval is triggered via the OctoUtil autoapprove command:
OctoUtil autoapprove OracleJavaSE
Administering auto-approval configuration
The configuration can be modified using the OctoSAM GUI:
The configuration is in JSON format:
{
  "OracleJavaSE": {
    "rules": [
      {
        "name": "sqldeveloper",
        "type": "signature-match",
        "pattern": "java:.*/sqldeveloper/.*" // a regular expression to match the Signature field
      },
      // example where a tag is specified in a custom field
      {
        "name": "oradb1",
        "type": "machine-match",
        "field": "CustomField1",
        "pattern": "Ora-Db-Server", // a regular expression to match the contents of the machine property specified in 'field'
        "approved-packages": [ "Oracle Java SE JDK 8", "Oracle Java SE JRE 8"]
      },
      // example where all database servers have a specific pattern in their description properties
      {
        "name": "oradb2",
        "type": "machine-match",
        "field": "Description",
        "pattern": ".*Oracle.*Database.*", // a regular expression to match the contents of the machine property specified in 'field'
        "approved-packages": [ "Oracle Java SE JDK 8", "Oracle Java SE JRE 8"]
      },
      {
        "name": "weblogic",
        "type": "machine-signature-match",
        "field": "CustomField1" // name of a property on the machine that contains a regex that matches specific signatures
      },
      {
        "name": "animate",
        "type": "installed-package-match",
        "pattern": "Adobe Animate .*", // a regular expression to match package names
        "approved-packages": ["Oracle Java SE JRE 11"] // a list of approved package installations
      }
    ]
  }
}
Auto-approval types
All configuration values and regex patterns are case-sensitive.
signature-match
This rule matches specific signatures against a regular expression.
Property | Required | Default Value | Description |
---|---|---|---|
name | Y | | Name for the rule. This will appear in the approver fields |
type | Y | | 'signature-match' |
pattern | Y | | A regular expression to match the Signature field |
machine-match
This rule matches specific machines and allows the installation of specified packages on the matching machines.
Property | Required | Default Value | Description |
---|---|---|---|
name | Y | | Name for the rule. This will appear in the approver fields |
type | Y | | 'machine-match' |
field | N | CustomField1 | Field to match on the machine object. Must be a string field |
servers-only | N | false | If true, matches only installations on server operating systems |
pattern | Y | | A regular expression to match the field |
approved-packages | Y | | A list of software package names or software package GUIDs |
machine-signature-match
This rule matches specific signature installations on machines. The match extends to all installed signatures with the same base version per machine.
Property | Required | Default Value | Description |
---|---|---|---|
name | Y | | Name for the rule. This will appear in the approver fields |
type | Y | | 'machine-signature-match' |
field | N | CustomField1 | Name of the field that contains the pattern to match on the machine object |
installed-package-match
This rule matches specific installed software packages.
Property | Required | Default Value | Description |
---|---|---|---|
name | Y | | Name for the rule. This will appear in the approver fields |
type | Y | | 'installed-package-match' |
servers-only | N | false | If true, matches only installations on server operating systems |
pattern | Y | | A regular expression to match the installed software package name(s) |
packages | Y | | A list of software packages to be approved |
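Because every rule grants approvals automatically, it is worth checking a configuration against the property tables before running OctoUtil autoapprove. The following linter is an added example, not part of OctoSAM: it assumes the configuration text has been copied out of the GUI, uses Python's `re` module as a stand-in for OctoSAM's regex engine, and accepts either `packages` or `approved-packages` for installed-package-match because the page shows both spellings.

```python
import json
import re

# Required properties per rule type, taken from the property tables above.
REQUIRED = {
    "signature-match": {"name", "type", "pattern"},
    "machine-match": {"name", "type", "pattern", "approved-packages"},
    "machine-signature-match": {"name", "type"},
    "installed-package-match": {"name", "type", "pattern"},
}
PACKAGE_KEYS = {"packages", "approved-packages"}  # the page shows both spellings

def strip_comments(text):
    """Drop // comments while leaving string literals (and their slashes) intact."""
    token = r'"(?:\\.|[^"\\])*"|//[^\n]*'
    return re.sub(token, lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def lint(config_text, product="OracleJavaSE"):
    """Return a list of (rule name, finding) tuples; an empty list means no findings."""
    findings = []
    for rule in json.loads(strip_comments(config_text))[product]["rules"]:
        name, rtype = rule.get("name", "<unnamed>"), rule.get("type")
        if rtype not in REQUIRED:  # type values are case-sensitive
            findings.append((name, f"unknown type {rtype!r}"))
            continue
        for key in sorted(REQUIRED[rtype] - set(rule)):
            findings.append((name, f"missing {key!r}"))
        if rtype == "installed-package-match" and not PACKAGE_KEYS & set(rule):
            findings.append((name, "missing package list"))
        try:
            # A pattern that matches the empty string matches every value.
            if "pattern" in rule and re.search(rule["pattern"], ""):
                findings.append((name, "pattern matches everything"))
        except re.error as exc:
            findings.append((name, f"invalid regex: {exc}"))
    return findings

# Constructed sample: one rule from the page plus four deliberately faulty ones.
SAMPLE = r'''
{ "OracleJavaSE": { "rules": [
  { "name": "sqldeveloper", "type": "signature-match",
    "pattern": "java:.*/sqldeveloper/.*" },  // valid rule from the page
  { "name": "wrongcase", "type": "Machine-Match", "pattern": "Ora-Db-Server" },
  { "name": "nopkgs", "type": "machine-match", "pattern": "Ora-Db-Server" },
  { "name": "catchall", "type": "signature-match", "pattern": ".*" },
  { "name": "badregex", "type": "signature-match", "pattern": "java:(.*" }
] } }
'''
```

`lint(SAMPLE)` reports one finding for each of the four faulty rules and none for `sqldeveloper`.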