http://www.nature.com/srep/2013/130325/srep01376/full/srep01376.html

http://www.nature.com/srep/2013/130325/srep01376/full/srep01376.html

Using SMPolicyReader to Correct Differences Between Tiers

Introduction
I am currently using the SMPolicyReader to try to resolve differences between ACO settings in the various tiers [we use DEV/TST/STG/PRD].

Installation
Download from the community site. Unzip. Run the .bat file–there is video on youtube with more instructions.

Creating Exports
I generally use something simple like:

xpsexport e:\david\TST-Policy.xml -xb -npass -vT

Comparing

There are a lot of issues–the first is naming standards. For the difference engine to work either the OID’s need to be the same [which is hard to control even with mature import/export strategies] or the names must exactly match. I am trying to use name match–going back and renaming ACO’s, updating WebAgent.conf, & then restarting is not that difficult–make a copy and clean up later is safest. In any event, even with the names exactly the same you can still see challenges:
nameClash

This is because I did not select Options > Compare uses ObjectXID. Turing that off improves the comparison by only using name…

tbpDifferences

Trouble Shooting
Here is an example where a manual admin error was made on a rule which in most cases would be very difficult to track down–generally involving the need to troubleshoot with the app team. Here we can see that there is an obvious difference in the OnAccessReject rule:

issueULRFindHardOnes

Looks like it was a configuration issue in which the wrong Action was selected

issueURLWrongRepose

Easy to fix–but stuff like that can be very hard to find sometimes, APP teams often don’t test it until it is too late, and human error is always a possibility.

Issues
There are still some challenges with the tool–it would be nice if there was a setting to ignore certain fields on certain objects.

I run into challanges on some objects with attribute values I do not understand or don’t show up on the admin console, for example here is an ACO setting for IgnoreURL=2 or =0–the value of the attribute in the console for both is the same.

issueIgnoreUrl=2Compare