Updated April, 2021
With the latest release of features for vRealize Automation Cloud for September 2019, there is a new capability in VMware Service Broker which allows you to set criteria on how policies run when a consumer requests a catalog item. We call this the Service Broker Policy Criteria (I know, catchy name)! In this blog I will cover what policies currently exist in Service Broker and how the policy criteria feature can help pinpoint when the policies should be applied. Let’s get started!!
What are Service Broker Policies:
Service Broker policies are rules that you can set on a catalog item to control certain governance aspects of a request. Currently in vRealize Automation Cloud there are two policies available: Lease Policy and Day 2 Actions Policy.
- Lease Policy – This is pretty self-explanatory. How long do you want the requestor to be able to have the resources?
- Day 2 Actions Policy – This policy controls what actions a requestor can perform on a resource after it has been deployed. Details on this feature can be found here.
- Approvals – Creates a deployment approval workflow when a user requests resources
There are several more policies that will be introduced in the coming months, so stay tuned!
What are Policy Criteria and How do they work:
As you can see from the above description, Policy Criteria can help you refine, or pinpoint, when you want the policy to apply. Detailed documentation on Policy Criteria can be found here.
In the above example policy configuration I created a policy that only allows the requestor to delete the resource once it has been deployed. No other actions are allowed. In this scenario though, I don’t want it to run on every catalog item that is requested by users of the organization. This is where the policy criteria comes into play.
The above criteria is a simple expression that tells this policy to only apply to deployments that use the blueprint in Cloud Assembly named “AD-TEST”. So Blueprint is equal (eq) to AD-TEST! It’s that simple. Now when someone requests a catalog item that deploys the AD-TEST blueprint, the only action that will be available is the ability to delete the deployment.
Update:
With the March 2020 release of vRA Cloud and vRA 8.1, updated policy criteria and interface elements allow you to further refine how policies are applied to deployments. Policy criteria now includes resources. This criterion allows a user to target a collection of resources within a deployment. Also included is a new operator, has any, and new subfields for resources including cloud type, flavor, region, and resource type. Additionally, the conditions of AND or OR, plus grouping for multiple levels of criteria, have been added. Once your policy definition is complete, you can click Preview to determine how the new policy will be applied to existing deployments. This new update will allow for more granularity in your policy definitions and assignments.
For vRA 8.4, new policy criteria and operators are available that allow further granularity over deployment assignment. New resource options, CPU Count, Total Memory(MB), and tags, allow you to constrain policies to specific deployments based on configured values. New operators were added along with those resource options, including less than, greater than, and less than/greater than or equal to. Additionally, criteria such as Created By now include contains as an operator.
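The grouped criteria described in the two updates above can be reasoned about as a small expression tree. The following is an added sketch, not VMware code and not part of the original post, that models how such criteria select deployments, in the spirit of the Preview step; the dict layout, field names and operator keys are assumptions for illustration and are not the product's API.

```python
import operator

# Operator keys are a simplified stand-in for the operators named in the post (assumption).
OPS = {"eq": operator.eq, "lt": operator.lt, "gt": operator.gt,
       "lte": operator.le, "gte": operator.ge,
       "contains": lambda actual, wanted: wanted in actual}

def matches(criteria, obj):
    """True if obj (a deployment or resource dict) satisfies the criteria tree."""
    if "and" in criteria:
        return all(matches(c, obj) for c in criteria["and"])
    if "or" in criteria:
        return any(matches(c, obj) for c in criteria["or"])
    if criteria["op"] == "has any":
        # At least one item in the collection must satisfy the nested criteria.
        return any(matches(criteria["value"], r) for r in obj.get(criteria["field"], []))
    actual = obj.get(criteria["field"])
    return actual is not None and OPS[criteria["op"]](actual, criteria["value"])

def preview(criteria, deployments):
    """Names of the deployments a policy with these criteria would apply to."""
    return [d["name"] for d in deployments if matches(criteria, d)]

# Constructed sample deployments; all field names are hypothetical.
DEPLOYMENTS = [
    {"name": "ad-01", "blueprint": "AD-TEST", "createdBy": "alice@example.com",
     "resources": [{"cpuCount": 2, "totalMemoryMB": 4096, "tags": ["env:test"]}]},
    {"name": "web-01", "blueprint": "WEB", "createdBy": "bob@example.com",
     "resources": [{"cpuCount": 8, "totalMemoryMB": 16384, "tags": ["env:prod"]}]},
    {"name": "db-01", "blueprint": "DB", "createdBy": "alice@example.com",
     "resources": [{"cpuCount": 4, "totalMemoryMB": 8192, "tags": ["env:prod"]},
                   {"cpuCount": 1, "totalMemoryMB": 1024, "tags": ["env:prod"]}]},
]

# The single-expression criteria from the post: Blueprint eq AD-TEST.
BLUEPRINT_ONLY = {"field": "blueprint", "op": "eq", "value": "AD-TEST"}

# Grouped: Created By contains "alice" AND (resources has any CPU Count >= 4 OR the above).
GROUPED = {"and": [
    {"field": "createdBy", "op": "contains", "value": "alice"},
    {"or": [{"field": "resources", "op": "has any",
             "value": {"field": "cpuCount", "op": "gte", "value": 4}},
            BLUEPRINT_ONLY]},
]}

if __name__ == "__main__":
    print("blueprint only:", preview(BLUEPRINT_ONLY, DEPLOYMENTS))
    print("grouped:", preview(GROUPED, DEPLOYMENTS))
```

Deployments missing from the preview list are the ones the policy will not govern, which is the thing to check before relying on a restrictive Day 2 Actions policy.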
CPU Count criteria and new operators:
Tags criteria and new operators:
Summary:
As you can see, with policy criteria you can really pinpoint where you want policies, such as lease and day 2 action policies, to run when users request resources through the Service Broker catalog.