Reconciliation rules

Reconciliation rules specify which data sources can update a table or a set of table attributes, and they can be defined at the parent and the child table level. Ensure that there is a reconciliation rule for each data source that is authorized to update an attribute - multiple reconciliation rules can exist for the same set of attributes.

As you create reconciliation rules, keep the following principles and guidelines in mind. These principles are designed for flexibility and the refinement of rules at the attributes level.

Example reconciliation rules

For example, you might have the following reconciliation rules. The rules are created for the cmdb_ci_computer table and one of its child tables, the cmdb_ci_linux_server table. The rules specify the following:
  1. Discovery is exclusively authorized to update the name attribute in the cmdb_ci_computer table.

    Because reconciliation rules are inherited by child tables from parent tables, this rule also authorizes Discovery to update the name attribute in any child tables for the cmdb_ci_computer table.

  2. ServiceWatch is exclusively authorized to update the name attribute in the cmdb_ci_linux_server table.
  3. ServiceWatch is exclusively authorized to update all attributes in the cmdb_ci_linux_server table, as configured by leaving the Attributes field empty in the rule.

Authorization for all attributes in a table

If you want to authorize a data source to update all attributes in a table, leave the attribute list empty in the reconciliation rule for the data source. However, this authorization can be overridden for some of the attributes by rules for child tables in which specific attributes are listed.

For example, if only example rules #1 and #3 are created, then Discovery is authorized to update the name attribute in the cmdb_ci_linux_server table. ServiceWatch is authorized to update all other attributes in the table except for the name attribute.

To override the authorization of Discovery to update the name attribute, example rule #2 is added to specifically authorize ServiceWatch to update the attribute.

Authorization to only specific attributes in a table

If you want to authorize a data source to update specific attributes in a table, list these attributes in the reconciliation rule for the data source. A rule that grants access to specific attributes in a table overrides other rules with an empty attribute list that grants access to the entire table.

Example rule #1 grants Discovery with exclusive authority to update the name attribute of the cmdb_ci_computer table. All other data sources are prevented from updating the name attribute of any CI in the cmdb_ci_computer table.

Child table rules overrides parent table rules

Any reconciliation rules defined for a child table override the rules defined for its parent table.

For example, rule #1 lets Discovery update the name attribute in the cmdb_ci_computer table and all of its child tables. However, rule #2 for the cmdb_ci_linux_server child table, which overrides rule #1 for the parent table, explicitly authorizes ServiceWatch to update this attribute in the child table.

As a result:
  • Discovery cannot update the name attribute of the child cmdb_ci_linux_server table. Only ServiceWatch is authorized to update this attribute.
  • Discovery is authorized to update the name attribute of CI records in all other child tables of the cmdb_ci_computer table.

Overlapping rules

Rules that authorize different data sources for the same attributes of the same table can coexist and do not exclude each other.

For example, assume the following rule is added. It is similar to example rule #1 but authorizes a different data source:

  • ServiceWatch is authorized to update the name attribute in the cmdb_ci_computer table.
Like example rule #1, this new rule applies to the name attribute in the cmdb_ci_computer table so both Discovery and ServiceWatch can update the attribute. Any applicable data source precedence rules are enforced to prevent the data sources from overwriting each other's updates.

Domain separation

If Domain Separation is enabled, then you can scope reconciliation rules to specific domains. Rules of the parent domain, if not overridden, apply to CIs of child domain. All rules that are visible to a domain are applied, and a rule overriding the parent domain displays the child domain version.