Ability to flag fixlets

I would like to see the ability to flag fixlets with a color code. For example, if I review a fixlet as safe and deployable, I would flag it green. If it causes problems and we don’t want to deploy it, we can flag it red. Etc… Ideally the list would be sortable by flag color. It would allow us to see the status of a fixlet at a glance, instead of having to open each one up and look for comments to see if it’s safe to deploy. This could also be used by the HCL team to reset flags to a warning color in case a previously reviewed and flagged fixlet has been subsequently changed or updated or superseded by the company.

For what it’s worth, I have had an RFE/Idea for something similar but a bit more advanced (the ability not only to “rate” the fixlets but also to apply a need for “approval” on any actions submitted for the “risky” fixlets, where a secondary operator/role needs to log in and actually “approve” the action before it actually starts) for a good 8 years now. The request is currently listed as a separate use case in a comment of: https://bigfix-ideas.hcltechsw.com/ideas/BFP-I-43, but not officially committed to or at least not on the short-term agenda.


I think I would find it very difficult to generalize these use cases into something that would work for most customers. Maybe I’m not understanding some part of it.

For reviewing Fixlets and choosing whether to deploy, many customers would add their approved Fixlets into a Baseline in a Custom Site (or copy the source Fixlets themselves into Custom Sites), and then duplicate the Baseline as needed after testing. I.e., create the Baseline in a “Test Site”, send it out to some test machines, and if happy, copy the Baseline into a QA site, test on more, and then duplicate into a Production site where it is actioned to the rest of the deployment.


Well, as a use case, let’s presume I have gone through that process and have the baseline all set up. But then next month when I’m ready to build the new baseline after Patch Tuesday, there are some stragglers from last month that didn’t deploy to everything for some reason. Either there are new servers, or there was a problem patching and I had to abort. Whatever. So the patches that are still relevant to our body of computers contain many older patches that have already gone through the approval process last month. There would be no need to re-review them and look for known issues in all the KBAs all over again. We could just see that it’s flagged green, and add it to the new baseline without having to waste time looking at it again. I already do something similar with comment filtering but it’s a little tedious. Flags would make it much easier.

Have you considered creating a custom filter that searches the comments field for the string that indicates “green” or “red”?

Ideally, it should be a per-fixlet setting, so if it is a fixlet you intend to add to a baseline you can just leave the tag off and globally hide it instead. The idea is to really control what is being pushed and whether it is valid or not. It’s not whether people should be able to see or not, because they should, but whether they deploy it on those 50 machines vs the other 50. How do you safeguard if a user mistakenly selects certain machines? The use case is really to allow you to identify a certain set of fixlets as more risky and enforce additional security measures when they are being used, but the same exact operators do still need to be able to see and use them.

Agreed. For example, I have certain machines that can only be patched with KBs that are officially sanctioned and approved by the application vendor. We aren’t allowed to install anything but these approved patches on them. Right now, I have put them in their own site and build them their own special baseline of approved patches. If I could flag the fixlets that are approved and have the servers only be relevant to those flags, then I could just throw them in with the regular monthly baseline.

I do actually use comments and filtering to sort when I am building the main monthly baseline. However, I can’t see comments when I am looking at the “relevant fixlets” screen on an individual computer, unless I open each patch and look. Plus, while I can comment multiple fixlets easily enough, there is no way I’ve found to remove a comment from multiple fixlets at once. I would have to go into each one to change it.