This documentation supports the 22.1 and consecutive patch versions of BMC Helix Multi-Cloud Broker.

To view an earlier version, select the version from the Product version menu.

Multi-Factor risk assessment for Devops changes

The DevOps and IT Change Governance teams need change requests to be approved quickly so that the required updates can be deployed faster to support the business. However, the business should also be protected from bad changes by enforcing risk evaluation. To evaluate the risk level of a change created from a third-party application, BMC Helix Multi-Cloud Broker provides the Risk Calculation service. The service calculates the risk level of a change request when it is brokered from a third-party application to BMC Helix ITSM. The calculated risk level data is automatically added to the BMC Helix ITSM Change record. 

Risk management configurations

As an administrator, you can view and update the risk management configurations to define the risk value and weightage for development groups and services used to calculate the risk level of a change request. 

The following configurations are available in the Risk Management section:

Configuration namePurpose

Manage CI Property To Risk Value Mapping

Defines the risk value associated with a CI's priority or any other field on AST:BaseElement form when calculating risk level.

Important:

This value is not required for integrations developed by using BMC Helix iPaaS, powered by Jitterbit.

Manage Development Groups

Defines the risk value associated with a development group in your third-party application.

If the development group used to create a third-party record does not exist in the BMC Helix Multi-Cloud Broker configuration, it is added automatically when the third-party record is created.

By default, the risk level for the group is set to 50.

You can update this value as per your organization's requirements.

Important:

Out of the box, the third-party application may not have specific fields for development groups. You can use existing fields or add custom fields for the values of development groups associated with the third-party application record.

Manage Risk Mapping

Defines the mapping of the risk values to low, medium, and high.

Out of the box, the following values are defined:

  • Low: 0—10
  • Medium: 11—60
  • High: 61—100
Manage Risk Rules

Defines the weightage to be used when calculating the risk level.

If you add multiple rules, ensure that the total weightage of all the rules is 100.

Important:

At least one risk rule must be defined to activate the Risk Calculation service.

For more information about how the risk values are calculated, see How the risk values are calculated.

To activate the risk calculation service

To activate risk calculation, you must complete the following tasks:

TaskActionDescription

1.

Update the field mapping for Change to add the Status Reason Code in the Vendor Metadata for Jira.

To update the field mappings, see To update vendor field mappings for ITSM change.
2.

Map the Jira fields to be used for risk calculation to the Vendor Group and Service fields in BMC Helix Multi-Cloud Broker.

  • For integrations developed by using BMC Helix Integration Service, update the Create Change flow.
  • For integrations developed by using BMC Helix iPaaS, powered by Jitterbit, powered by Jitterbit, update the transformation in the Vendor Workflow operation.
2.

Configure the Sync Change flow to sync the Status reason field with the BMC Helix Multi-Cloud Broker application.

This mapping is required to sync the Status reason field so that the risk value is updated when a change is completed.

Important:

This configuration is not required not for integrations developed by using BMC Helix iPaaS, powered by Jitterbit.

3.Define a risk rule.At least one risk rule must be defined for the Risk Calculation service to be activated.

To update vendor field mappings for ITSM change 

  1. Log in to BMC Helix Multi-Cloud Broker.
  2. Click Settings .
  3. Select Configure Vendors > Manage Vendor Metadata.
  4. On the Map Vendors page, click .
  5. For the Vendor Field Mapping click .
  6. Under com.bmc.dsm.ticekt-brokering-lib:Change, add the field ID 450000159 for Remedy to Vendor Sync Fields.
  7. Save your changes.

To update a field mapping for integration templates developed by using BMC Helix Integration Service

  1. Log in to BMC Helix Integration Studio, and navigate to My Flows.
  2. Open the Create Change flow.
  3. Click the Details tab.
  4. Expand Field Mapping
  5. Map the following BMC Helix Multi-Cloud Broker fields to the third-party application field used to define the risk calculation factors:
    • Vendor Group to the field used to define the development group.
    • Service to the field used for defining the service. 
  6. Save the flow.

To update field mappings  for integration templates developed by using BMC Helix iPaaS, powered by Jitterbit

  1. Log in to BMC Helix iPaaS, and navigate to the Cloud Studio. 
  2. Open the integration template project. 

    Important

    Risk rules are applicable only for integrations with BMC Helix ITSM change requests.

  3. Select the Components tab, and search for the Prepare Create Change Data From Issue transformation of the Create MCB Change from Jira operation in Vendor Workflow.
  4. Select the transformation, click the Ellipses (...), and select View/Edit.
  5. In the target section, click the script icon for the [ 0, 1 ] Vendor_Group (string) field and add the script to map the field ID of the field associated with a development group in the third-party application in the following format:
    <trans>
    $jsonObj["issue"]["fields"]["customfield_<fieldId>"];
    </trans>

    For example, if you have a custom field Vendor Group with field ID 10155 defined in Jira, add the following script:
    <trans>
    $jsonObj["issue"]["fields"]["customfield_10155"];
    </trans>

    Important

    • Out of the box, the third-party application may not have specific fields for development groups or services. You can use existing fields or add custom fields for the values of development groups or services associated with the third-party application record.
    • If the [ 0, 1 ] Risk_Level (string) is mapped in the Prepare Create Change Data From Issue transformation, this value takes precedence over the calculated risk value.

To define a risk rule

  1. Log in to BMC Helix Multi-Cloud Broker and click Settings.
  2. Navigate to Risk Management > 4. Risk Rules > Map Risk Rules.
  3. To add a new risk rule, click +Risk Rule.
  4. Add the following values: 

    Field NameDescription
    Source Metrics

    Select the value based on the source for which you are defining the metrics:

    • Risk Metric - Development Group—Rule for a development group metric
    • Risk Metric - Technology Service—Rule for a service metric
    • Risk Metric - CI property—Rule for a CI property metric
    WeightThe weight percentage to be used for this metric when calculating the risk level.
    Technology ProviderSelect the name of the third-party application.
    StatusSelect Enable to activate the rule.
    DescriptionEnter a short description of the rule.
    CI Property Field ID

    Enter the ID of the CI property field, as defined in the Manage CI Property To Risk Value Mapping.

    This field is mandatory if you have selected Risk Metric - CI properties option in Source Metrics field.

    CI Search Qualification

    Use this field to determine additional search qualifications for requests that are sent to the AST:BaseElement form.

    This is useful when customers have multiple records with the same CI name.

  5. Click Save.

You can define multiple risk rules and add the weight percentage for each rule. The total weightage of all risk rules defined must be 100.

Example of how the risk values are calculated

  1. When an issue is created in Jira, the user selects a service and development group. 
  2. In the corresponding BMC Helix Multi-Cloud Broker record that is created, the Risk Calculation service calculates the risk level based on the Development Group, Service metrics, or CI rules defined in BMC Helix Multi-Cloud Broker.  These metrics include the risk value and the weightage for the Development Group and Service. 
    • Weightages are defined in the risk rules

    • Risk value of the development group is defined in the Development Groups configuration

    • Risk value of a service is defined from the Risk Metrics - Service record of the Risk Management service

      Example

      The risk values defined for a specific development group and Service are 5 and 50 respectively, and the risk rule defines the weightage of the development group as 70% and service as 30%, risk level is calculated as follows:

      ((5 * 70) + (50 * 30)) / (70+30) = 18.5

      Since the valid risk level for a Change record has a value ranging from 0-4 (Level 1 - Level 5), the risk value is normalized to match the range of the enum value:

      18.5 / 100 * 4 = 0.74 = 1 (round off) = Risk Level 1

    • Risk value of the development group is defined in the Development Groups configuration, and that of a CI is defined in the Manage CI Property To Risk Value Mappings configuration.

      Example

      The risk values defined for a specific development group and CI are 5 and 50 respectively, and the risk rule defines the weightage of the development group as 70% and CI as 30%, risk level is calculated as follows:

      ((5 * 70) + (50 * 30)) / (70+30) = 18.5

      Since the valid risk level for a Change record has a value ranging from 0-4 (Level 1 - Level 5), the risk value is normalized to match the range of the enum value:

      18.5 / 100 * 4 = 0.74 = 1 (round off) = Risk Level 1

      Important

      The Development, Service, or CI rules cannot be applied simultaneously. Either Development and Service or Development and CI rules are applied. CI rule takes precedence over the service rule in risk calculation. If BMC Helix Multi-Cloud Broker cannot find the CI sent by JIRA in BMC Helix ITSM, it searches for the service in the Risk Management library. The risk is calculated as per the risk weight associated with the applied rule.

  3. The risk level is added to the change record created in BMC Helix ITSM: Smart IT from the BMC Helix Multi-Cloud Broker record. 

    Important

    You can configure auto-approval rules in BMC Helix ITSM so that low risk changes are automatically approved and high risk changes are evaluated before being approved. 

    When the change request is approved and moves to Planning in Progress, the Jira issue is updated with the approval status providing the DevOps team with the current status of a change request.

  4. The Risk Calculation service tracks the status of the change requests. When the change is completed, based on the success or failure of the change, the risk level of the development team is increased or decreased by 20. However, the range of the risk level is maintained between 0 - 100, which ensures the risk levels are realistic and based on the capability of a development team to deliver a change.

    Example

    For example, the risk level defined for the development team working on the change request is set to 40. If the change they are implementing is closed successfully, the risk level of the development team is automatically reduced to (40-20)=20.

    If the change they are implementing is closed as a failure, the risk level of the development team is automatically increased to (40+20)=60.

    Note, if the risk value is 90, it is incremented to 100 for a successful change. Similarly, if the risk value is 10, it is decreased to 0 for an unsuccessful change.

Was this page helpful? Yes No Submitting... Thank you

Comments