An Attributed Compliance Test is comprised of one or more Queries. There is one distinguished Query, called the Primary Query, which will generate a (Primary) Result View that is to be tested. The testing is done by applying sets of Rules against the Primary Result View to see if the contents of the Primary Result View are valid.

There are (currently) three types of rules that are used to evaluate the content of the Results Set:

  • Must Contain Rules: these rules are a template of rows that must appear in the result set. The template is arranged in a spreadsheet-like display, and includes the Query’s Result Set. The non-null columns of each row in the Must Contain Rules specify a row that must appear in the Primary Result Set.

  • Must Not Contain Rules: similar to Must Contain Rules, the non-null columns of each row in the Must Not Contain Rules specify a row that must not appear in the Primary Result Set.

  • Match Each Row Rules: define a boolean expression, consisting of a set of boolean tests that must be matched by every row in the result set.

    Additional Queries (other than the Primary Query) may optionally be added to the Attributed Compliance Test in order to generate variable values. Variable references can then be inserted into the rules or Primary Query, allowing values from the results of other Queries to be checked against the Primary Result Set.

    Must Contain rules should be used to specify a list of things that need to be configured on the Device. For example, it might be a list of access-lists that need to be present on each Device. You can specify that the rules must be matched in order with the result set; this is useful for checking things that are naturally ordered, like the rules in a single access-list. The rules can contain a wild-card row that allows items that are not explicitly specified by the rules to appear at a particular place in the result set.

    Must Not Contain rules should be used to specify items that should not be configured on the Device. For example, you may want to check that no access-list has a “permit any” rule.

    Match Each Row rules should be used to check that the configuration of several different items matches preset criteria; for example that all the Ospf areas are configured with the same set of parameters, or that all OspfRouterSettings have a consistent set of options enabled.