Using Policy Based Management in SQL Server
As we are reviewing the new features in SQL Server, we found one that looks really interesting - Policy-Based Management. Could you help us to understand how this works and provide some examples? Can you please explain each of the components and how to manage them in the interface and with commands?
Policy-Based Management was released in SQL Server 2008. It allows you to define and enforce policies for configuring and managing SQL Server across the enterprise. Originally this feature was called the Declarative Management Framework but has since been renamed. There are a number of terms that we need to define in order to begin to understand Policy-Based Management:
- Target - an entity that is managed by Policy-Based management; e.g. a database, a table, an index, etc.
- Facet - a predefined set of properties that can be managed
- Condition - a property expression that evaluates to True or False; i.e. the state of a Facet
- Policy - a condition to be checked and/or enforced
Policy-Based Management is configured in SQL Server Management Studio (SSMS). Navigate to the Object Explorer and expand the Management node and the Policy Management node; you will see the Policies, Conditions, and Facets nodes:
Expand the Facet node to see the list of facets. Note each new version of SQL Server may add new facets.
As you can see there is a rather comprehensive collection of facets predefined in SQL Server, allowing you to manage just about every aspect of SQL Server. Double click on a facet to see the actual list of properties in the facet; e.g. double click the Database facet:
These facet properties are used to specify a condition; e.g. AutoShrink = False means that you do not want to automatically shrink database files. A policy specifies an expression that evaluates to True or False. The expression can be made up of one or more conditions logically joined by And / Or.
In this tip we are going to gain an understanding of Policy-Based Management by walking through the following demonstration:
- Create a Condition
- Create a Policy
- Evaluate a Policy
Create a Condition
The starting point in Policy-Based Management is to create a Condition. Right click on Conditions in the SSMS Object Explorer (under the Management | Policy Management node) then select New Condition from the menu. Fill in the dialog as follows:
You select a single Facet for a Condition, then enter an Expression. The Expression evaluates to either True or False. This is the essence of Policy-Based Management which will test whether the Condition is True.
Create a Policy
Right click Policies in the SSMS Object Explorer (under the Management | Policy Management node) then select New Policy from the menu. Fill in the dialog as follows:
The Check Condition drop down will include the list of conditions that you have defined. You can check Every Database in the Against targets list, or you can click the glyph (between Every and Database) and define a condition. Execution Mode can have one of the following values:
- On Demand (this is the default)
- On Schedule
- On Change - Log Only
- On Change - Prevent
The On Demand option only evaluates the policy when a user right clicks on the policy in the SSMS Object Explorer and selects Evaluate from the menu.
The On Schedule option takes advantage of SQL Agent to execute a job on a particular schedule to check the policy. After selecting On Schedule from the Execution Mode drop down list, you can click either the Pick or New button.
To pick an existing schedule, make a selection from the available options:
To create a new schedule, fill in the familiar schedule dialog:
When policy evaluation is scheduled, any violations are logged to the Windows Event Log.
The On Change - Log Only option evaluates the policy whenever the property in the facet is changed and any violation is logged to the Windows Event Log. The On Change - Prevent option evaluates the policy whenever the property in the facet is changed and actually prevents the change; this option uses DDL triggers to enforce the policy. Not all changes can be detected and rolled back by DDL triggers; the Execution Mode drop down list will include the On Change - Prevent option only when it is available.
One final note on the policy setup concerns the Enabled check box. When the Execution Mode is On Demand, the Enabled check box must be unchecked; for all other options you must check the Enabled check box in order for the policy to be evaluated.
Evaluate a Policy
To evaluate a policy on demand, right click on the policy in the SSMS Object Explorer and select Evaluate from the menu. The following is a partial screen shot of the output from evaluating a policy on demand:
The green check icon signifies that the policy evaluated to True for the databases shown. Not shown above is a Configure button that allows the user to automatically fix a target where the policy evaluates to False.
Right click on a database in the SSMS Object Explorer and select Properties from the menu. Click the Options page and change the AutoShrink property to True. Evaluate the policy again and you will see the following output:
Note the red icon with the X indicating that policy evaluation failed for a particular database. Not shown above is the Configure button which you can click to automatically change the AutoShrink property to comply with the policy.
Edit the policy and change the Execution Mode to On Change - Log Only. Select a database and change the AutoShrink property to True. Open the Windows Event Viewer, click on Application and you will see an event that was written when the policy evaluation detected the violation:
To test the On Change - Prevent Execution Mode for a policy, create a new condition and a new policy. Create a new condition as follows:
Now create a new policy as follows:
This policy will prevent a table from being created if the table name does not begin with 'tbl_'. Open a New Query window in SSMS and enter a create table script. When you execute the CREATE TABLE script you will get the following error message and the table will not be created:
CREATE TABLE sample ( message varchar(256) )
We get this error:
This transaction will be rolled back. Policy description: ''Additional help: '' : ''.
Msg 3609, Level 16, State 1, Procedure sp_syspolicy_dispatch_event, Line 50 The transaction ended in the trigger.
The batch has been aborted.
- Check out these other Policy Based Management tips.
About the author
View all my tips