Inherited Reviews #619
Replies: 2 comments
-
Sorry to necro this discussion. Is there any movement on implementing this feature? It would be extremely useful to us and would mirror the way that one can import "baseline" checklists into eMASS to be used against multiple assets.
-
Hi @tlskinneriv - Inherited reviews are not on our roadmap at this time. Most of our sponsor's users are moving towards a Continuous Monitoring approach using a tool like Evaluate-STIG that can incorporate user-provided Answer Files into its output at scan time. This lets them move that part of the process "left" a bit, so their results already contain the answers they want by the time they hit STIG Manager, and in a much more granular and configurable way than applying a baseline. We do have an API endpoint that could be used to apply a set of Reviews to all Assets in a Collection (though it is not exposed in that way in the UI), but that obviously is not true inheritance in the sense we were considering for this feature, which would be much more complex.
-
We need to support the concept that an Asset can inherit reviews from other Assets.
This Issue will spawn others for testing, docs, api, ui, etc.
Need to define this feature (this will be an incomplete list)
Terminology - "shared" (do we want to distinguish the asset sharing and the asset "borrowing"? It might be confusing if the terms do not imply which asset is "authoritative" in this context.) (alternatives considered: linked? inherited? imported? Dependent Asset? Supporting Asset?)
Level - Shared to (or borrowed by?) an Asset? Asset-STIG? Asset-STIG-Review? Entire Collection?
stats - (These Reviews borrowed by X number of assets; Shared with but overridden for X reviews on asset Y)
reports - Which assets are making use of this Assessment resource.
general implementation considerations:
Must access to this Shared assessment be granted (by whom?)? Can it be revoked? (A review Resource (at collection, asset, or asset-stig level) could mark itself "shareable" to specific Collections....)
Should the ability to "override" an inherited review have a control mechanism?
What if more than one review for a rule is shared? (could make use of Review Resources tab to show available shared reviews)
Address Collision Resolution, circular references, overrides, inheritance chains, etc.