5-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Understanding Policies
Therefore, when working with rule-based policies such as access rules, you must use discretion when
choosing these options. Use inheritance to supplement the local rules on the device with additional rules
from a parent policy. Use assignment to replace the policy on the device with a selected shared policy.
Tip To prevent you from overwriting your local rules by mistake, Security Manager displays a warning message when
you select the Assigned Shared Policy option for a rule-based policy. The message gives you the
option of inheriting the rules of the policy instead of assigning it. Choose the inheritance option if you
want to preserve your local rules.
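The difference between inheriting and assigning a shared rule-based policy, modelled in Python as an added example (this is not Security Manager code, and the rule names, device names, and the `confirm_overwrite` guard are constructed for the illustration; the relative order of inherited parent rules and local rules is simplified here and is not taken from this page):

```python
"""Model of inheritance vs. assignment for a rule-based policy.

Inheritance keeps the device's local rules and supplements them with the
parent policy's rules; assignment replaces the local rules with the shared
policy. The assign() step mirrors the guide's warning by refusing to discard
local rules unless the caller explicitly confirms the overwrite.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "permit" or "deny"
    source: str
    dest: str


@dataclass
class RulePolicy:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Device:
    name: str
    local: RulePolicy                       # the device's own (local) rules
    parent: Optional[RulePolicy] = None     # shared policy inherited from, if any
    assigned: Optional[RulePolicy] = None   # shared policy assigned, if any


def inherit(device: Device, shared: RulePolicy) -> None:
    """Local rules stay; the shared policy becomes the parent."""
    device.parent = shared
    device.assigned = None


def assign(device: Device, shared: RulePolicy, *, confirm_overwrite: bool = False) -> None:
    """Replace the device's policy. Local rules would be lost, so require
    an explicit confirmation (the model's stand-in for the GUI warning)."""
    if device.local.rules and not confirm_overwrite:
        raise ValueError(
            f"{device.name}: assigning {shared.name!r} discards "
            f"{len(device.local.rules)} local rule(s); inherit instead to keep them"
        )
    device.assigned = shared
    device.parent = None


def effective_rules(device: Device) -> List[Rule]:
    """Rules that end up on the device under the current relationship."""
    if device.assigned is not None:
        return list(device.assigned.rules)
    rules = list(device.local.rules)
    if device.parent is not None:
        # Parent rules supplement the local ones (ordering simplified; assumption).
        rules.extend(device.parent.rules)
    return rules


def demo() -> dict:
    """Constructed scenario: one device inherits, another is assigned."""
    local_rules = [Rule("allow-mgmt", "permit", "10.0.0.0/24", "any")]
    shared = RulePolicy("corp-baseline", [Rule("deny-telnet", "deny", "any", "any")])

    fw1 = Device("fw1", RulePolicy("local", list(local_rules)))
    inherit(fw1, shared)

    fw2 = Device("fw2", RulePolicy("local", list(local_rules)))
    try:
        assign(fw2, shared)          # refused: local rules would be overwritten
        warned = False
    except ValueError:
        warned = True
    assign(fw2, shared, confirm_overwrite=True)

    return {
        "inherited": [r.name for r in effective_rules(fw1)],
        "assigned": [r.name for r in effective_rules(fw2)],
        "warned": warned,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the practical difference the tip is about: the inheriting device keeps `allow-mgmt` and gains `deny-telnet`, while the assigned device is left with only the shared policy's rule.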
Related Topics
Understanding Rule Inheritance, page 5-4
Inheriting or Uninheriting Rules, page 5-43
Local Policies vs. Shared Policies, page 5-3
Settings-Based Policies vs. Rule-Based Policies, page 5-2
Policy Management and Objects
Objects make it easier to configure policies in Security Manager by providing a set of values with a
logical, easy-to-remember name that can be applied wherever it is needed. For example, you can define
a network/host object called MyNetwork that contains a set of IP addresses in your network. Whenever
you configure a policy requiring these addresses, you can simply refer to the MyNetwork object instead
of manually entering the addresses each time.
When you define a policy, you can create objects on the fly by clicking the Select button next to any field
that accepts an object as a value. For more information, see Selecting Objects for Policies, page 6-2. You
can also create and manage objects system-wide from the Policy Object Manager, page 6-4.
Policy objects are also created when you discover policies that already exist on a device. You can
discover policies when you add a device to the Security Manager inventory, or you can discover policies
on devices that are already in the inventory, as described in Discovering Policies, page 5-12. You can
configure Security Manager to reuse already-defined policy objects for newly-discovered policies. For
more information on configuring policy object settings for discovery, see Discovery Page, page 11-21.
Certain types of objects enable you to override their predefined values at the device level, which enables
you to use an object in a policy while retaining the ability to customize particular values. For more
information, see Understanding Policy Object Overrides for Individual Devices, page 6-17.
For more information about objects and how to use them when defining policies, see Chapter 6,
“Managing Policy Objects”.
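A small model of the three object behaviours described above, written in Python as an added example (not Security Manager code): a named network object referenced from a rule, a per-device override of its values, and discovery that reuses an existing object whose values match. The `@Name` reference syntax, the object and device names, and the address values are all constructed for the illustration.

```python
"""Model of policy objects: named value sets, device-level overrides, and
object reuse during discovery. Names and addresses are constructed."""
from typing import Dict, List, Optional


class NetworkObject:
    """A named set of addresses that may carry per-device override values."""

    def __init__(self, name: str, addresses: List[str]) -> None:
        self.name = name
        self.default = sorted(addresses)
        self.overrides: Dict[str, List[str]] = {}

    def set_override(self, device: str, addresses: List[str]) -> None:
        """Customize the object's values for one device only."""
        self.overrides[device] = sorted(addresses)

    def values_for(self, device: str) -> List[str]:
        """Override for this device if one exists, otherwise the shared values."""
        return list(self.overrides.get(device, self.default))


class ObjectStore:
    """System-wide object table (stands in for the Policy Object Manager)."""

    def __init__(self) -> None:
        self.objects: Dict[str, NetworkObject] = {}

    def add(self, obj: NetworkObject) -> NetworkObject:
        if obj.name in self.objects:
            raise KeyError(f"object {obj.name!r} already exists")
        self.objects[obj.name] = obj
        return obj

    def find_by_values(self, addresses: List[str]) -> Optional[NetworkObject]:
        wanted = sorted(addresses)
        for obj in self.objects.values():
            if obj.default == wanted:
                return obj
        return None

    def discover(self, name: str, addresses: List[str], reuse: bool) -> NetworkObject:
        """Discovery of a value set found on a device. With reuse enabled, an
        existing object with identical values is referenced instead of creating
        a duplicate (the reuse rule here is an assumption for the model)."""
        if reuse:
            existing = self.find_by_values(addresses)
            if existing is not None:
                return existing
        return self.add(NetworkObject(name, addresses))


def render_rule(rule: Dict[str, str], store: ObjectStore, device: str) -> List[str]:
    """Expand an '@Name' object reference in the source field into one line per
    address, using the device-specific values if an override exists."""
    src = rule["source"]
    if src.startswith("@"):
        sources = store.objects[src[1:]].values_for(device)
    else:
        sources = [src]
    return [f"{rule['action']} {s} -> {rule['dest']}" for s in sources]


def demo() -> dict:
    store = ObjectStore()
    net = store.add(NetworkObject("MyNetwork", ["10.1.0.0/24", "10.1.1.0/24"]))
    net.set_override("branch-fw", ["192.168.5.0/24"])   # branch uses its own range
    rule = {"action": "permit", "source": "@MyNetwork", "dest": "any"}

    same_values = ["10.1.1.0/24", "10.1.0.0/24"]        # same set, different order
    reused = store.discover("discovered-net-1", same_values, reuse=True)
    fresh = store.discover("discovered-net-1", same_values, reuse=False)

    return {
        "hq": render_rule(rule, store, "hq-fw"),
        "branch": render_rule(rule, store, "branch-fw"),
        "reused_name": reused.name,
        "fresh_name": fresh.name,
        "object_count": len(store.objects),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same rule renders differently for `hq-fw` and `branch-fw` because only the object's values change, not the policy that references it; and with reuse on, discovery returns the existing `MyNetwork` rather than a second object with the same addresses.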
Related Topics
Understanding Policies, page 5-1
Understanding Policy Locking
Security Manager has a policy locking mechanism that is useful in organizations where several people
have the authority to make configuration changes. It prevents a potential situation in which two or more
people are making changes to the same device, policy, policy assignment, or object at the same time.
When a lock is applied, a message is displayed across the top of the work area to other users who access
that device or policy.