1-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 1 Getting Started with Security Manager
Using Configuration Manager - Overview
In non-Workflow mode, submitting and deploying your changes can be done in a single action. In
Workflow mode, you first submit your activity and then you create a deployment job to deploy your
changes.
For more information, see Chapter 8, “Managing Deployment”.
Policy and Policy Object Overview
A policy is a set of rules or parameters that define a particular aspect of network configuration. In
Configuration Manager, you define policies that specify the security functionality you want on your
devices. Security Manager translates your policies into CLI commands that can be deployed to the
relevant devices.
Security Manager enables you to configure local policies and shared policies.
• Local policies are confined to the device on which they are configured; they are automatically
assigned (applied) to the device when you configure them. Unconfigured policies (those whose
default settings you do not change) are not considered to be assigned or configured. To remove a
policy, you unassign it.
• Shared policies are named, reusable policies that can be assigned to multiple devices at once. Any
changes you make to a shared policy are reflected on all devices to which that policy is assigned, so
you do not have to make the change on each device.
When you add a device to the inventory, you can discover the existing policies configured on the device.
Security Manager translates your device configuration into Security Manager policies, populates the
relevant local policies, and assigns them to the device. Policy discovery ensures that you do not need to
recreate your existing configurations in Security Manager terms. You can also rediscover policies on
devices after you add them to the inventory if you change their configuration through the CLI.
When you create policies, you often have the option to use policy objects, which are reusable definitions
of related sets of values. (Sometimes, you are required to use policy objects.) For example, you can
define a network object called MyNetwork that contains a set of IP addresses in your network. Whenever
you configure a policy requiring these addresses, you can simply refer to the MyNetwork network object
rather than manually entering the addresses each time. Furthermore, you can make changes to policy
objects in a central location and these changes will be reflected in all the policies that reference those
objects.
For more detailed information, see Understanding Policies, page 5-1 and Chapter 6, “Managing Policy
Objects”.
Workflow and Activities Overview
To provide flexible, secure policy management while allowing your organization to implement change
control processes, Security Manager provides three closely-related features in Configuration Manager:
• Workflow/Non-Workflow modes—Configuration Manager provides two modes of operation that
scale to different organizational working environments: Workflow mode and non-Workflow mode
(the default).
  - Workflow Mode—Workflow mode is for organizations that have division of responsibility
between users who define security policies and those who administer security policies. It
imposes a formal change-tracking and management system by requiring all policy configuration
to be done within the context of an explicitly-created activity. A user can create multiple