1-19
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 1 Getting Started with Security Manager
Using Configuration Manager - Overview
activities so that a single activity contains only logically-related policy changes. You can
configure Workflow mode to require a separate approver, so that configuration changes cannot
be made without oversight. After approval, the user defines a separate deployment job to push
the policy changes to the devices. For more information, see Working in Workflow Mode,
page 1-19.
Non-Workflow Mode—In non-Workflow mode, you do not explicitly create activities. When
you log in, Configuration Manager creates an activity for you or opens the one you were
previously using if it was not submitted. You can define and save your policies, and then submit
and deploy them in one step. For more information, see Working in Non-Workflow Mode,
page 1-20.
For information on selecting a mode, see Changing Workflow Modes, page 1-26.
Activities or Configuration Sessions—An activity (in non-Workflow mode, a configuration
session) is essentially a private view of the Security Manager database. In Configuration Manager,
you use activities to control changes made to policies and policy assignments. Adding devices to the
inventory does not involve an activity, however, unless you discover policies that define security
contexts (on multi-context firewall devices) or virtual sensors (on IPS devices). Isolating policy
changes in activities helps prevent “work in progress” from accidentally making it into active device
configurations. For more information about activities and configuration sessions, see Understanding
Activities, page 4-1 and Working with Activities/Tickets, page 4-7.
Ticket Management—Ticket management allows you to associate a Ticket ID with policy
configuration changes made in Security Manager. Ticket management works in coordination with
activities or configuration sessions depending on whether you have workflow mode enabled or not.
If workflow mode is enabled, you can also enable ticket management so that a Ticket ID can
optionally be associated with a specific activity. If workflow mode is not enabled, ticket
management requires that all changes be made as part of a ticket and that the ticket be
submitted before those changes can be deployed. In this respect, ticket management with workflow
disabled is very similar to how activities function when workflow is enabled; however, no approval
of submitted tickets is required.
For a comparison of the various modes of operation, see Comparing Workflow Modes, page 1-20.

Working in Workflow Mode

Workflow mode is an advanced mode of operation that imposes a formal change-tracking and
change-management system. Workflow mode is suitable for organizations in which there is division of
responsibility among security and network operators for defining policies and deploying those policies
to devices. For example, a security operator might be responsible for defining security policies on
devices, another security operator might be responsible for approving the policy definitions, and a
network operator might be responsible for deploying the resulting configurations to a device. This
separation of responsibility helps maintain the integrity of deployed device configurations.
You can use Workflow mode with or without an approver. When using Workflow mode with an approver,
device management and policy configuration changes performed by one user are reviewed and approved
by another user before being deployed to the relevant devices. When using Workflow mode without an
approver, device and policy configuration changes can be created and approved by a single user, thus
simplifying the change process.
Note: Workflow mode works in the same manner whether Ticket Management is enabled or not. Enabling
Ticket Management in Workflow mode simply enables the Ticket field for use with Activities. Entering
a ticket ID is not required, but if one is used, the Ticket field can be configured to link to an external
change management system. For more information, see Ticket Management.