
Policy inheritance with Enterprise Scanner policies
The inheritance properties of policies in SiteProtector provide a flexible and efficient method for setting up your scanning environment in a hierarchical group structure.
General inheritance behavior
In general, inheritance works as follows:
- When you define a policy for a group in your group structure, the policy automatically applies to the subgroups for the group unless a subgroup already has its own version of the policy. Then, that subgroup retains its version of the policy.
- You can break the inheritance at any level in the group structure by redefining (overriding) the policy for a subgroup. When you define a policy for a subgroup, the changes apply to its subgroups.
- If you have defined a policy for a subgroup that you want to apply to groups above it, you can promote the policy to a higher group.
Inheritance with Enterprise Scanner policies
As you plan your Site grouping structure for vulnerability management, keep these points in mind:
- Most asset policies follow the general rules of inheritance.
- Many agent policies apply only to a single agent or scanning network interface.
- Some asset and some agent policies have specialized inheritance characteristics. These differences are described in more detail in the following topics.
Inheritance indicators
When you select a group in the left pane of the SiteProtector Console, policies applicable to the group are displayed in the right pane. The inheritance indicators of the policies are displayed in the Inheriting From column as follows:
Table 4. Policy inheritance indicators
| If the Inheriting From Value is... | Then... |
| --- | --- |
| blank | The policy is defined at the group level/agent selected in the left pane. |
| UNCONFIGURED | You have chosen to override the policy with one that is defined higher in the group structure, but a defined. |
| a_group_name | The policy is inherited from the referenced group. |
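The general inheritance rules and the Inheriting From indicator described above, modeled as an added Python example (not SiteProtector code and not part of the original documentation). The group names, the policy name `example_policy`, and the promote behaviour (the definition moves up to the ancestor, so the subgroup then inherits it) are assumptions made for illustration.

```python
# Added illustration of the inheritance rules; all names and values are constructed.

class Group:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.policies = {}  # policy name -> settings defined AT this group

    def define(self, policy, settings):
        """Define (or override) a policy here, breaking inheritance at this level."""
        self.policies[policy] = settings

    def resolve(self, policy):
        """Return (settings, inheriting_from) as seen when this group is selected.

        inheriting_from is "" (blank) when the policy is defined at this group,
        otherwise the name of the nearest ancestor that defines it.
        (None, None) means no group in the chain defines it (this model's own
        convention, not a console indicator).
        """
        node = self
        while node is not None:
            if policy in node.policies:
                return node.policies[policy], "" if node is self else node.name
            node = node.parent
        return None, None

    def promote(self, policy, target):
        """Assumption: promotion moves this group's definition up to `target`."""
        node = self.parent
        while node is not None and node is not target:
            node = node.parent
        if node is None:
            raise ValueError(f"{target.name} is not an ancestor of {self.name}")
        target.policies[policy] = self.policies.pop(policy)


def build_sample():
    """Constructed hierarchy: Site > Datacenter > DMZ, and Site > Office."""
    site = Group("Site")
    dc = Group("Datacenter", site)
    dmz = Group("DMZ", dc)
    office = Group("Office", site)
    site.define("example_policy", {"profile": "baseline"})
    dmz.define("example_policy", {"profile": "strict"})  # overrides Site's version
    return site, dc, dmz, office
```

Walking every group through `resolve` gives a quick audit of where inheritance has been broken, which is the same information the Inheriting From column shows one group at a time.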
Initially blank or unconfigured?
The initial inheritance indicators for agent policies can be blank or unconfigured depending on whether you override SiteProtector group settings when you register your agent with SiteProtector:
- If you override the settings, the settings for the agent are applied to the SiteProtector policies, so that the Inheriting From column is blank.