Infrastructure Change Management
Enforce standardized processes for rule and group changes through automated workflows that ensure consistency, compliance, and operational efficiency.
Infrastructure Change Management guides you through using SecureChange to:
- Enforce consistent, policy-driven processes for infrastructure lifecycle events such as cloning and decommissioning.
- Reduce manual effort and improve operational control.
Why this matters
- Replace inconsistent manual changes with standardized, policy-driven execution.
- Standardize infrastructure object changes through controlled workflows.
- Enforce structured workflows for infrastructure lifecycle events such as clone and decommission.
Who this is for
- Change requestors responsible for submitting access-related change requests.
- Designer/Verifier experts responsible for validating rule changes.
- Change managers responsible for overseeing workflow execution and approvals.
- Operational managers responsible for ensuring workflow adoption across teams.
Key capabilities
Infrastructure Change Management uses the following SecureChange workflows:
- Decommission Network Object workflow, to remove specified servers or other network objects from all firewall rules.
- Clone Network Object Policy workflow, to reuse the policies, objects, and all existing connections of the original server by cloning them to other servers.
Prerequisites
For user assignment:
- RBAC for users and user groups
- If needed, LDAP integration with SecureChange
Step 1: Create and configure Decommission Network Object workflow
Begin by creating and configuring the Decommission Network Object workflow.
The workflow:
- Removes an unused network object from security policy.
- Identifies the rules that reference the object and determines whether to remove the object or the entire rule.
- Verifies and implements the required policy changes through configured workflow steps.
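The decision between removing the object and removing the entire rule can be pictured with the small Python model below. It is an added example, not SecureChange's own logic or API: the `Rule` class, the constructed rule names, and the criterion that a rule is removed when the object is the only member of its source or destination are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str            # assumed unique within the rule base
    source: tuple
    destination: tuple

def plan_decommission(rules, obj):
    """Return (action, rule name, fields) for every rule that references obj."""
    plan = []
    for rule in rules:
        hits = [f for f in ("source", "destination") if obj in getattr(rule, f)]
        if not hits:
            continue  # rule does not reference the object
        # Assumption: if obj is the only member of a field, deleting just the
        # object would leave that field empty, so the whole rule is removed.
        emptied = [f for f in hits if set(getattr(rule, f)) == {obj}]
        if emptied:
            plan.append(("remove_rule", rule.name, tuple(emptied)))
        else:
            plan.append(("remove_object", rule.name, tuple(hits)))
    return plan

def apply_plan(rules, obj, plan):
    """Return the rule base that results from applying the plan."""
    actions = {name: action for action, name, _ in plan}
    result = []
    for rule in rules:
        action = actions.get(rule.name)
        if action == "remove_rule":
            continue
        if action == "remove_object":
            rule = Rule(rule.name,
                        tuple(o for o in rule.source if o != obj),
                        tuple(o for o in rule.destination if o != obj))
        result.append(rule)
    return result

# Constructed sample rule base (not taken from any real device).
RULES = [
    Rule("web-in", ("any",), ("srv-old", "srv-web2")),
    Rule("db-sync", ("srv-old",), ("srv-db1",)),
    Rule("dns-out", ("srv-web2",), ("dns1",)),
]

if __name__ == "__main__":
    plan = plan_decommission(RULES, "srv-old")
    print(plan)
    print(apply_plan(RULES, "srv-old", plan))
```

Reviewing the plan before applying it corresponds to the verification step: after the change, no remaining rule should reference the decommissioned object, and no rule should be left with an empty source or destination.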
Use SecureChange's Workflows to create the workflow.
Create workflow
If you already have a Decommission Network Object workflow, select it and update the settings. Otherwise, create a new custom workflow.
- Click New Workflow.
- Define the Name and the Description.
- From the Type list, select Decommission network object.
See Creating a workflow from templates.
Configure workflow properties
Define the settings for the workflow behavior and for how handlers and owners can interact with it.
- Click Workflow properties and make sure to configure the following settings.
Confirmation settings
Select both Confirmation settings:
- To allow requester to manually confirm request, and automatically confirm after <num> days.
- Define the starting phase of the ticket to allow optional skip-ahead.
Related ticket settings
Select to allow linking to previously submitted tickets for context.
Designer and Verifier options
Make sure Allow advanced customization of rule optimization is selected.
Related ticket referencing (optional)
Allow linking to previously submitted tickets for context.
See Configuring workflow properties.
Configure workflow steps and user assignments
For each workflow step, configure the step field and, depending on your scenario, the Designer, Verifier, and implementation options.
Define step field
For each step, define which fields are editable, visible, or mandatory, including:
- Decommission network object
- Comments
- Other custom fields, such as business justification and change start/end date.
Use Designer to analyze the requested change
Configure the step to run Designer for the requested change. Designer analyzes the change and provides recommendations and instructions for the required policy updates based on the workflow type.
Use Verifier for verification
Configure the step to run Verifier to review the proposed changes before implementation. Verifier confirms that the Designer-suggested changes can be provisioned or manually applied successfully.
Add implementation after verification
Configure implementation to execute the approved change in addition to analysis. Where applicable, include the option to update policies on the device and commit the policy changes.
User assignment
Assign steps to users or groups using these options from the Assignment mode list:
- Auto-assignment
- Role-based conditions
- Dynamic rules based on request content
See Decommission network object field.
Activate the workflow
After validating all workflow steps, activate the workflow to make it available for users to submit and track change requests.
- Set Workflow status to Active.
- Save the workflow.
Step 2: Create and configure Clone Network Object Policy workflow
Create the second workflow for automated infrastructure change management: Clone Network Object Policy. This workflow manages the policy changes required when an existing server is cloned.
The settings are identical to the Decommission Network Object workflow, except for the workflow type and the step field, where you select Clone network object policy.
The workflow:
- Identifies the affected rules.
- Supports validation of the required updates.
- Guides implementation so that cloned environments are brought online in a controlled and consistent way.
Use SecureChange's Workflows to create the workflow.
Create workflow
If you have a Clone Network Object Policy workflow, select it and update the settings. Otherwise, create a new custom workflow.
- Click New Workflow.
- Define the Name and the Description.
- From the Type list, select Clone network object policy.
See Creating a workflow from templates.
Configure workflow properties
Define the settings for the workflow behavior and for how handlers and owners can interact with it.
- Click Workflow properties and make sure to configure the settings below.
Confirmation settings
Select both Confirmation settings:
- To allow requester to manually confirm request, and automatically confirm after <num> days.
- Define the starting phase of the ticket to allow optional skip-ahead.
Related ticket settings
Select to allow linking to previously submitted tickets for context.
Designer and Verifier options
Make sure Allow advanced customization of rule optimization is selected.
Related ticket referencing (optional)
Allow linking to previously submitted tickets for context.
See Configuring workflow properties.
Configure workflow steps and user assignments
For each workflow step, configure the step field and, depending on your scenario, the Designer, Verifier, and implementation options.
Define step field
For each step, define which fields are editable, visible, or mandatory, including:
- Clone network object policy
- Comments
- Other custom fields, such as business justification and change start/end date.
Use Designer to analyze the requested change
Configure the step to run Designer for the requested change. Designer analyzes the change and provides recommendations and instructions for the required policy updates based on the workflow type.
Use Verifier for verification
Configure the step to run Verifier to review the proposed changes before implementation. Verifier confirms that the Designer-suggested changes can be provisioned or manually applied successfully.
Add implementation after verification
Configure implementation to execute the approved change in addition to analysis. Where applicable, include the option to update policies on the device and commit the policy changes.
User assignment
Assign steps to users or groups using these options from the Assignment mode list:
- Auto-assignment
- Role-based conditions
- Dynamic rules based on request content
See Clone network object policy field.
Activate the workflow
After validating all workflow steps, activate the workflow to make it available for users to submit and track change requests.
- Set Workflow status to Active.
- Save the workflow.