Rule and Group Management
Enforce standardized processes for rule and group changes through automated workflows that ensure consistency, compliance, and operational efficiency.
Rule and Group Management guides you through using SecureChange workflows to manage automated changes for rules and groups in two ways:
- By updating group membership
- By modifying firewall rule components
These workflows help enforce consistent, policy-driven processes for rule and group changes, reduce manual effort, and improve operational control.
Why this matters
- Replace inconsistent manual changes with standardized, policy-driven execution.
- Standardize rule and group changes through controlled workflows.
- Enforce structured workflows for rule and group updates.
Who this is for
- Firewall administrators responsible for executing rule and object updates via workflows.
- Change managers responsible for monitoring process adherence and approvals.
- Policy owners responsible for standardization and governance.
- Operational managers responsible for ensuring workflow adoption across teams.
Key capabilities
Rule and Group Management uses the following SecureChange workflows:
- Modify Group workflow, to add or remove objects from a group of network objects.
- Rule Modification workflow, to update firewall rules by adding or removing devices or services in the access request fields.
Use the workflow that best fits your use case.
Prerequisites
For user assignment:
- RBAC for users and user groups
- If needed, LDAP integration with SecureChange
Step 1: Create and configure Modify Group workflow
This step describes how to create and configure the Modify Group workflow for group changes. This workflow allows you to select a group of network objects from a device and add or remove objects.
To use the Rule Modification workflow instead, go to Step 2.
Use SecureChange's Workflows to create the workflow.
Create workflow
If you already have a Modify Group workflow, select it and update the settings. Otherwise, create a new custom workflow.
- Click New Workflow.
- Define the Name and the Description.
- From the Type list, select Decommission network object.
See:
Creating a workflow from templates
Configure workflow properties
Define the settings for the workflow behavior and for how handlers and owners can interact with it.
- Click Workflow properties and make sure to configure the following settings.
Confirmation settings
Select both Confirmation settings:
- To allow requester to manually confirm request, and automatically confirm after <num> days.
- Define the starting phase of the ticket to allow optional skip-ahead.
Related ticket settings
Select to allow linking to previously submitted tickets for context.
Designer and Verifier options
Make sure Allow advanced customization of rule optimization is selected.
Related ticket referencing (optional)
Allow linking to previously submitted tickets for context.
See Configuring workflow properties.
Configure workflow steps and user assignments
For each workflow step, configure the step field and, based on your scenario, the Designer, Verifier, and implementation options.
Define step field
For each step, define which fields are editable, visible, or mandatory, including:
- Modify group
- Comments
- Other custom fields like business justification, and change start/end date.
Use Designer to analyze the requested change
Configure the step to run Designer for the requested change. Designer analyzes the change and provides recommendations and instructions for the required policy updates based on the workflow type.
Use Verifier for verification
Configure the step to run Verifier to review the proposed changes before implementation. Verifier confirms that the Designer-suggested changes can be provisioned or manually applied successfully.
Add implementation after verification
Configure implementation to execute the approved change in addition to analysis. Where applicable, include the option to update policies on the device and commit the policy changes.
User assignment
Assign steps to users or groups using these options from the Assignment mode list:
- Auto-assignment
- Role-based conditions
- Dynamic rules based on request content
See:
Activate the workflow
After validating all workflow steps, activate the workflow to make it available for users to submit and track change requests.
- Set Workflow status to Active.
- Save the workflow.
Step 2: Create and configure Rule Modification workflow
This step describes how to create and use the Rule Modification workflow for rule and group changes. Use the workflow for quick remediation actions for firewalls and to update firewall rules by adding or removing devices or services in the Source, Destination, and Service fields.
To use the Modify Group workflow instead, follow Step 1.
The settings are identical to the Modify Group workflow, except for the workflow type and the step field, where you select Rule modification.
Use SecureChange's Workflows to create the workflow.
Create workflow
If you already have a Rule Modification workflow, select it and update the settings. Otherwise, create a new custom workflow.
- Click New Workflow.
- Define the Name and the Description.
- From the Type list, select Rule Modification.
See:
Creating a workflow from templates
Configure workflow properties
Define the settings for the workflow behavior and for how handlers and owners can interact with it.
- Click Workflow properties and make sure to configure the settings below.
Confirmation settings
Select both Confirmation settings:
- To allow requester to manually confirm request, and automatically confirm after <num> days.
- Define the starting phase of the ticket to allow optional skip-ahead.
Related ticket settings
Select to allow linking to previously submitted tickets for context.
Designer and Verifier options
Make sure Allow advanced customization of rule optimization is selected.
Related ticket referencing (optional)
Allow linking to previously submitted tickets for context.
See Configuring workflow properties.
Configure workflow steps and user assignments
Because design, verification, and implementation occur in different places, configure separate steps for Designer, Verifier, and implementation based on your use case.
Define step field
For each step, define which fields are editable, visible, or mandatory, including:
- Rule Modification
- Comments
- Other custom fields like business justification, and change start/end date.
Use Designer to analyze the requested change
Configure the step to run Designer for the requested change. Designer analyzes the change and provides recommendations and instructions for the required policy updates based on the workflow type.
Use Verifier for verification
Configure the step to run Verifier to review the proposed changes before implementation. Verifier confirms that the Designer-suggested changes can be provisioned or manually applied successfully.
Add implementation after verification
Configure implementation to execute the approved change in addition to analysis. Where applicable, include the option to update policies on the device and commit the policy changes.
User assignment
Assign steps to users or groups using these options from the Assignment mode list:
- Auto-assignment
- Role-based conditions
- Dynamic rules based on request content
See:
Activate the workflow
After validating all workflow steps, activate the workflow to make it available for users to submit and track change requests.
- Set Workflow status to Active.
- Save the workflow.