Mapping Rule Owners and Rules

Overview

The App Administrator must map Rule Owners to the rules (assets) for the network devices (network, IP, or range of IPs) for which they are responsible. After this mapping, the Rule Lifecycle Management App (RLM) can retrieve rules from SecureTrack that need a certification decision and alert the corresponding Rule Owners about their rules.

Once the Rule Owners are mapped to the rules (assets) for which they are responsible, a job runs (frequency depends on configuration settings) to retrieve rules that require a certification decision. The criteria for these rules include the following:

  • Rules that will expire based on the Rule Recertification settings.

  • Rules that have already expired.

  • Rules that do not have any certification.

  • Rules based on the source and destination setting.

For more information, see Rule Recertification settings.

Rule Owners receive an email notification that they have rules which require a certification decision.

Prerequisites

  • Rule Owners in RLM must be SecureChange users. For SecureChange login credentials, contact your TOS Administrator.

  • Use either Google Chrome or Mozilla Firefox internet browser for RLM.

What Can I Do?

There are two pages for owners:

Add Owners and Assets

  1. Click and select the Assets tab.

    The Owners and Assets page appears:

  2. Add owner-asset entries individually or import multiple entries using CSV:

    • Individually:

      1. From the Actions list, select Add a new owner and complete the fields in the Edit Owner window.

        • Use the Group toggle to create a group of assets. RLM enables the Group toggle for groups in the Owner list.

          If an owner belongs to a group, the group permissions take precedence over the owner permissions.
        • When adding objects in the Object Name field, the objects are retrieved from SecureTrack and the names that you enter must fully match those defined in SecureTrack.

      2. Click Save.

        A new row appears in the Owners and Assets table.

      You can also use this procedure to reassign rules to another Rule Owner. Update the assets and run the Sync process to update the rules' ownership.

    • Import using CSV: You can use a CSV file to upload multiple owners and assets.

      Here is an example as a text file:

      Use a comma (,) as a delimiter. Use quote marks (" ") to group multiple values that are separated by commas.

      Here is an example as an Excel worksheet:

      The CSV includes the following columns:

      RLM uses the column names to match values during import. The order of the columns is irrelevant.

      Column         Description
      application    Word or phrase to associate with the asset.
      asset_name     List of assets.
      asset_values   Values for the assets.
      description    Description for the owner-asset pairing.
      objects        List of objects in SecureTrack. If an object name is not exact, the whole row is excluded.
      owner          Owner name or name of a group of owners. This name must match the SecureChange user name exactly.

      1. From the Actions list, select Import Owners.

      2. Select the Excel file with the owner-asset information.

        Depending on the volume of data, the upload may take some time.

      3. Run a scan to update the rules based on the new uploaded data (see Run a Manual Scan).

    After you define the owners and their assets, Rule Owners can make certification decisions about the rules for which they are responsible.

Import Owners using API

You can use the API to upload owner and asset information.

  • API URL is https://<Server_IP>/apps/rlm/api/owners.

  • HTTP method is POST.

  • Authentication must use OAuth2 and must be completed before importing owner data through the API. The required fields are as follows:

    Field               Value
    Grant type          Resource Owner Password Credentials
    Username/password   Credentials for the API user
    Access Token URL    https://<Server_IP>/apps/rlm/oauth/token
    Client ID           securechange
    Client Secret       123

  • JSON payload must have the following structure:

    {
        "owners": [
            {
                "owner": {
                    "name": "<NAME>"
                },
                "asset": {
                    "name": "<GROUP>",
                    "values": [
                        "<IP_VALUES>"
                    ],
                    "objects": ["<EXACT_NAME_OF_OBJECTS_AS_IN_SECURETRACK>"]
                },
                "applications": "<APPLICATIONS>",
                "description": "<DESCRIPTION>"
            }
        ]
    }
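
A pre-import check for the owner mapping, as an added example that is not part of the product documentation: it converts a CSV in the documented column layout into the JSON payload shown above and rejects rows with no owner or a malformed address before anything is posted. The CSV-to-JSON field mapping and the start-end range syntax are assumptions, and the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample in the CSV layout described above (not product data).
SAMPLE_CSV = '''owner,asset_name,asset_values,objects,application,description
alice,web-dmz,"10.1.0.0/24,10.1.1.5",,Storefront,DMZ web tier
bob,db-core,10.2.0.300,,Billing,Malformed address
,orphan,10.3.0.0/16,,Legacy,Row with no owner
carol,mail,192.0.2.10-192.0.2.20,Mail_Servers,Mail,Range plus object
'''

def _split(cell):
    """Split a multi-value cell on commas, dropping blanks."""
    return [v.strip() for v in (cell or "").split(",") if v.strip()]

def _valid_ip_value(value):
    """Accept an IP, a CIDR network, or a start-end range (assumed syntax)."""
    try:
        if "-" in value:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            return lo.version == hi.version and lo <= hi
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def build_payload(csv_text):
    """Return (payload, rejected); rejected holds (csv_line, reason) pairs."""
    owners, rejected = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        owner = (row.get("owner") or "").strip()
        values = _split(row.get("asset_values"))
        bad = [v for v in values if not _valid_ip_value(v)]
        if not owner:
            rejected.append((reader.line_num, "missing owner"))
        elif bad:
            rejected.append((reader.line_num, "bad asset value: " + bad[0]))
        else:
            owners.append({
                "owner": {"name": owner},
                "asset": {"name": (row.get("asset_name") or "").strip(),
                          "values": values,
                          "objects": _split(row.get("objects"))},
                "applications": (row.get("application") or "").strip(),
                "description": (row.get("description") or "").strip(),
            })
    return {"owners": owners}, rejected
```

Reviewing the rejected list before the import keeps rules from silently ending up without an owner; owner and object names still have to match SecureChange and SecureTrack exactly, which this offline check cannot confirm.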

Owner Request to Update Asset Allocation

An owner can decide that they are not the correct person to own the selected rules. When an owner selects this option, they can add comments to explain the reason that they want to be removed as owner. RLM removes the selected rules from the owner's list of waiting rules. The App Administrator receives an email and the request appears in the Owners > Requests page.

On this page, you can do the following:

  • View Rule Owner details: Click the link in the Username column to see the details of the owner and the rules from which they requested to be removed. This is a read-only drill-down page.

  • Remove a Rule Owner from rules: Select a row and, from the Actions list, select Resolve to remove the owner from the selected rules.