Required Workflow Configurations

Overview

RLM uses SecureChange tickets to implement certification decisions. These decisions include Rule Certification, Rule Decommission, and Rule Modification. Each ticket type requires a corresponding workflow configured with specific requirements.

We recommend creating dedicated workflows for RLM tasks. The Rule Certification workflow is mandatory, while Rule Decommission and Rule Modification workflows are optional. The sections below outline the required configurations for each.

Rule Certification Workflow (required)

This workflow allows Rule Owners to certify or decertify rules.

When you install RLM, a Rule Recertification workflow template is added to SecureChange. You can use this auto-generated template, create a new workflow, or use one of your existing workflows. Whichever you choose, you must ensure that the workflow contains all the necessary configurations.

The workflow must contain the following steps. Admins can add additional steps.

Open Request Step

  • Must be the first step.
  • RLM must be authorized to open tickets.

  • Fields tab: Must include the Rule Recertification field.

  • Assignments tab: The Ticket Requester must be among the assignees. You may add any additional assignees or select Any Participant.

Business Approval Step

  • Must be the second step.

  • Fields tab: Must include the Rule Recertification field.

  • Assignments tab: You have three options.

    • If you would like the step to be handled manually: Assign to any user you choose.

    • If you would like the step to be automatically handled by the RLM App Administrator: Assign to the Ticket Requester. The Automatically update rule recertification metadata option must be selected in RLM.

    • If you would like the step to be automatically handled within SecureChange: Assign to an account affiliated with a custom automation bot or script.

Update Meta Data Step

  • This must be the last step. If you wish to add additional steps, they must come before this step.

  • Fields tab: Must include the Rule Recertification field.

  • Assignments tab: You have three options.

    • If you would like the step to be handled manually: Assign to any user you choose.

    • If you would like the step to be automatically handled by the RLM App Administrator: Assign to the Ticket Requester. The Automatically update rule recertification metadata option must be selected in RLM.

    • If you would like the step to be automatically handled within SecureChange: Assign to an account affiliated with a custom automation bot or script.
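
The Rule Certification requirements above can be checked mechanically before the workflow goes live. The following is an added example, not Tufin code: the list-of-dicts layout, the function name, and the account names are constructed for illustration and are not a SecureChange export or API format. It assumes that selecting Any Participant also covers the Ticket Requester.

```python
FIELD = "Rule Recertification"
REQUESTER = "Ticket Requester"
REQUIRED = ("Open Request", "Business Approval", "Update Meta Data")

def check_certification_workflow(steps, auto_update_metadata):
    """Return findings; an empty list means every requirement listed above holds."""
    if len(steps) < 3:
        return ["workflow must contain the three required steps"]
    findings = []
    names = [s["name"] for s in steps]
    # Fixed positions: first, second and last. Extra steps go before the last one.
    for pos, want in ((0, REQUIRED[0]), (1, REQUIRED[1]), (len(steps) - 1, REQUIRED[2])):
        if names[pos] != want:
            findings.append(f"position {pos + 1}: expected '{want}', found '{names[pos]}'")
    for step in steps:
        name, assignees = step["name"], step.get("assignees", [])
        if name not in REQUIRED:
            continue
        if FIELD not in step.get("fields", []):
            findings.append(f"{name}: Fields tab lacks '{FIELD}'")
        if name == "Open Request":
            # Assumption: 'Any Participant' also covers the Ticket Requester.
            if REQUESTER not in assignees and "Any Participant" not in assignees:
                findings.append(f"{name}: '{REQUESTER}' is not among the assignees")
        elif not assignees:
            findings.append(f"{name}: no assignee")
        elif REQUESTER in assignees and not auto_update_metadata:
            # Assigning to the requester hands the step to RLM, which needs the option on.
            findings.append(f"{name}: assigned to '{REQUESTER}' but automatic "
                            "metadata update is not selected in RLM")
    return findings

# Constructed sample workflows (account names are made up).
GOOD = [
    {"name": "Open Request", "fields": [FIELD], "assignees": [REQUESTER]},
    {"name": "Business Approval", "fields": [FIELD], "assignees": ["svc-automation"]},
    {"name": "Security Review", "fields": [], "assignees": ["secops"]},
    {"name": "Update Meta Data", "fields": [FIELD], "assignees": [REQUESTER]},
]
BAD = [
    {"name": "Open Request", "fields": [], "assignees": ["secops"]},
    {"name": "Update Meta Data", "fields": [FIELD], "assignees": [REQUESTER]},
    {"name": "Business Approval", "fields": [FIELD], "assignees": []},
]

if __name__ == "__main__":
    for label, wf in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_certification_workflow(wf, auto_update_metadata=False) or "ok")
```
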

Rule Decommission Workflow (optional)

This workflow allows RLM to disable rules that have been decertified. The workflow will verify that the rule has changed before closing the ticket.

The workflow must contain the following steps. Admins can add additional steps.

Open Request Step

  • Must be the first step.
  • RLM must be authorized to open this step.
  • Fields tab: Must include the Rule Decommission field.

  • Assignments tab: The Ticket Requester must be among the assignees. You may add any additional assignees or select Any Participant.

Rule Decommission Step

Verifier Step

  • Must run Verifier to determine whether the rule has been updated and SecureTrack has accepted a new revision.

Rule Modification Workflow (optional)

This SecureChange workflow is not supported for all firewall devices.

When two Rule Owners submit conflicting decisions related to a single rule, RLM escalates the certification decision to an admin. The rule may need to be modified to remove one or more assets that should no longer be included in the Source/Destination. In that case, the admin will need to use a Rule Modification ticket to remove those assets from the rule.

See Resolve Certification Conflicts for more information.

The workflow must contain the following steps. Admins can add additional steps.

Open Request Step

Remove Decertified Networks