Administrative Settings User Interface Reference
Tip
For helpful information on the most important settings to define first, read Define These Settings First, page 2-2.
The following topics describe Security Manager settings administration:
• AutoLink Settings Page
• Configuration Archive Settings Page
• Customize Desktop Page
• Deployment Page
• Device Communication Page
• Device Groups Page
• Discovery Page
• Licensing Page
• Logs Page
• Policy Management Page
• Policy Objects Page
• Server Security Page
• Take Over User Session Page
• Token Management Page
• Workflow Page
AutoLink Settings Page
The Security Manager Map view provides a graphical view of your VPN and Layer 3 network topology. Using device nodes to represent managed devices and map objects to represent unmanaged objects such as devices, clouds, and networks, you can create topology maps with which to study your network. AutoLink settings enable you to exclude any one of five private or reserved networks from Map view. For example, you might want to exclude networks, such as test networks, that are not relevant to the management tasks you are using Security Manager to perform. For the procedure, see Working with AutoLink, page 2-45.
Navigation Path
Select Tools > Security Manager Administration, then click AutoLink.
Related Topics
• Displaying Layer 3 Links on the Map, page 4-22
• Displaying Your Network on the Map, page 4-16
• Understanding Maps, page 4-1
• Working With Maps, page 4-2
Field Reference
Table F-1 AutoLink Settings Page
Element | Description
IP addresses | Selected by default and grouped by category. There are five: three internal, one used for loopback testing, and one for multicast routing. Deselect to prevent these networks from appearing as map objects in map view.
Save button | Saves and applies changes.
Reset button | Resets changes to the last saved values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.
Configuration Archive Settings Page
From the Configuration Archive page, you can purge configuration file versions maintained for devices managed by Security Manager. Here you can also enter the TFTP server and directory information for Cisco IOS and Catalyst OS devices used during configuration rollback. For the procedure, see Defining Configuration Archive Settings, page 2-46.
Navigation Path
Select Tools > Security Manager Administration, then click Configuration Archive.
Related Topics
• Configuration Archive Window, page E-10
• Using the Configuration Archive Tool, page 17-9
Field Reference
Table F-2 Configuration Archive Settings Page
Element | Description
Max. Versions Per Device | Enter the maximum number of configuration versions you would like to retain for each device, once you click Purge Now. Acceptable values are 1 through 100.
Purge Now button | Click to delete all configuration versions in each device's archive greater than the number you entered in the Max. Versions Per Device text field.
TFTP Server for Rollback | Enter the server name or IP address for TFTP file transfers to be used for IOS devices only.
TFTP Root Directory | Enter the root directory for configuration file transfers on your TFTP server.
Save button | Saves and applies changes.
Reset button | Resets changes to the last saved values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.
Customize Desktop Page
Adjust your GUI timeout and 'Do Not Ask' settings from the Customize Desktop page. For the procedure, see Customizing Your Desktop, page 2-48.
Navigation Path
Select Tools > Security Manager Administration, then click Customize Desktop.
Field Reference
Table F-3 Customize Desktop Page
Element | Description
Reset 'Do Not Ask' on Warnings button | Click to reestablish 'are you sure' reminders.
Enable Idle Timeout | Select to enable the idle timeout for the user interface.
Idle Timeout (minutes) | Enter the number of minutes Security Manager waits for input before exiting the user from the system and closing the connection to the server. Default is 120 minutes.
Save button | Saves and applies changes.
Reset button | Resets changes to the last saved values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.
Deployment Page
Use the Deployment page to define the methods by which Security Manager deploys configurations to devices. To make changes for only a single device, see Editing Device Properties, page 5-79.
For the procedure, see Defining Deployment Settings, page 2-49.
Navigation Path
Select Tools > Security Manager Administration, then click Deployment.
Related Topics
• Managing Deployment, page 15-1
• Managing Objects, page 8-1
• Policy Object Manager General Reference, page C-28
Field Reference
Table F-4 Deployment Page
Element | Description
Deployment
Purge debugging files older than (days) | Enter a number greater than zero, representing the maximum number of days to retain debugging files.
Purge Now button | Click to delete debugging files older than the number of days specified in the text field. For example, if you change the number of days from 10 to 7, click Purge Now to immediately remove debugging files older than 7 days.
Default Deployment Method | Select one of the following as the default method for deploying configurations to devices:
• Device (default)—Configurations deploy directly to a device unless the device is unreachable.
• File—Configurations deploy to a file.
Directory | If you selected File as the default deployment method, enter a directory path where the file resides. You can click Browse to help you make your selection.
Note This field is required if you selected File as the default deployment method.
When out of band changes detected | Select one of the following when Security Manager detects changes made directly to the device CLI:
• Warn—Deployment proceeds, but a warning message is displayed.
• Cancel—Deployment stops.
• Skip—Deployment proceeds without checking for out-of-band changes.
Reference config source (deploy to file) | Specify the following deploy to file preferences:
• Archive (default)—Uses the most recently archived configuration against which to compare changes, then generates the CLI needed to be deployed.
• Device—Uses the current device configuration against which to compare changes, then generates the CLI needed to be deployed.
Reference config source (deploy to device) | Specify the following deploy to device preferences:
• Archive—Uses the most recently archived configuration against which to compare changes, then generates the CLI needed to be deployed.
• Device (default)—Uses the current device configuration against which to compare changes, then generates the CLI needed to be deployed.
Optimize the Deployment of Access Rules For | Choose one of the following for enabling firewall rule deployment:
• Speed—Increases deployment speed by sending only the delta (difference) between the new and old ACLs. This is the default and recommended option. By making use of the ACL line number feature, this approach selectively adds, updates, or deletes ACEs at specific positions and avoids resending the entire ACL. Since the ACL being edited is still in use, there is a very small chance that some traffic might be handled incorrectly between the time an ACE is removed and the time that it is added to a new position. The ACL line number feature is supported by most Cisco IOS, PIX and ASA versions, and becomes available in FWSM from FWSM 3.1(1). For those devices that do not support ACL line numbers, this option is ignored.
• Traffic—This approach inhibits traffic interruption by performing transaction-like ACL editing. At first, a temporary ACL is created that has the same content as the new ACL that is intended for deployment. This new ACL binds to the target interface. The old ACL is recreated with the same name but the content of the new ACL and also binds to the target interface. Lastly, the temporary ACL is deleted. This achieves seamless ACL switching and avoids possible traffic interruption caused by ACL editing. The cost is that deployment takes longer and uses more device memory before the temporary ACLs are deleted. This option is ignored for FWSM devices when the manual commit mode is.
Firewall Access-List Names | Determines how ACL names are deployed to devices.
• Reuse existing names—Recognizes user-defined ACL names that were configured on the device. See Preserving User-Defined ACL Names, page 11-6.
• Reset to CS-Manager generated names—Recognizes Security Manager auto-generated ACL names. See How ACL Names Are Generated, page 11-4.
Let FWSM decide when to compile access-lists | When selected, FWSM is set to automatic ACL compilation mode to determine when to compile access lists. Selecting this option might increase deployment speed but has potential negative impacts. Traffic might be disrupted and the system becomes incapable of reporting ACL compilation error messages.
When deselected, Security Manager takes control of ACL compilation to avoid traffic interruption and to minimize peak memory usage on the device. For more information, see Understanding Access Rules, page 11-10.
Caution You should not check this option unless you are otherwise experiencing deployment problems and are an advanced user.
Enable Advanced Debugging | When selected, Security Manager generates data files containing information about configuration generation, deployment, and discovery as these functions are performed. The intermediate data files are stored in a temporary directory that you can use for debugging.
Note Selecting this check box slows down product response time.
Allow Download on Error | When selected, enables deployments to devices (as opposed to a file) to continue even if there are minor device configuration errors.
Remove unreferenced ObjectGroups on device | When selected, any object groups that are not being used by other CLI commands are removed from devices during deployment.
Remove unreferenced access-lists on device | When selected, any access lists that are not being used by other CLI commands are removed from devices during deployment.
Copy running config to startup config | When selected, ensures that any changes to the device configuration for PIX, FWSM, ASA, or Cisco IOS devices are copied to the startup configuration for that device. Deselect to keep startup configuration as is.
Generate ACL Remarks During Deployment | When selected, displays ACL warning messages during deployment.
Optimize Network Object Groups During Deployment | When selected, optimizes network object groups when you generate configurations for PIX, FWSM, and ASA devices for deployment.
Preselect Devices with Undeployed Changes | When selected, devices with undeployed changes are preselected in the list.
Save button | Saves and applies changes.
Reset button | Resets changes to the last saved values.
Restore Defaults button | Resets values to Security Manager defaults. The default is to enable any configuration changes to be saved to startup configuration.
Close button | Closes the page.
Help button | Opens help for this page.
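The trade-off between the Speed and Traffic options in Table F-4, worked through as an added example that is not Security Manager code: it applies a positional delta to an in-use ACL and reports any probe packet whose verdict in an intermediate state differs from both the old and the new ACL. The ACE tuples, probe packets and function names are constructed for illustration, and Python's difflib stands in for Security Manager's delta calculation, which the page does not describe.

```python
from difflib import SequenceMatcher

# Constructed sample data. An ACE is (action, source, dest_port); "any" is a wildcard.
OLD_ACL = [
    ("permit", "10.1.1.10", 443),
    ("deny", "any", 23),
    ("deny", "any", 443),
    ("permit", "any", "any"),
]
# The new ACL only moves the telnet deny to the top.
NEW_ACL = [OLD_ACL[1], OLD_ACL[0], OLD_ACL[2], OLD_ACL[3]]
# Constructed probe packets as (source, dest_port).
PROBES = [("10.1.1.10", 443), ("10.9.9.9", 23), ("10.9.9.9", 443), ("10.9.9.9", 80)]


def verdict(acl, packet):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    src, port = packet
    for action, ace_src, ace_port in acl:
        if ace_src in ("any", src) and ace_port in ("any", port):
            return action
    return "deny"


def delta(old, new):
    """Positional edits (1-based line numbers) that turn old into new.

    Removals come first, matching the page's "removed ... then added to a
    new position" description. difflib is an assumed stand-in algorithm.
    """
    removes, adds = [], []
    matcher = SequenceMatcher(None, old, new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removes += [("remove", i + 1, old[i]) for i in range(i1, i2)]
        if tag in ("insert", "replace"):
            adds += [("add", j + 1, new[j]) for j in range(j1, j2)]
    # Remove from the bottom up so the remaining line numbers stay valid.
    return sorted(removes, key=lambda op: -op[1]) + adds


def states_speed(old, new):
    """Every ACL state the interface sees while the delta is applied in place."""
    acl, states = list(old), []
    for op, line, ace in delta(old, new):
        if op == "remove":
            del acl[line - 1]
        else:
            acl.insert(line - 1, ace)
        states.append(list(acl))
    return states


def states_traffic(old, new):
    """Temporary-ACL swap: the interface only ever sees a complete ACL."""
    return [list(new)]


def transient_mismatches(old, new, states, probes):
    """Probes whose verdict in an intermediate state matches neither old nor new."""
    found = []
    for step, acl in enumerate(states[:-1], start=1):
        for packet in probes:
            seen = verdict(acl, packet)
            if seen != verdict(old, packet) and seen != verdict(new, packet):
                found.append((step, packet, seen))
    return found


if __name__ == "__main__":
    for name, states in (("Speed", states_speed(OLD_ACL, NEW_ACL)),
                         ("Traffic", states_traffic(OLD_ACL, NEW_ACL))):
        print(name, transient_mismatches(OLD_ACL, NEW_ACL, states, PROBES))
```

In this sample the moved deny is briefly absent under the delta approach, so telnet traffic that both the old and new ACLs deny is permitted for one step; the swap approach has no intermediate state to check.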
Device Communication Page
Use the Device Communication page to define these settings:
• The number of seconds that Security Manager has to establish a connection with a device before timing out.
• The number of seconds Security Manager can spend blocked waiting for incoming data.
• Whether to use SSL, SSH, or TMS as the default transport protocol for contacting Cisco IOS devices.
• Whether and when to authenticate device certificates for devices that use SSL (firewall devices, FWSMs, ASAs, and Cisco IOS devices).
• Whether Security Manager applies changes to SSH keys made directly on the device.
For the procedure, see Defining Device Communication Settings, page 2-52.
Navigation Path
Select Tools > Security Manager Administration, then click Device Communication.
Related Topics
• Adding Devices from DCR, page 5-59
• Adding Devices from the Network, page 5-32
• Managing Devices, page 5-1
• Preparing the Devices for Security Manager to Manage, page 5-2
Field Reference
Table F-5 Device Communication Page
Element | Description
Device Connection Parameters
Device Connection Timeout | Enter the number of seconds that Security Manager has to establish a connection with a device before timing out.
Retry Count | Enter the number of times that Security Manager tries to establish a connection before failing. The default value is 3. An error message is displayed when the last attempt (the third by default, or the number you enter) to connect to the device fails.
Socket Read Timeout | (For SSH sessions only.) Enter the maximum number of seconds Security Manager can spend blocked waiting for incoming data. If no incoming data is received within this period, an error is displayed.
Transport Protocol (IOS Router) | Select SSL, SSH, or TMS transport protocol to use when contacting Cisco IOS devices. For more information, see Preparing the Devices for Security Manager to Manage, page 5-2.
SSL
Device Authentication Certificates | • Select Retrieve while adding devices to enable Security Manager to automatically obtain certificates from devices while you add one or more devices from the network or DCR. Security Manager calculates the device certificate thumbprints and stores the calculated thumbprints in the certificate data store. For information and procedures, see Adding Devices to the Security Manager Inventory, page 5-29.
• Select Manually add certificates to prevent Security Manager from automatically accepting certificates from the Adding Devices from the Network or the Adding Devices from DCR wizards. For device addition to succeed, you must first add the device thumbprint manually, either by clicking Add Certificate or from the Device Properties pages. See Adding Certificates for Firewall Devices, FWSMs, ASAs, and Cisco IOS Devices, page 2-55.
• Select Do not use certificate authentication to prevent automatic certificate validation for devices using SSL.
Add certificate button | Opens the Add Certificate Dialog Box. See Add Certificate Dialog Box.
SSH
Overwrite SSH Keys | • Select to allow Security Manager to apply changes in the device's SSH keys when they are updated directly on the device.
• Deselect this check box with caution, and only if a greater level of security is necessary. Security Manager does not communicate with the device if keys are changed on the device.
Save button | Saves and applies changes.
Reset button | Resets changes to the last saved values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.
Add Certificate Dialog Box
Security Manager gives you the option of adding device certificates manually for devices that use the SSL transport protocol (firewall devices, FWSMs, ASAs, and Cisco IOS devices). Adding the device certificates manually gives you the highest level of security because an intruder is prevented from introducing a fraudulent certificate thumbprint. Device certificates are stored in the database to be used for device authentication.
For the procedure, see Adding Certificates for Firewall Devices, FWSMs, ASAs, and Cisco IOS Devices, page 2-55.
Navigation Path
Tools > Security Manager Administration, then click Device Communication. Click Add Certificate....
Field Reference
Table F-6 Add Certificate Dialog Box
Element | Description
Host Name or IP Address | Hostname or IP address of the device from which you are retrieving the certificate.
Certificate Thumbprint | The string of hexadecimal digits that is unique to each device certificate.
OK button | Initiates device contact and adding of certificate thumbprint.
Cancel button | Cancels operation and closes the page.
Help button | Opens help for this page.
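The three Device Authentication Certificates settings from Table F-5 and the manual thumbprint entry described for the Add Certificate dialog box, modelled as an added example that is not Security Manager code: it shows which setting accepts a substituted certificate that answers while a device is being added. The class, function and host names are hypothetical, the certificates are constructed byte strings, and SHA-1 is an assumed thumbprint algorithm because the page does not name one.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_DER = b"constructed-der-bytes-of-the-device-certificate"
ROGUE_DER = b"constructed-der-bytes-of-a-substituted-certificate"


def thumbprint(der, algorithm="sha1"):
    """Hex digest over the certificate encoding; the algorithm is an assumption."""
    return hashlib.new(algorithm, der).hexdigest()


def normalize(text):
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' as an operator might type it."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("thumbprint must consist of hexadecimal digits")
    return cleaned


class ThumbprintStore:
    """Hypothetical model of the certificate data store and its three settings."""

    MODES = ("retrieve", "manual", "none")

    def __init__(self, mode):
        if mode not in self.MODES:
            raise ValueError("unknown mode: %r" % (mode,))
        self.mode = mode
        self.pins = {}

    def add_certificate(self, host, typed_thumbprint):
        """Manual entry, as in the Add Certificate dialog box."""
        self.pins[host] = normalize(typed_thumbprint)

    def _matches(self, host, der):
        pinned = self.pins.get(host)
        return pinned is not None and hmac.compare_digest(pinned, thumbprint(der))

    def add_device(self, host, presented_der):
        """Return True when the device is accepted into the inventory."""
        if self.mode == "none":
            return True
        if self.mode == "retrieve":
            # Whatever certificate answers at add time becomes the stored pin.
            self.pins[host] = thumbprint(presented_der)
            return True
        return self._matches(host, presented_der)

    def connect(self, host, presented_der):
        """Later connections are checked against the stored thumbprint."""
        return self.mode == "none" or self._matches(host, presented_der)


def substitution_at_add_time(mode):
    """A substituted certificate answers while device 'fw1' is being added.

    Returns (substitute accepted at add time, genuine device accepted later).
    """
    store = ThumbprintStore(mode)
    if mode == "manual":
        # Thumbprint obtained out of band and typed in before adding the device.
        store.add_certificate("fw1", thumbprint(GENUINE_DER).upper())
    accepted_substitute = store.add_device("fw1", ROGUE_DER)
    genuine_later = store.connect("fw1", GENUINE_DER)
    return accepted_substitute, genuine_later


if __name__ == "__main__":
    for mode in ThumbprintStore.MODES:
        print(mode, substitution_at_add_time(mode))
```

With automatic retrieval the substitute's thumbprint is stored and the genuine device then fails the check; with a manually entered thumbprint the substitute is rejected at add time.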
Device Groups Page
Use the Device Groups page to create group types and groups, delete groups, and modify group names.
Navigation Path
Select Tools > Security Manager Administration > Device Groups.
Related Topics
• Understanding Device Grouping, page 5-84
• Working With Groups, page 5-86
Field Reference
Table F-7 Device Groups Page
Element | Description
Groups | Displays group types, groups, and subgroups.
Add Type button | Creates a new group type.
Add button | Creates a group or subgroup.
Save button | Saves your changes and closes the page.
Reset button | Restores all fields to their previous values.
Close button | Closes the page without saving your changes.
Help | Opens help for this page.
Discovery Page
From the Discovery page you can define how long to keep a record of discovery and device-import tasks. Any tasks older than the number of days you specify will be deleted. You can also determine whether to substitute any matching named objects that are already defined in Security Manager for any inline values found in the CLI, and whether to roll back all policies if an error is encountered during policy discovery. For the procedure, see Defining Discovery Settings, page 2-57.
Navigation Path
Select Tools > Security Manager Administration, then click Discovery.
Related Topics
• Frequently Asked Questions about Policy Discovery, page 6-10
• Understanding the Policy Object Manager Window, page 8-5
Field Reference
Table F-8 Discovery Page
Element | Description
Prepend Device Name when Generating Security Context Names | Selecting this check box prepends device names (that is, the device display names) when generating security context names. This turns off the Security Manager default naming method.
Note By selecting this option, you disable Security Manager's method for ensuring unique names. Instead, Security Manager will append a number to any duplicate name it encounters. (So, for example, the name "mydevice" when encountered a second time would be rendered as "mydevice_01".)
Purge discovery tasks older than (days) | The number of days to save discovery and device-import tasks. Tasks older than the number of days you enter are deleted.
Reuse policy objects for inline values | When selected, substitutes any named policy objects, such as IP addresses, already defined in Security Manager for inline values in the CLI. For more information on policy objects, see Managing Objects, page 8-1.
Allow Device Override for Discovered Policy Objects | For certain types of objects, selecting this check box enables you to override the parent object values at the device level. For more information, see Overriding Global Objects for Individual Devices, page 8-250.
On error, rollback discovery for entire device | When selected, rolls back all discovered policies if even one error is encountered for a single policy. When deselected, Security Manager keeps the policies successfully discovered and discards only those policies with errors. For more information on policy discovery, see Discovering Policies, page 6-5.
Save button | Saves your changes to the Security Manager database.
Reset button | Resets changes to the previously applied values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.
Licensing Page
From the Licensing page you can view a record of installed licenses and install new licenses from Cisco.com or from a server to which a new license has been sent. For the procedure, see Installing License Files, page 2-58.
Navigation Path
Select Tools > Security Manager Administration, then click Licensing.
Field Reference
Table F-9 Licensing Page
Element | Description
License Information | License summary displaying all relevant information about the license currently registered with the product: Edition, License Type, Install Time, Expiration, Number of Licensed Devices, Number of Devices in Use.
Install License | Displays record of installed licenses and installation dates.
Install a License button | Click to obtain license file from Cisco.com or hard drive.
Close button | Closes the page.
Help button | Opens help for this page.
Logs Page
When state changes occur in Security Manager, an event is generated and an audit entry is created in the audit log. You can display the aggregated results of the audit entries by defining the parameters in the Audit Report page. The System Administration Logs page allows you to determine how long to keep log files archived. For the procedure, see Archiving Log Files, page 2-61.
Navigation Path
Select Tools > Security Manager Administration, then click Logs.
Related Topics
• Audit Report Page, page E-6
• Understanding Audit Reports, page 17-6
Field Reference
Table F-10 Logs Page
Element | Description
Keep Audit Log For (days) | Enter the number of days to save audit report entries before deleting them. This field is used with the Purge Audit Log after (entries) field. Entries are deleted based on the number of days or entries, whichever maximum is reached first.
Purge Now button | Click to immediately purge entries older than the number of days specified in the Keep Audit Log For field.
Purge Audit Log after (entries) | Enter the maximum number of audit report entries to save. This field is used in conjunction with the Keep Audit Log For (days) field. Entries are deleted based on the number of days or entries, whichever maximum is reached first.
Keep Operation Log For (days) | Enter the number of days that Security Manager keeps operation logs before deleting them. These logs are used for debugging purposes.
Log Level | Select the level of information, according to severity, that you would like collected in the operation logs. Valid choices are Severe, Warning, and Info. Each level collects different amounts of data. For example, the Info level yields the most data, and the Severe level collects the least.
Note If you select the Info level (greatest amount of data), system performance might be slower than expected.
Save button | Saves your changes to the Security Manager database.
Reset button | Resets changes to the previously applied values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.
Policy Management Page
Customizing policy management settings on a Cisco IOS router makes it possible, for example, to use Security Manager to manage DHCP and NAT policies on Cisco IOS routers while leaving routing protocol policies, such as EIGRP and RIP, unmanaged. These settings, which can be modified only by a user with administrative permissions, apply globally in Security Manager.
Unmanaged policies are removed from both Device view and Policy view. Any unmanaged policies, local or shared, are removed from the Security Manager database.
You cannot unmanage a policy type if you have configured and assigned policies of that type in Security Manager. You must first remove the assignments and then unassign the policy type. If the configurations defined by those policies have already been deployed, these configurations are left in place on the devices, but the policies are no longer stored in the database or accessible from the Security Manager interface. For the procedure, see Defining Policy Management Settings, page 2-63.
Navigation Path
Select Tools > Security Manager Administration, then click Policy Management.
Related Topics
• Advanced Policy Features, page 6-44
• Managing Policies, page 6-1
• Managing Routers, page 12-1
• Managing Shared Policies in Policy View, page 6-35
• Understanding Policies, page 6-1
Field Reference
Table F-11 Policy Management Page
Element | Description
Policies to Manage | Displays the router platform policies that Security Manager manages, organized by category (NAT, Router Platform). By default, all policies are selected. Deselect for each router platform policy that should be left unmanaged by Security Manager. Deselecting the check box for a group of policies deselects all policies in that group.
Note Unmanaged policies are removed from the Policy selectors in Device view and Policy view.
Save button | Saves your changes to the Security Manager database.
Reset button | Resets changes to the previously applied values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.
Policy Objects Page
Use the Policy Objects page to define these policy object settings:
• The warning behavior of Security Manager when identical objects are found.
• The default source ports for service objects.
For the procedure, see Defining Policy Object Settings, page 2-65.
Navigation Path
Select Tools > Security Manager Administration, then click Policy Objects.
Related Topics
• Managing Objects, page 8-1
Field Reference
Table F-12 Policy Objects Page
Element | Description
When Redundant Objects Detected (Conflict Detection) | Defines the action you want Security Manager to take when you try to create a policy object that has the same definition as an existing object:
• Ignore—You can freely create objects with identical definitions. Any conflicts are ignored by Security Manager.
• Warn—Security Manager displays a warning if you attempt to create an object that is identical to an existing object. You may proceed to create the object, if you wish.
• Enforce—Security Manager prevents you from creating an object that is identical to an existing object. An error message is displayed.
For more information, see Guidelines for Managing Objects, page 8-3.
Default Source Ports | Defines the port range value that is used as the default source port range for service objects. Options are:
• Use all ports—Includes all ports from 1 to 65535.
• Use secure ports—Includes all ports from 1024 to 65535.
Note If you change the default source port (Use all ports), you must manually redeploy any previously deployed devices that might be affected. These changes might not be reflected in any open activities, until you refresh the data.
For more information on objects, see Working with Port List Objects, page 8-171.
Save button | Saves your changes to the Security Manager database.
Reset button | Resets changes to the previously applied values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.
Server Security Page
Common Services provides the administrative functions that control a user's access in Security Manager. Security Manager provides access to these functions through the Application Security page. The buttons on the Application Security page open Common Services functions.
When you log in to Security Manager, your username and password are compared with the account information stored in the CiscoWorks or Cisco Secure Access Control Server (ACS) database, depending on which you established at installation as your AAA provider. After the authentication of your credentials, you have access according to the role you have been assigned.
For more information on Security Manager roles and privileges, including descriptions of how Common Services roles translate to user functions in Security Manager, see Setting Up User Permissions, page 2-2. For the procedure, see Working with Server Security, page 2-66.
Navigation Path
Select Tools > Security Manager Administration, then click Application Security.
Field Reference
Table F-13 Security Page
Element | Description
AAA Setup button | Opens Common Services and displays AAA Mode Setup page. This option enables you to set AAA as your fallback sign-on method. For more information about AAA, click Help from that page.
Certificate Setup button | Opens Common Services and displays the Self-Signed Certificate Setup page. CiscoWorks enables you to create self-signed security certificates, which you can use to enable SSL connections between your client browser and management server. For more information about self-signed certificates, click Help from that page.
Single Sign On button | Opens Common Services and displays the Single Sign-On Setup page. With Single Sign On (SSO), you can use your browser session to transparently navigate to multiple CiscoWorks servers without having to authenticate to each of them. Communication between multiple CiscoWorks servers is enabled by a trust model addressed by certificates and shared secrets. For more information about setting up single sign-on, click Help from that page.
Local User Setup | Opens Common Services and displays the Local User Setup page. You can use this page to add and delete users, edit user settings, and assign roles or permissions.
System Identity Setup | Opens Common Services and displays the System Identity Setup page. Communication between multiple CiscoWorks servers is enabled by a trust model addressed by certificates and shared secrets. System Identity setup helps you to create a trust user on servers that are part of a multi-server setup. This user enables communication between servers that are part of a domain. There can only be one System Identity User for each machine. For more information about system identity setup, click Help from that page.
Close button | Closes the page.
Help button | Opens help for this page.
Take Over User Session Page
A user with administrative privileges can take over the work of another user from the Take Over User Session page in non-Workflow mode. This feature is useful when a user is working on devices and policies, causing the devices and policies to be locked, and another user needs access to the same devices and policies. For the procedure, see Taking Over Another User's Work, page 2-67.
Navigation Path
Select Tools > Security Manager Administration, then click Take Over User Session.
Related Topics
• Activities and Multiple Users, page 7-5
• Understanding Activities, page 7-2
• Understanding Activity States, page 7-5
Field Reference
Table F-14 Take Over User Session Page
Element | Description
User | Shows the username of the person who changed the state of the activity.
Session State | Displays the state of the activity. See Understanding Activity States, page 7-5 for a list of valid states.
Take over session button | Transfers changes made by the selected user to the currently logged in user. Any changes that have not already been committed are discarded.
Note If the selected user is logged in at the time changes are taken over, the user receives a warning message, loses the changes in progress, and then is logged out.
Close button | Closes the page.
Help button | Opens help for this page.
Token Management Page
Security Manager uses FTP to deploy the configuration file to the Token Management System (TMS) server, from which it can be downloaded and encrypted onto an eToken. Security Manager uses the server settings and passwords you provide to connect to the TMS server. For the procedure, see Defining TMS (Token Management System) Settings, page 2-68.
Note
To use TMS with Cisco IOS routers, you must specify TMS as the transport protocol in the device properties. (This is set by going to Device properties > DCS settings > Transport protocols. See Editing Device Properties, page 5-79.) You must also configure the TMS server as an FTP server, otherwise deployment will fail.
Navigation Path
Select Tools > Security Manager Administration, then click Token Management.
Related Topics
• Device Communication Page
• Preparing the Devices for Security Manager to Manage, page 5-2
• Understanding Deployment Methods, page 15-11
Field Reference
Table F-15 Token Management Page
Element | Description
Server Name or IP Address | Enter the hostname or IP address for the TMS server.
Username | Enter the username Security Manager uses to sign onto the TMS server.
Password | Enter the password Security Manager uses to sign onto the TMS server.
Confirm Password | Re-enter the password. This action verifies that this password matches the one entered in the previous field.
Directory in the TMS for Config Files | Enter the directory on the TMS server where deployed configuration files will be downloaded. The "." character is the default FTP location on the TMS server.
Public Key File Location | Location of the public and private key files on the TMS server. Security Manager uses the public key to encrypt data sent to the TMS server. Then the server uses its private key to decrypt the data. Security Manager comes with a default public key that matches the default private key on the server. Note: If needed, you can generate a new pair of public and private keys using the TMS server. If you do this, you need to copy the new public key to the Security Manager server.
Browse button | Allows you to search your hard drive to locate the public key file directory.
Save button | Saves and applies changes.
Reset button | Resets changes to the last saved values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.
Workflow Page
Security Manager has two main workflow modes:
• Workflow mode (with and without approvers)
• Non-Workflow mode (default)
The workflow mode you choose depends on your organizational structure and the level of control you wish to have over changes to the network. For the procedure to enable or disable Workflow mode, see Selecting a Workflow Mode, page 2-40.
Navigation Path
Select Tools > Security Manager Administration, then click Workflow.
Related Topics
• Managing Activities, page 7-1
• Managing Deployment, page 15-1
Field Reference
Table F-16 Workflow Page
Element | Description
Workflow Control
Enable Workflow | Select to enable Workflow mode. When Workflow mode is enabled, you can select whether to have an approver for activities and jobs. See the fields below. For information on the differences between workflow modes, see Working in Workflow Mode, page 2-40.
Require Activity Approval | Select to enable activity approval. If the check box is selected, an approver is required. A deselected check box means no approver is necessary. For more information about the differences between working with and without an approver, see Activity Approval, page 7-3.
Require Deployment Approval | Select to enable deployment job approval. If the check box is selected, an approver is required. A deselected check box means no approver is necessary. For more information about the differences between working with and without an approver, see Understanding Deployment, page 15-1.
Default Approvers
Activity Approval Email | Enter the default email address for the person responsible for approving activities. Only one approver email can be entered. If necessary, you can replace the default email address with a different one when submitting an activity to an approver. For more information, see Submitting an Activity for Approval, page 7-14.
Job Approval Email | Enter the default email address for the person responsible for approving deployment jobs. Only one approver email can be entered. If necessary, you can replace the default email address with a different one when submitting an activity to an approver. For more information, see Submitting Deployment Jobs, page 15-50.
Workflow History
Keep Activity for (days) | Do one of the following: • Enter the number of days that activity information is kept in the Activity table. Valid values are 1-180 days. The default is 30 days. Note: To keep information longer than the maximum number of days, you need to perform a backup. For more information, see Backup and Restore, page 17-17. • Click Purge Now to delete all activities older than the number of days specified in the Keep Activity for (days) field.
Keep Job for (days) | Do one of the following: • Enter the number of days that job deployment information is kept in the Deployment table. Valid values are 1-180 days. The default is 30 days. Note: To keep information longer than the maximum number of days, you need to perform a backup. For more information, see Backup and Restore, page 17-17. • Click Purge Now to delete all jobs older than the number of days specified in the Keep Job for (days) field.
Save button | Saves your changes to the Security Manager database.
Reset button | Resets changes to the previously applied values.
Restore Defaults button | Resets values to Security Manager defaults.
Close button | Closes the page.
Help button | Opens help for this page.