Table Of Contents

Managing Activities

Understanding Activities

Benefits of Activities

Activity Approval

Activities and Locking

Activities and Multiple Users

Understanding Activity States

Working with Activities

Accessing Activity Functions

Creating an Activity

Opening an Activity

Closing an Activity

Validating an Activity

Submitting an Activity for Approval

Approving or Rejecting an Activity

Understanding Activity Change Reports

Discarding an Activity

Displaying Activity Details

Displaying Activity History

Managing Activities

---

When using Workflow mode, all policy definition and assignment tasks must be done within the context of an activity. If you are using non-Workflow mode (the default mode of operation in Security Manager), you do not need to create and manage activities. For more information, see Working in Non-Workflow Mode, page 2-41.

The following topics provide information about activities:

•Understanding Activities

•Working with Activities

–Creating an Activity

–Opening an Activity

–Closing an Activity

–Validating an Activity

–Submitting an Activity for Approval

–Approving or Rejecting an Activity

–Understanding Activity Change Reports

–Discarding an Activity

Understanding Activities

An activity is a temporary context within which you define policies and assign them to devices. You need not create an activity to import or create devices. However, you do need to create an activity or open an existing activity before you define policies or assign them to devices.

When you create an activity, you open a virtual copy of the Security Manager policy database. You define and assign policies within this copy. Changes that you made within this copy are only available within the copy. Other users in different activities cannot see these changes. After the activity is submitted and approved, the changes within this copy are committed to the database so that all other users can view the changes.

Then, you can create a deployment job to generate the relevant CLI commands and deploy them to the devices.

---

Note If you try to define or assign policies before you open an activity, a message prompts you to either create a new activity or open an existing activity.

---

The following topics describe why activities are important and how they operate in Workflow mode:

•Benefits of Activities

•Activity Approval

•Activities and Locking

•Activities and Multiple Users

•Understanding Activity States

Benefits of Activities

You use activities to control changes made to policies and policy assignments. Although how activities are implemented depends on the workflow settings you choose, however all activities provide the following benefits:

•Audit trail—Activities track changes that are made in Security Manager. You can use this information to determine what changes were made and who made the changes. For more information, see Displaying Activity History.

•Safety mechanism—Activities provide a means for experimenting with changes. You can make changes using an activity, then view the configuration that results from those changes. If you do not want to implement the changes, you can discard the activity. For more information, see Discarding an Activity.

•Task isolation—When you create an activity, the policies that are modified within that activity are locked from being modified within other activities. This prevents conflicting changes that could make a policy unstable. For more information, see Activities and Locking.

In addition, the changes you make within an activity are visible only within the activity. Other users will see only the last approved committed configurations, unless they view your activity before you close it.

Activity Approval

When you enable Workflow mode, you can choose to operate with or without an activity approver.

If your organization requires a different person with higher permissions to approve activities, you can enable workflow with an approver. When using Workflow mode with an approver, the activity must be approved by a person with the appropriate permissions so the policies can be committed to the database. This approval process at the policy definition level helps to ensure that no inappropriate configurations reach the network devices.

If you choose to operate without an approver, the person defining the policies has the permissions to approve them.

---

Note For information about enabling or disabling activity approval and changing the default activity approver, see Chapter 2, "Performing Administrative Tasks."

---

Activities and Locking

Activities introduce a locking model. This is useful in large networks where several people have the authority to make configuration changes. It prevents two or more people from making changes to the same feature policy, policy assignment, or object at the same time.

In addition, Security Manager uses locking to ensure that operations related to the committed configuration always run exclusive of one another. These operations can be divided into two categories:

Operations that change the committed configuration:

•Activity approval

•Device deletion

•Editing device properties

Operations that read the committed configuration:

•Configuration preview

•Deployment (in non-Workflow mode)

•Creation of deployment job (in Workflow mode)

•Activity validation

If you are performing an operation that changes the committed configuration, you cannot perform any of the operations in either list until this operation is complete. An error message is displayed if you try. For example, if you are approving an activity (which occurs automatically when an activity is submitted in non-Workflow mode), you cannot delete a device or validate a different activity until the approval is complete. This type of locking is particularly important in multi-user settings as it prevents multiple users from simultaneously making changes to the committed configuration.

If you are performing an operation that reads the committed configuration, you cannot perform an operation that changes the committed configuration. For example, if you are validating an activity, another user cannot approve an activity. However, you may perform another operation that reads the configuration. For example, if you are validating an activity, another user can create a deployment job. Similarly, if you are previewing the configuration before deployment, another user is permitted to do the same. This is because these two operations are limited to reading the committed configuration; they do not make any changes to it.

Related Topics

•Understanding Locking, page 6-48

•Approving or Rejecting an Activity

•Deleting Devices from the Security Manager Inventory, page 5-83

•Defining Device Properties, page 5-77

•Working with Deployment, page 15-31

•Validating an Activity

Activities and Multiple Users

Only one user can define or change policies within an individual activity at one time. However, when Workflow mode is enabled, multiple users can work in the activity in sequence. That is, if an activity is closed (but not yet approved or submitted for approval), another user can open it and make changes to it. Multiple users can work in parallel in different activities.

Understanding Activity States

An activity has four primary states:

•Edit Open—Policy changes can be made within the selected activity. The activity remains in this state until it is submitted for approval, approved, or deleted. The activity can be opened, closed, and edited any number of times while it is in this state. The policies, policy assignments (devices being assigned policies), and objects being configured or modified in the activity are locked. That is, they cannot be configured or modified within the context of another activity. The configuration changes can be seen only in the context of the current activity.

If the browser session terminates while you are editing an activity, Security Manager prompts you to save your changes, then closes the activity.

•Submitted—The activity was submitted for approval. (This state is available only if you have Workflow mode enabled with activity approval required. For more information, see Chapter 2, "Performing Administrative Tasks.") No further changes can be made within the activity. The policies, devices (through policy assignment), or objects affected by the policy changes remain locked to other activities.

When an activity is submitted, an email is sent to the approver. The approver can open the activity (in read-only mode) to review the changes within the activity, then approve or reject it. An approved activity moves to the approved state. A rejected activity returns to the Edit state.

•Approved—The activity was approved by a person with activity approval permissions. The policies defined within the activity are committed and ready to be deployed to devices or to a file. The devices affected by the policy changes are no longer locked to other activities.

•Rejected—The activity was reviewed and rejected by a person with activity approval permissions. The policies defined within the activity are not committed. The activity returns to the Edit state and the devices affected by the policy changes remain locked to other activities.

Figure 7-1 shows the stages in the activity workflow without an approver (default). Figure 7-2 shows the stages in the activity workflow with an approver.

For a complete list and descriptions of activity states, see Activity States, page G-4.

Figure 7-1 Activity Workflow without an Approver

Figure 7-2 Activity Workflow with an Approver

Working with Activities

The following topics provide information to help you use activities:

•Accessing Activity Functions

•Creating an Activity

•Opening an Activity

•Closing an Activity

•Validating an Activity

•Submitting an Activity for Approval

•Approving or Rejecting an Activity

•Discarding an Activity

Accessing Activity Functions

You can access activity management functions in the following ways:

•Select Tools > Activity Manager. The Activity Manager window contains a list of existing activities and their states. From this window, you can create new activities, and open, close submit, approve, reject, or discard existing activities. For more information, see Activity Manager Window, page G-1.

•Click a button in the main toolbar. The activity management buttons that are active in the main toolbar vary according three factors:

–Whether workflow is turned on with or without an approver. In Workflow mode with an approver, the main toolbar buttons allow you to create, open, close, submit, approve, reject, and discard activities. In Workflow mode without an approver, the main toolbar buttons allow you to create, open, close, submit, and discard activities.

–The state of the activity. For example, if no activity is open, the Open An Activity button is provided, while the Close Activity button is not provided.

–Users permissions. If the user who is logged in does not have activity approval permissions, the Approve button is not visible.

For descriptions of the buttons on the main toolbar, see Table 7-1.

Table 7-1 Main Toolbar Buttons—Workflow Mode Enabled

Button	Description
	Creates a new activity.
	Opens an activity. You can open an activity when it is in the Edit or the Submitted state. To open a submitted activity, you must have user privileges to approve or reject changes made in that activity. For more information, see Setting Up User Permissions, page 2-2.
	Saves all changes made while the activity was open and closes it. You can close an activity when it is in the Edit Open or the Submit Open state.
	Generates change data and produces an Activity Change Report in PDF format in a separate window. For more information, see Understanding Activity Change Reports
	Submits the activity for approval. You can submit an activity when it is in the Edit or the Edit Open state.
	Approves the changes proposed in an activity. You can approve an activity when it is in the Submitted state. You must have user privileges to accept the changes proposed in an activity. For more information, see Setting Up User Permissions, page 2-2. This action is not available in Workflow mode without an approver.
	Rejects the changes proposed in an activity. You can reject an activity when it is in the Submitted or Submitted Open state. You must have user privileges to deny changes proposed in an activity. For more information, see Setting Up User Permissions, page 2-2. This action is not available in Workflow mode without an approver.
	Discards the selected activity. The activity is discarded and later purged from the system when you perform the purge action, either automatically as set in the Workflow Management page or manually. The activity state is shown as discarded until the activity is actually purged from the system.
	Validates the integrity of changed policies within the current activity.

Creating an Activity

This procedure describes how to create an activity.

Before you create or change policies or assign policies to devices, you must create an activity.

Procedure

---

Step 1 Click Create in the main toolbar.

The Create Activity dialog box appears.

Step 2 In the Activity Name field, keep the default name (username, date, and time the activity was created) or enter a logical, unique name that reflects the contents of the activity.

Step 3 In the Comment field, enter a brief description of the activity or other pertinent information.

Step 4 Click OK.

The activity is listed by name in the Activity Manager window. For more information, see Activity Manager Window, page G-1.

---

Related Topics

•Understanding Activities

•Create Activity Dialog Box, page G-7

Opening an Activity

This topic describes how to open an activity.

You can open an existing activity if no one else has it opened. You might open an existing activity in the Edit state to make further policy changes, or you might open an existing activity in the Submitted state to review proposed policy changes before approving or rejecting it (if you have the appropriate permissions and you are working in Workflow mode with an approver). For more information, see Chapter 2, "Performing Administrative Tasks."

---

Note submitted activity opens in read-only mode.

---

To open an activity, do one of the following:

•Click the Open button in the main toolbar. From the Openable activities dialog box, select the activity you want to open, then click OK.

•Select Tools  > Activity Manager. From the Activity Manager window, select the activity you want to open, then click Open.

Related Topics

•Understanding Activities

Closing an Activity

You can close an activity without approving it (or submitting it for approval) if you or others want to continue configuring policies at a later time.

---

Note A person with administrator privilages can close an activity opened by another user.

---

To close an open activity, do one of the following:

•Click the Close button in the main toolbar.

•Select Tools  > Activity Manager. From the Activity Manager window, click Close.

Related Topics

•Understanding Activities

Validating an Activity

Security Manager validates activities when you submit them for approval, or you can validate an activity at any time while you are creating and changing policies in an activity. After an activity is submitted, the validation report remains static.

The validation process checks the following and displays a report of the results:

•Policy integrity—There are no unresolvable references (for example, missing objects, unresolved Interface Roles, overrides of Mandatory settings, and so on).

•Policy deployability—The platform, OS, and configured features are supported by the target devices so that policies can be correctly translated into CLI commands.

•FlexConfig integrity—Makes sure there are no corrupted FlexConfig objects. If corrupted objects are found, a warning with a list of the corrupted FlexConfig objects results.

•FlexConfig syntax—If syntax errors are found, a warning with a list of affected FlexConfigs and their syntax errors results.

•FlexConfig object references—Makes sure object references are resolvable. If FlexConfig objects reference non-existent objects, a warning with a list of the missing objects results.

---

Note If you finish working on an activity, you can submit it, and the validation process runs. For more information, see Submitting an Activity for Approval.

---

Procedure

---

Step 1 Do one of the following:

•Open an activity, then click the Validate button on the main toolbar.

•Select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Validate.

Security Manager performs the validation. If no errors are found, an informational message shows that the validation passed. If errors are found, the Validation dialog box appears. The Validation dialog box contains detailed error information organized in two tabs. You must correct these errors before submitting the activity. Security Manager does not allow an activity to be submitted with validation errors.

---

Note A validation warning (as opposed to an error) will not prevent activity approval or deployment.

---

Step 2 Click the desired tab to display its contents. The following topics contain information about these tabs:

•Errors Tab, page G-12

•Devices Tab, page G-14

---

Related Topics

•Validation Dialog Box, page G-12

Submitting an Activity for Approval

This procedure describes how to submit an activity for approval.

After you finish creating, changing, or assigning policies within the activity, you must submit the activity for approval. When you submit it, the integrity and deployability of the activity is validated. For details about the validation process and report, see Validating an Activity.

The activity is also closed so that it can be opened by the user who has the permissions to approve it. When the activity is approved, its configurations are committed to the Security Manager database, and they can be deployed to the devices.

When you submit an activity, you can send email to the relevant approvers to notify them that an activity requires approval.

---

Note By default, submission of activities for approval is disabled in the Workflow dialog box (Tools > Security Manager Administration > Preferences > Workflow). This means that the submission step is not required and you can approve the activity yourself (if you have the appropriate permissions). An administrator can change activity approval settings in the Workflow dialog box if the organization requires one set of users to define configurations and another set to approve and commit them. For more information about changing activity approval settings, see Chapter 2, "Performing Administrative Tasks."

---

Procedure

---

Step 1 Do one of the following:

•Open an activity and click the Submit button on the main toolbar.

•Select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Submit.

The Submit Activity dialog box appears.

Step 2 In the Approver field, keep the default email address of the person assigned activity approval permissions or enter the email address of another person. This person receives notification of your submission.

---

Note The default email address is set in Tools > Security Manager Administration > Preferences > Workflow.

---

Step 3 In the Comment field, enter a brief description of the changes included in the activity or other pertinent information.

Step 4 Click OK. The activity status changes to Submitted in the Activity Manager window.

---

Note If the email does not reach the recipient, Security Manager displays a message indicating that the email server is unreachable, and you must contact the approver directly.

---

---

Related Topics

•Understanding Activities

•Submit Activity Dialog Box, page G-8

Approving or Rejecting an Activity

This procedure describes how to approve or reject an activity.

If you have activity approval permissions, you can open a submitted activity, review the policies and policy assignments, and then either approve or reject the activity.

If you approve the activity, policies and policy assignments are committed to the database and are ready to be deployed to devices or files. Devices associated with the activity are unlocked, meaning they can be included in policy definitions and changes in other activities.

If you reject the activity, the submitter can reopen the activity to make the necessary changes and resubmit it for approval. Devices associated with the activity are not unlocked, meaning that they cannot be included in policy definitions or changes in another activity.

---

Note After an activity is approved, changes cannot be undone. You must create a new activity and manually change policies and policy assignments to the desired state.

---

Before You Begin

•Open the activity and review its policies and policy assignments.

Procedure

---

Step 1 Do one of the following:

•Open an activity and click the Approve or Reject button, as appropriate, on the main toolbar.

•Select Tools > Activity Manager. From the Activity Manager window, select an activity and click Approve or Reject.

The Approve Activity or Reject Activity dialog box appears.

Step 2 In the Comment field, enter a brief explanation of why you are approving or rejecting the activity. If you are rejecting the activity, you might want to include suggested revisions.

Step 3 Click OK. The activity status changes to Approved or Edit (if rejected) in the Activity Manager window. For a description of the elements in the window, see Activity Manager Window, page G-1.

---

Related Topics

•Understanding Activities

•Approve Activity Dialog Box, page G-9

•Reject Activity Dialog Box, page G-10

Understanding Activity Change Reports

From the Tools > Change Reports menu (non-Workflow mode), or the Activities menu (Workflow mode), you can select View Changes to view reports about actions that users have taken within an activity. You can see which actions were taken and what devices and groups were acted upon within an activity or configuration session (non-Workflow mode). A report generated in PDF format format identifies the policy and building block changes made as part of that activity.

---

Note If you discover a device or rediscover policies on a device, then subsequent policy changes in the same activity performed on that device are not listed in the activity change report. This is also true on a device that you clone from another device.

---

A three-level menu structure view shows which actions were taken and what devices and groups were acted upon. It also identifies the policy changes made as part of that activity, including changes to policy objects. You can use the PDF bookmark feature to navigate the report.

---

Note You must disable any popup-blocker applications you have running to ensure the activity report will launch.

---

Figure 7-3 shows a sample activity report.

Figure 7-3 Activity Report

Use File > View Changes to obtain an Activity Change Report that only reports changes on the current activity (or configuration session in non-Workflow mode).

Related Topics

•View Changes (Activity Change Report), page G-16

•Understanding Audit Reports, page 17-6

Discarding an Activity

This topic describes how to discard an activity.

You can discard an activity if it is no longer required. When you discard an activity, you delete all the policies and policy assignments that were defined within the activity. Those policies and policy assignments are not in the database; therefore, they cannot be deployed.

Discarded activities are removed from the system according to the settings defined in the Administrative Settings Workflow page, and devices associated with the activity are unlocked, meaning they can be used by other activities. For more information see Workflow Page, page F-25.

To discard an activity, do one of the following:

•Open an activity, then click the Discard button on the main toolbar.

•Select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Discard. Only an activity in the Edit or Edit Open state can be discarded.

Related Topics

•Define These Settings First, page 2-2

•Understanding Activities

Displaying Activity Details

This procedure describes how to display activity details.

For a specific activity, you can view details, such as the activity ID and name, the date and time that an activity was created and last modified, and any comments that the user entered when changing the activity state.

Procedure

---

Step 1 Select Tools  > Activity Manager.

Step 2 Select the activity about which you want to see detailed information.

Step 3 Click the Activity Details tab. For details about the information displayed, see Details Tab, page G-5.

---

Related Topics

•Understanding Activities

Displaying Activity History

This procedure describes how to display historical information about an activity.

The Activity History tab displays actions that occurred to the selected activity since it was created. Each row in the table show the action that occurred, the user who performed the action, the date and time it occurred, and comments, if any, that the user entered.

Procedure

---

Step 1 Select Tools  > Activity Manager.

Step 2 Select the activity about which you want to see information.

Step 3 Click the Activity History tab. For details about the information displayed, see History Tab, page G-6.

---

Related Topics

•Understanding Activities