Tufin SecureChange presents the results of the Designer for Access Request (AR) workflows, e.g. where to put a new rule, including the definition of objects, comments, etc. The Designer can run in one of two modes.

The base configuration is done via SecureChange > Workflows > [workflow name] > Workflow properties. Some remarks about these two options follow.

  • Optimize policy for rule reuse
    With this option active (default), the Designer tries to implement the change in an existing rule: if SRC and DST are the same and only the (new) service is not implemented yet, a change of that rule is assumed, e.g. "add Service xxx to rule yyy". This leads to a slimmer rule base, but changes cannot be found easily. This option is therefore useful for permanent changes and not for test situations.

  • Create new policy rule for each access request
    This option instructs the Designer to create a new rule for each access request, i.e. even if there is a rule with the same SRC and DST, a new rule will be proposed that matches the exact Access Request in the ticket. An advantage of this behavior is a good overview of "rules per AR", so that e.g. rules for testing can easily be removed. Some characteristics need to be considered when using this mode:
    • Even if an existing rule already allows the required access completely, the Designer recommends creating a new rule for the exact Access Request. This might lead to shadowed and/or redundant rules. When using Check Point, the policy can then no longer be installed because of the verifier results.
    • When using SecureApp, a workflow that has this option enabled cannot be selected. In this case, Application Owners need to open the AR directly in SecureChange, without any help from SecureApp.
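
The difference between the two modes, and the shadowing risk of the second one, can be illustrated with a small model. This is an added example, not Tufin code and not the Designer's actual algorithm: it assumes accept rules only, compares objects by name as plain sets, and all names (`Rule`, `design`, the sample rule base) are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    services: frozenset

def rule(name, src, dst, services):
    return Rule(name, frozenset(src), frozenset(dst), frozenset(services))

def covers(existing, ar):
    # True if the existing rule already allows the complete access request
    return (ar.src <= existing.src and ar.dst <= existing.dst
            and ar.services <= existing.services)

def design(rulebase, ar, reuse=True):
    """Return (action, target, covering_rules) for one access request."""
    covering = [r.name for r in rulebase if covers(r, ar)]
    if not reuse:
        # "Create new policy rule for each access request": always a new rule,
        # so report existing rules that would shadow it or make it redundant.
        return ("new_rule", ar.name, covering)
    if covering:
        # Assumption of this model: fully covered access needs no change.
        return ("no_change", covering[0], [])
    for r in rulebase:
        if r.src == ar.src and r.dst == ar.dst:
            # Same SRC and DST, only the service is missing: extend the rule.
            missing = sorted(ar.services - r.services)
            return ("modify_rule", f"add {', '.join(missing)} to {r.name}", [])
    return ("new_rule", ar.name, [])

# Constructed sample rule base and access requests
RULEBASE = [
    rule("rule-10", {"mgmt-net"}, {"db01"}, {"tcp/1521"}),
    rule("rule-20", {"app-net"}, {"web01"}, {"tcp/80", "tcp/443"}),
]
AR_NEW_SERVICE = rule("AR-1", {"app-net"}, {"web01"}, {"tcp/8443"})
AR_COVERED = rule("AR-2", {"app-net"}, {"web01"}, {"tcp/443"})

if __name__ == "__main__":
    for ar in (AR_NEW_SERVICE, AR_COVERED):
        for reuse in (True, False):
            mode = "reuse" if reuse else "new-per-AR"
            print(ar.name, mode, design(RULEBASE, ar, reuse))
```

A non-empty third element in "new rule per AR" mode is the case described above where the proposed rule is already fully allowed by an existing one.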

More information about the Designer can be found in the Tufin Portal (Authentication required).