Policy inheritance with Enterprise Scanner policies
The inheritance properties of policies in SiteProtector provide a flexible and
efficient method for setting up your scanning environment in a hierarchical group
structure.
General inheritance behavior
In general, inheritance works as follows:
v When you define a policy for a group in your group structure, the policy
automatically applies to the subgroups for the group unless a subgroup already
has its own version of the policy. Then, that subgroup retains its version of the
policy.
v You can break the inheritance at any level in the group structure by redefining
(overriding) the policy for a subgroup. When you define a policy for a
subgroup, the changes apply to its subgroups.
v If you have defined a policy for a subgroup that you want to apply to groups
above it, you can promote the policy to a higher group.
Inheritance with Enterprise Scanner policies
As you plan your Site grouping structure for vulnerability management, keep these
points in mind:
v Most asset policies follow the general rules of inheritance.
v Many agent policies apply only to a single agent or scanning network interface.
v Some asset and some agent policies have specialized inheritance characteristics.
These differences are described in more detail in the following topics.
Inheritance indicators
When you select a group in the left pane of the SiteProtector Console, policies
applicable to the group are displayed in the right pane. The inheritance indicators
of the policies are displayed in the Inheriting From column as follows:
Table 4. Policy inheritance indicators
If the Inheriting From Value is... Then...
blank The policy is defined at the group
level/agent selected in the left pane.
UNCONFIGURED You have chosen to override the policy with
one that is defined higher in the group
structure, but a higher-level policy is not
defined.
a_group_name The policy is inherited from the referenced
group.
Initially blank or unconfigured?
The initial inheritance indicators for agent policies can be blank or unconfigured
depending on whether you override SiteProtector group settings when you register
your agent with SiteProtector:
v If you override the settings, the settings for the agent are applied to the
SiteProtector policies, so that the Inheriting From column is blank.
30 Enterprise Scanner: User Guide
