Deploying Policies

Making the Policy available to the Protectors.

Policies must be deployed to take effect in the system.

There are two stages of deployment: Ready to Deploy and Deployed. The Ready to Deploy stage signals that the Policy configuration is finalized and the Policy can be deployed. The Deployed stage means that this version of the Policy is actively being made available to the Protectors. If you modify a Policy, then you need to repeat the deployment process.

Note that this behavior only applies to modifying Policies via the ESA Web UI. If you are modifying a Policy using the Policy Management API, the deployment happens automatically after every change. For more information about the Policy Management API, please refer to the section Using the Policy Management REST APIs.

Marking the Policy as Ready to Deploy

To mark the Policy as Ready to Deploy:

  1. On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.

    The list of all the policies appears.

  2. Select the required policy.

    The screen to edit the policy appears.

  3. Click Ready to Deploy.

A message confirming the action appears. The Ready to Deploy action is inactive and the Deploy action is active. The ESA must be up and running to deploy the package to the protectors.

Deploying a Policy

This section describes how to deploy the policy after it has been marked as Ready to Deploy.

To deploy the policy:

  1. On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.

    The list of all the policies appears.

  2. Select the required policy.

    The screen to edit the policy appears.

  3. Click Deploy.

A message **Policy has been deployed successfully** appears.

Note: An error message appears if the Policy being deployed is not linked to any Data Store.

If you deploy a policy to a data store that contains additional policies that have already been deployed, then the policy user inherits the permissions from the multiple policies.

For more information about inheriting permissions, refer to Inheriting Permissions.

Deploying Data Stores

You can choose to deploy a Policy to a specific Data Store only. That will allow the nodes associated with the Data Store to get the latest Policy. By deploying a Data Store, you deploy the Trusted Applications associated with it.

To deploy a Data Store:

  1. On the ESA Web UI, navigate to Policy Management > Data Stores.

    The list of all the data stores appears.

  2. Select the data store.

    The screen to edit the data store appears.

  3. Click Deploy.

A message **Data Store has been deployed successfully** appears.

When the Protector pulls the package that contains a policy added to the data store, it connects to the ESA to retrieve the necessary policy information. The policy information includes members for each role in the policy, token elements, and so on.

Deploying Trusted Applications

During deployment, the Application Protector validates the Trusted Application. If the validation fails, then the Protector generates an audit entry with the detailed information.

Marking a Trusted Application as Ready to Deploy

To mark a Trusted Application as Ready to Deploy:

  1. On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Trusted Applications.

    The list of all the trusted applications appears.

  2. Select the required trusted application.

    The screen to edit the trusted application appears.

  3. Click Ready to Deploy.

A message **Trusted Application has been marked ready to deploy** appears.

The Deploy action is active.

Deploy the Trusted Application

To deploy the trusted application after it has been marked as Ready to Deploy:

  1. On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Trusted Applications.

    The list of all the trusted applications appears.

  2. Select the required application that is in the ready to deploy state.

    The screen to edit the trusted application appears.

  3. Click Deploy.

A message **Trusted application has been successfully deployed** appears.

Note: An error message appears if the Trusted Application being deployed is not linked to any Data Store.

You can also deploy the trusted application by deploying the data store. In this case, all the policies and trusted applications that are linked to the data store are prepared to be distributed to the protection points.

For more information about deploying a data store, refer to Deploying Data Stores to Protectors.


Last modified : October 29, 2025