To manage an ASA, Defense Orchestrator must have its own stored copy of the ASA's running configuration file. When Defense Orchestrator "reads a policy" from an ASA, it takes a copy of the ASA's running configuration file and saves the copy in its own file system. Defense Orchestrator first reads and saves a copy of an ASA configuration file when the ASA is onboarded to Defense Orchestrator.
When the Defense Orchestrator admin makes changes to the ASA's configuration, the changes are first made to Defense Orchestrator's copy of the configuration file. Those changes don't take effect on the ASA until the admin "writes" them from Defense Orchestrator to the device. Defense Orchestrator writes the configuration file changes by copying them to the running configuration file on the ASA and then saving the file. Changes to Defense Orchestrator's copy of the configuration file overwrite the corresponding lines in the ASA's running configuration file.
These articles describe how to read configurations from the ASA and write configuration changes to the ASA: