Filter
Top Products
5-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Understanding Policies
Tip Security Manager also obtains activity (or configuration session) locks, which are broader in scope than
policy locks, when users perform some actions. For more information, see Activities and Locking,
page 4-3.
Lock Types
Security Manager uses two different types of locks:
• Policy content locks—Locks the content of a particular policy. The banner displayed above the work
area reads:
This data for this policy is locked by activity/user: <name>.
The content lock prevents other users from making any changes to the configuration of the locked
policy.
• Assignment locks—Locks the assignment of a policy type to a particular device. The banner
displayed above the work area reads:
The assignment of this policy is locked by activity/user: <name>.
For a local policy, an assignment lock prevents other users from unassigning the policy or assigning
a shared policy of the same type in place of the local policy. For a shared policy, an assignment lock
prevents other users from assigning a different shared policy of the same type in place of one already
assigned.
These locks can either work together or independently of one another, depending on the actions being
performed by the user. If both locks are active at the same time, the banner displayed above the work
area reads:
This policy is locked by activity/user: <name>.
See Understanding Locking and Policies, page 5-9 for a summary of the effects locking has on the
actions you can perform.
Releasing Locks
After is locked is enabled, it remains in place until you either submit your changes (when working in
non-Workflow mode) or submit and approve the activity (when working in Workflow mode). If you
discard the activity, any locks generated by the activity are also discarded. For more information about
workflow modes, see Workflow and Activities Overview, page 1-18.
Keep in mind that:
• Locks are based on the device name, not the IP address of the device. Therefore, we recommend that
you avoid defining two devices with different names but the same IP address in Security Manager.
Any attempt to deploy to both devices, especially at the same time, leads to unpredictable results.
• In addition, locks do not extend across different operations. For example, locking does not prevent
one user from deploying to the same device that is being discovered by a different user.
Additional details about locking can be found in the following sections:
• Understanding Locking and Policies, page 5-9
• Understanding Locking and VPN Topologies, page 5-9
• Understanding Locking and Objects, page 5-10