4-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter4 Managing Activities
Understanding Activities
In addition, the changes you make within an activity are visible only within the activity. Other users
see only the last approved committed configurations, unless they view your activity before you close
it (in Workflow mode).
Activity Approval
When you enable Workflow mode, you can choose to operate with or without an activity approver.
If your organization requires a different person with higher permissions to approve activities, you can
enable workflow with an approver. When using Workflow mode with an approver, the activity must be
approved by a person with the appropriate permissions so the policies can be committed to the database.
This approval process at the policy definition level helps to ensure that no inappropriate configurations
reach the network devices.
If you choose to operate without an approver, the person defining the policies has the permissions to
approve them.
For information about enabling or disabling activity approval and changing the default activity approver,
see Workflow Page, page11-54.
Activities and Locking
To prevent multiple users from making conflicting changes, Security Manager obtains activity-level
locks when a user performs certain actions within an activity or configuration session in Workflow or
non-Workflow mode. This prevents two or more people from making changes to the same feature policy,
policy assignment, or object at the same time.
Security Manager also uses locking to ensure that operations related to the committed configuration
always run exclusive of one another. These operations can be divided into two categories:
Operations that change the committed configuration:
Activity approval, which includes configuration session submission in non-Workflow mode.
Device deletion.
Editing device properties.
Operations that read the committed configuration:
Configuration preview.
Deployment (in non-Workflow mode).
Creation of deployment job (in Workflow mode).
Activity or configuration session validation.
If you are performing an operation that changes the committed configuration, no one can perform any
of the operations in either list until this operation is complete. An error message is displayed to the user
who tries, indicating the action and activity (or user, in non-Workflow mode) that has the lock. For
example, if you are approving an activity (which occurs automatically when an activity is submitted in
non-Workflow mode), no one else can delete a device or validate a different activity until the approval
is complete. This type of locking is particularly important in multi-user settings as it prevents multiple
users from simultaneously making changes to the committed configuration.
If you are performing an operation that reads the committed configuration, no one can perform an
operation that changes the committed configuration. For example, if you are validating an activity,
another user cannot approve an activity. However, other users can perform another operation that reads