5-10
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Understanding Policies
In order to view and modify site-to-site VPN policies, you must have the required permissions for each
device in the VPN topology. You also need permissions to add a device to a VPN topology. If you have
different levels of permissions to the devices in the VPN topology, the lowest permission level is applied
to the entire topology. For example, if you have read/write permissions to the spokes in a hub-and-spoke
topology, but read-only permissions to the device serving as the hub, you are granted read-only
permission to the policies and devices in the hub-and-spoke topology. For more information about
permissions, see Installation Guide for Cisco Security Manager.
Note Unassigning devices from a VPN topology also creates device locks in the VPN topology, which means
that these devices cannot be deleted from the inventory. Other users cannot edit the device assignments
for the topology until you deploy configurations to all affected devices, including those you remove. The
device is not actually removed from the topology until you deploy configurations.
Related Topics
Understanding Policy Locking, page 5-7
Chapter 24, “Managing Site-to-Site VPNs: The Basics”

Understanding Locking and Objects

When you create or modify a reusable object, that object is locked to prevent other users from modifying
or deleting the same object. Additional rules for object locking include:
• An object lock does not prevent you from modifying the definition or assignment of a policy that
uses that object.
• The lock placed on a policy does not prevent you from making changes to an object that is included
in the policy definition.
• You can change the definition of any object even if it is part of a policy assigned to a device to which
you do not have permissions.
• When an object makes use of other objects (such as network/host objects and AAA server group
objects), the lock on the object does not prevent another user from modifying those other objects.
For example, when you modify a AAA server group object, the lock on that object does not prevent
another user from modifying any of the AAA servers that make up the AAA server group.
When an object is locked, users who try to modify that object see a read-only version of the relevant
dialog box. When you are working in Workflow mode, a message indicates which activity has locked the
object.
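The following is an added illustration, not Cisco code or any part of Security Manager: a small Python model of the locking rules listed above together with the lowest-permission rule for VPN topologies from the preceding section. The class names, the lock-table layout, the activity identifier "act-17", and the sample object and device names ("aaa-group", "hub-asa", and so on) are all invented for the example. It shows what the rules imply in practice: a lock on an object stops a second user from editing that object, but not from editing a member of it or a policy that uses it, and a topology that mixes read/write and read-only devices is read-only as a whole.

```python
# Added illustration (not Cisco code): a model of Security Manager's object and
# policy locking rules and of the lowest-permission rule for VPN topologies.
# All class, function and sample names below are invented for this example.
from dataclasses import dataclass, field
from typing import Optional

READ_ONLY, READ_WRITE = 1, 2


@dataclass
class PolicyObject:
    """A reusable object; `uses` lists the objects it is built from
    (for example the AAA servers that make up a AAA server group)."""
    name: str
    uses: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    objects: list          # objects referenced by the policy definition


@dataclass
class Lock:
    user: str
    activity: Optional[str] = None   # set when working in Workflow mode


class LockTable:
    """Locks are keyed by (kind, name); kind is "object" or "policy"."""
    def __init__(self) -> None:
        self._locks: dict = {}

    def acquire(self, kind: str, name: str, user: str,
                activity: Optional[str] = None) -> bool:
        held = self._locks.get((kind, name))
        if held is not None and held.user != user:
            return False          # someone else already holds it
        self._locks[(kind, name)] = Lock(user, activity)
        return True

    def holder(self, kind: str, name: str) -> Optional[Lock]:
        return self._locks.get((kind, name))

    def release(self, kind: str, name: str, user: str) -> None:
        held = self._locks.get((kind, name))
        if held is not None and held.user == user:
            del self._locks[(kind, name)]


def can_modify_object(locks: LockTable, user: str, obj: PolicyObject) -> bool:
    """Only a lock on this very object, held by another user, blocks the edit.
    Locks on policies using the object or on objects containing it do not,
    and device permissions play no part."""
    held = locks.holder("object", obj.name)
    return held is None or held.user == user


def can_modify_policy(locks: LockTable, user: str, policy: Policy) -> bool:
    """Locks on objects the policy uses do not block a policy edit;
    only the policy's own lock does."""
    held = locks.holder("policy", policy.name)
    return held is None or held.user == user


def lock_message(locks: LockTable, kind: str, name: str) -> str:
    """Text a blocked user would see; in Workflow mode the activity is named."""
    held = locks.holder(kind, name)
    if held is None:
        return f"{kind} {name} is not locked"
    if held.activity:
        return f"{kind} {name} is locked by activity {held.activity} ({held.user})"
    return f"{kind} {name} is locked by {held.user}"


def effective_vpn_permission(device_permissions: dict, topology_devices: list) -> int:
    """The lowest permission level across the topology's devices applies to all of it."""
    return min(device_permissions[d] for d in topology_devices)


def demo() -> dict:
    aaa_srv1 = PolicyObject("aaa-srv1")
    aaa_group = PolicyObject("aaa-group", uses=[aaa_srv1])
    vpn_policy = Policy("remote-access-vpn", objects=[aaa_group])
    locks = LockTable()
    assert locks.acquire("object", "aaa-group", "alice", activity="act-17")
    results = {
        # bob is blocked on the locked object itself ...
        "bob_edits_group": can_modify_object(locks, "bob", aaa_group),
        # ... but not on a member object, nor on a policy that uses the object
        "bob_edits_member": can_modify_object(locks, "bob", aaa_srv1),
        "bob_edits_policy": can_modify_policy(locks, "bob", vpn_policy),
        "message": lock_message(locks, "object", "aaa-group"),
        # read/write on the spokes, read-only on the hub: whole topology is read-only
        "topology": effective_vpn_permission(
            {"hub-asa": READ_ONLY, "spoke1": READ_WRITE, "spoke2": READ_WRITE},
            ["hub-asa", "spoke1", "spoke2"]),
    }
    locks.release("object", "aaa-group", "alice")
    return results
```

The model makes the practical consequence visible: while one user holds an object lock, another can still change the policy that references it or the member objects inside it, so the configuration that is eventually deployed is the combination of both users' edits, and reviewing deployment previews rather than relying on locks is the way to catch unintended combinations.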
Related Topics
Understanding Policy Locking, page 5-7
Chapter 6, “Managing Policy Objects”
Customizing Policy Management for Routers and Firewall Devices
When you manage Cisco IOS routers or ASA, PIX, or FWSM firewall devices, you have the option of
selecting which policy types to manage with Security Manager and which policy types to leave
unmanaged. Managing a policy type means that Security Manager controls the configuration of the
policy and considers the information that it stores in its database about that policy to be the desired
configuration. Security Manager does not configure unmanaged policy types, nor does it track