Locking an Access Control Policy

You can lock an access control policy to prevent other administrators from editing it. Locking the policy ensures that your changes will not be invalidated if another administrator edits the policy and saves changes before you save your changes. Without locking, if multiple administrators edit the policy simultaneously, the first person who saves changes wins, and all other users have their changes erased.

The lock is for the access control policy itself. The lock does not apply to objects used in the policy. For example, another user can edit a network object that is used in a locked access control policy. Your lock remains in place until you explicitly unlock the policy, so you can log out and come back to your edits later.

When locked, other administrators have read-only access to the policy. However, other administrators can assign a locked policy to a managed device.

Before you begin

Any user role that has permission to modify the access control policy has permission to lock it, and to unlock a policy that was locked by another user.

However, the ability to unlock a policy that was locked by another administrator is controlled by the following permission: Policies > Access Control > Access Control Policy > Modify Access Control Policy > Override Access Control Policy Lock.

If you are using custom roles, your organization might have limited your unlocking abilities by not assigning this permission. Without this permission, only the administrator who locks a policy can unlock it.

Procedure

Step 1	Choose Policies > Access Control.
Step 2	Click Edit () next to the access control policy you want to lock or unlock. The Lock Status column shows whether a policy is already locked, and if so, who locked it. An empty cell indicates that the policy is not locked. If View () appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. Or, it is locked by another user.
Step 3	Click the lock icon next to the policy name to lock or unlock the policy. If the policy inherits settings from a parent policy, you must choose one of the following options when you click the lock icon. Lock/Unlock This Policy—The locking or unlocking is for this policy only. Lock/Unlock This Policy and Parents in the Hierarchy—This policy and all parent policies are locked or unlocked. If a parent policy is already locked by another administrator, you will see a message and you will not be able to lock that parent policy. When unlocking policies, if you have the Override Access Control Policy Lock permission, all parent policies are unlocked even if they were locked by other users.