cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3357
Views
5
Helpful
10
Replies

Callamanger 10.5 Restrict access to Permissions

dawsonpettifer1
Level 1
Level 1

I have created roles and assigned them to our Help desk staff but I am unable to restrict access under the end user that allows them to assign themselves as Full admins by accessing the Access Control Group via the Permissions Info on the end user pages.

I have added the standard ccm admin user to allow access and also feature management and end user management. Is there any documentation to assist with this?

10 Replies 10

Suresh Hudda
VIP Alumni
VIP Alumni

Have you followed correct procedure while assigning role, please verify it once...below is the link.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/8_0_2/ccmsys/accm-802-cm/a02mla.html#wp1062944

Note: The Standard Unified CM Admin Users role gives the user access to the Cisco Unified Communications Manager Administration user interface. This role, the base role for all administration tasks, serves as the authentication role. Cisco Unified Communications Manager Administration defines this role as the role that is necessary to log in to Cisco Unified Communications Manager Administration.

The Standard Unified CM Admin Users role includes no permissions beyond logging into Cisco Unified Communications Manager Administration. The administrator must add another authorization role to define the parts of the Cisco Unified Communications Manager Administration that the user can administer.

The Standard CCMADMIN Administration role allows a user to access and make changes in all of Cisco Unified Communications Manager Administration.

Suresh

Hi Suresh,

I have followed the procedure. Allowing access is fine and allowing access to phones and end user pages is ok, but I need to stop access to the role field.

Do you know which field restricts this part?

I am not sure if I understand correctly. You can't add roles directly from user's window. You need to assign groups which are containing roles.

You can create custom group if you are looking for custom roles.

Does this answer your question.

Hi Mohammed,

Sorry let me reword this.

I have assigned the groups that allow a user to login and a group to provide access to certain fields, but the problem I have is no matter what I select in a role within the group I am unable to restrict any user the right to assign themselves as an admin by allowing them to select a new group and adding it to themselves within the end user as shown in the image.

I hope this helps.

Create a custom access control group (e.g. test). Make sure that none of the below roles is assigned to it. Then your users won't be able to assign admin privileges

Standard CCM User Management Cisco Call Manager Administration Standard CCM User Management Copy
Standard CCM User Privilege Management Cisco Call Manager Administration Standard CCM User Privilege Management Copy
Standard CCMADMIN Administration Cisco Call Manager Administration Administer all aspects of CCMAdmin system Copy
Standard CCMADMIN Administration Cisco Call Manager Dialed Number Analyser Administer all aspects of CCMAdmin system Copy
Standard CCMADMIN Administration Cisco Call Manager Serviceability Administer all aspects of CCMAdmin system Copy
Standard CCMADMIN Administration Cisco Unified CM IM and Presence Administration Administer all aspects of CCMAdmin system Copy
Standard CCMUSER Administration Cisco Call Manager End User Administer all aspects of CCMUser system Copy

Hi Mohammed

I have tried what you have suggested with no success. I need to provide access to the End user page to modify items, but I can only provide read only or update to the entire page. I need to restrict access to the access control group assignment in the permission information section which is a subset of this page, even thou it is not accessible from the menu at the top of the menu.

Is this a bug at all?

anish.gupta11
Level 1
Level 1

Hi,

Were you able to fix this. I am also facing the same problem.

Please advise/help.

Thanks!!

I figured out a way to restrict my lower level admins from having access to change the Permissions Information section on the End User profiles while maintaining there ability to do their job such as change passwords. I had to use the "User Rank" function. I created a level 5 User Rank and assigned the Access Control Group with the roles configured to give my lower level admins access to the End User Web Pages. Then I assigned the lower level admins application user accounts to the level 5 User Rank. All my other Access Control Groups are set between User Ranks of 1 to 4. This removes the "Add to Access Control Group" and "Remove from Access Control Group" buttons from their view of the End User web pages since they no longer have access to any Access Control Groups with a higher rank (1 - 4 are higher than 5). 

Nice fix J_B(+5).  I ran into the same problem as you and dawson.  Call Manager allows you to create a role with just read/update to the "User web pages".  That role is then assigned to an Access Control Group, which is assigned to the lower tier HelpDesk End User (Standard CCM Admin Users is required as well for web page login/access).  Now the HelpDesk staff can login to CUCM and only view End User pages, all other pages return "User is not authorized to access this page".  With access to the End User pages they can update passwords for your customers/users...great...the problem is they can also update the Access Control Groups (lower down on the same page) to elevate their own privileges.  J_B provided a nice workaround:

Create User Rank 2

Create Tier_1 Role, Assign "User web pages" read/update

Create Tier_1 Access Control Group as Rank 2

Assign Tier_1 Role and Standard CCM Admin Users Role to Tier_1 Access Control Group

Configure the HelpDesk End User's User Rank: 2 and Access Control Group: Tier_1


The HelpDesk user can now view Rank 1 users but the Add/Remove Access Control Group buttons are gone.  If the Rank 2 user browses to their own End User profile they can only see Rank 2 Access Control Groups (ie Tier_1).  They don't have the ability to modify User Rank on Rank 1 users (greyed out), on existing Rank 2 or "Add New" users the only option presented from CUCM is Rank 2 (not allowing them to change themselves back to Rank 1).


This is definitely a unique scenario where your use case is to have a HelpDesk user only able to reset passwords.


...it's kind of like CSS' for End Users


CUCM: 11.5.1.14900-11

Dear Experts,

 

I also fix the same issue using User RANK.
but after configuring user rank, the helpdesk user is not able to assign end-user in Users Associated with Line phone line setting. 

for example, a page appear and users from the same rank also display for changing but when I select and click on ADD SELECTED so there is no effect 

I also tried with full access but still the same. 

 

Please suggest