
CallManager 10.5 Restrict access to Permissions

dawsonpettifer1
Level 1

I have created roles and assigned them to our Help desk staff but I am unable to restrict access under the end user that allows them to assign themselves as Full admins by accessing the Access Control Group via the Permissions Info on the end user pages.

I have added the standard ccm admin user to allow access and also feature management and end user management. Is there any documentation to assist with this?


Suresh Hudda
VIP Alumni

Have you followed the correct procedure while assigning the role? Please verify it once; below is the link.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/admin/8_0_2/ccmsys/accm-802-cm/a02mla.html#wp1062944

Note: The Standard Unified CM Admin Users role gives the user access to the Cisco Unified Communications Manager Administration user interface. This role, the base role for all administration tasks, serves as the authentication role. Cisco Unified Communications Manager Administration defines this role as the role that is necessary to log in to Cisco Unified Communications Manager Administration.

The Standard Unified CM Admin Users role includes no permissions beyond logging into Cisco Unified Communications Manager Administration. The administrator must add another authorization role to define the parts of the Cisco Unified Communications Manager Administration that the user can administer.

The Standard CCMADMIN Administration role allows a user to access and make changes in all of Cisco Unified Communications Manager Administration.

Suresh

Hi Suresh,

I have followed the procedure. Allowing access is fine and allowing access to phones and end user pages is ok, but I need to stop access to the role field.

Do you know which field restricts this part?

I am not sure if I understand correctly. You can't add roles directly from the user's window. You need to assign groups that contain roles.

You can create a custom group if you are looking for custom roles.

Does this answer your question?

Hi Mohammed,

Sorry, let me reword this.

I have assigned the groups that allow a user to login and a group to provide access to certain fields, but the problem I have is no matter what I select in a role within the group I am unable to restrict any user the right to assign themselves as an admin by allowing them to select a new group and adding it to themselves within the end user as shown in the image.

I hope this helps.

Create a custom access control group (e.g. test). Make sure that none of the below roles is assigned to it. Then your users won't be able to assign admin privileges.

Standard CCM User Management | Cisco Call Manager Administration | Standard CCM User Management
Standard CCM User Privilege Management | Cisco Call Manager Administration | Standard CCM User Privilege Management
Standard CCMADMIN Administration | Cisco Call Manager Administration | Administer all aspects of CCMAdmin system
Standard CCMADMIN Administration | Cisco Call Manager Dialed Number Analyser | Administer all aspects of CCMAdmin system
Standard CCMADMIN Administration | Cisco Call Manager Serviceability | Administer all aspects of CCMAdmin system
Standard CCMADMIN Administration | Cisco Unified CM IM and Presence Administration | Administer all aspects of CCMAdmin system
Standard CCMUSER Administration | Cisco Call Manager End User | Administer all aspects of CCMUser system

Hi Mohammed

I have tried what you have suggested with no success. I need to provide access to the End user page to modify items, but I can only provide read only or update to the entire page. I need to restrict access to the access control group assignment in the permission information section which is a subset of this page, even though it is not accessible from the menu at the top of the menu.

Is this a bug at all?

anish.gupta11
Level 1

Hi,

Were you able to fix this? I am also facing the same problem.

Please advise/help.

Thanks!!

I figured out a way to restrict my lower level admins from having access to change the Permissions Information section on the End User profiles while maintaining their ability to do their job, such as changing passwords. I had to use the "User Rank" function. I created a level 5 User Rank and assigned the Access Control Group with the roles configured to give my lower level admins access to the End User Web Pages. Then I assigned the lower level admins' application user accounts to the level 5 User Rank. All my other Access Control Groups are set between User Ranks of 1 to 4. This removes the "Add to Access Control Group" and "Remove from Access Control Group" buttons from their view of the End User web pages since they no longer have access to any Access Control Groups with a higher rank (1 - 4 are higher than 5).

Nice fix J_B(+5).  I ran into the same problem as you and dawson.  Call Manager allows you to create a role with just read/update to the "User web pages".  That role is then assigned to an Access Control Group, which is assigned to the lower tier HelpDesk End User (Standard CCM Admin Users is required as well for web page login/access).  Now the HelpDesk staff can login to CUCM and only view End User pages, all other pages return "User is not authorized to access this page".  With access to the End User pages they can update passwords for your customers/users...great...the problem is they can also update the Access Control Groups (lower down on the same page) to elevate their own privileges.  J_B provided a nice workaround:

Create User Rank 2

Create Tier_1 Role, Assign "User web pages" read/update

Create Tier_1 Access Control Group as Rank 2

Assign Tier_1 Role and Standard CCM Admin Users Role to Tier_1 Access Control Group

Configure the HelpDesk End User's User Rank: 2 and Access Control Group: Tier_1


The HelpDesk user can now view Rank 1 users but the Add/Remove Access Control Group buttons are gone. If the Rank 2 user browses to their own End User profile they can only see Rank 2 Access Control Groups (i.e. Tier_1). They don't have the ability to modify User Rank on Rank 1 users (greyed out); on existing Rank 2 or "Add New" users the only option presented from CUCM is Rank 2 (not allowing them to change themselves back to Rank 1).


This is definitely a unique scenario where your use case is to have a HelpDesk user only able to reset passwords.


...it's kind of like CSS' for End Users


CUCM: 11.5.1.14900-11
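
The rank rule described in the two posts above, as an added example that is not part of the original thread and does not query CUCM: a small offline model that audits which operators could still add a full-admin Access Control Group to their own account. The group and operator names, the `updates_end_users` flag and all sample data are constructed assumptions; only the role names come from the thread.

```python
from dataclasses import dataclass

FULL_ADMIN_ROLE = "Standard CCMADMIN Administration"  # role named in the thread

@dataclass(frozen=True)
class Group:
    name: str
    rank: int            # 1 is the highest rank
    roles: frozenset

@dataclass(frozen=True)
class Operator:
    name: str
    rank: int
    groups: frozenset    # names of Access Control Groups already assigned
    updates_end_users: bool  # assumed flag: holds update on "User web pages"

def assignable(op, groups):
    # Rule as described in the thread: groups of a higher rank (a smaller
    # number) than the operator's own are not offered on the End User page.
    return [g for g in groups if g.rank >= op.rank]

def escalation_paths(op, groups):
    """Names of full-admin groups the operator could add to their own account."""
    if not op.updates_end_users:
        return []
    return sorted(g.name for g in assignable(op, groups)
                  if FULL_ADMIN_ROLE in g.roles and g.name not in op.groups)

def audit(operators, groups):
    """Map each operator with at least one escalation path to those paths."""
    found = {op.name: escalation_paths(op, groups) for op in operators}
    return {name: paths for name, paths in found.items() if paths}

# Constructed sample data (hypothetical names apart from the role strings).
TIER_1_ROLES = frozenset({"Tier_1", "Standard CCM Admin Users"})
GROUPS = [
    Group("Full_Admins", 1, frozenset({FULL_ADMIN_ROLE})),
    Group("Tier_1", 2, TIER_1_ROLES),
    Group("Legacy_Admins", 3, frozenset({FULL_ADMIN_ROLE})),  # admin group left at a low rank
]
OPERATORS = [
    Operator("helpdesk_rank1", 1, frozenset({"Tier_1"}), True),   # before the workaround
    Operator("helpdesk_rank2", 2, frozenset({"Tier_1"}), True),   # after the workaround
]

if __name__ == "__main__":
    for name, paths in audit(OPERATORS, GROUPS).items():
        print(f"{name}: can self-assign {', '.join(paths)}")
```

In this model the rank 2 operator is still flagged because of `Legacy_Admins`: the workaround only holds if every group carrying an admin role sits at a higher rank than the help desk accounts.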

Dear Experts,

 

I also fixed the same issue using User Rank, but after configuring the user rank, the helpdesk user is not able to assign an end user in the Users Associated with Line section of the phone line settings.

For example, a page appears and users from the same rank are also displayed for changing, but when I select one and click ADD SELECTED there is no effect.

I also tried with full access, but it is still the same.

 

Please suggest