Communications Manager 9.x Roles and Groups

Live2 Bicycle
Level 3

I want to give my helpdesk the ability to look up an end user on the end user page and then click the 2 check boxes under service settings for:

Home Cluster

Enable User for Unified CM IM and Presence (Configure IM and Presence in the associated UC Service Profile)

I created a new role based on the Standard CCMADMIN Read Only and unchecked all of the check boxes with the exception of user pages.

I created a new Group and added my new role and the Standard CCM Admin Users role to my new group which is called helpdesk.

My issue is the users I have added to the new group Helpdesk have the ability to add themselves to a higher group such as the super user group.

Is there a way to prevent a user from escalating their own privileges?

Rob Huffman
Hall of Fame

Could be this bug

CCM Standard Admin User able to elevate permission settings

CSCtw88054

Cheers!

Rob

"A smile relieves a heart that grieves" 

- Stones

Bug ID CSCtw88054 sure does look like what I am experiencing. I am on version 9.1.1.20000-5 which is not mentioned but in my 7 yrs of doing this I often don't see every version mentioned.

Thanks Rob as always you're amazing and helpful!

Rob, a Cisco engineer on my account team pointed out this enterprise setting.

1. Admin sets the enterprise parameter 'Allow non-super user to grant access to administrative web pages' to false. The default is true.
2. From then on each time an end user or application user who is not a super user adds an end user and puts that user in a user group, CCMadmin would check to see if the user group has access right to any resources other than the UCMUser webapp (User Options). If it does, then an appropriate error message is thrown and the add failed.

The user can STILL remove users from groups but at least they cannot add users to groups.
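A model of the check described in the post above, together with an audit of existing memberships, as an added example (not from the thread and not Cisco's code). The resource labels, group contents and user names are constructed sample data, and treating membership in Standard CCM Super Users as "super user" is an assumption.

```python
# Added illustration of the behaviour described in the thread; not Cisco code.
# Resource labels, group contents and user names are constructed sample data.
UCM_USER_WEBAPP = "UCMUser"               # the User Options web app named in the post
SUPER_GROUP = "Standard CCM Super Users"  # assumption: membership here == super user

# group -> resources granted through its roles (constructed)
GROUP_RESOURCES = {
    "Standard CCM End Users": {"UCMUser"},
    "helpdesk": {"UCMUser", "CCMAdmin:user-pages"},
    SUPER_GROUP: {"UCMUser", "CCMAdmin:all-pages"},
}

def grants_admin_access(group):
    """True if the group reaches any resource beyond the User Options web app."""
    return bool(GROUP_RESOURCES[group] - {UCM_USER_WEBAPP})

def may_add_to_group(actor_groups, target_group, allow_non_super_grant):
    """Decision for 'actor puts a user into target_group', as the post describes it.

    allow_non_super_grant models the enterprise parameter 'Allow non-super user
    to grant access to administrative web pages' (default true).
    """
    if SUPER_GROUP in actor_groups or allow_non_super_grant:
        return True  # super users, or the default setting: no check is made
    return not grants_admin_access(target_group)

def audit_delegated_members(membership, delegated_group):
    """Flag members of the delegated group who also hold other admin-granting groups.

    Useful after changing the parameter: it blocks new additions but does not
    undo memberships granted while the default was in effect.
    """
    findings = {}
    for user, groups in membership.items():
        if delegated_group not in groups:
            continue
        extra = sorted(g for g in groups
                       if g != delegated_group and grants_admin_access(g))
        if extra:
            findings[user] = extra
    return findings

# Constructed membership export: bob added himself to the super user group.
MEMBERSHIP = {
    "alice": {"helpdesk", "Standard CCM End Users"},
    "bob": {"helpdesk", SUPER_GROUP},
    "carol": {SUPER_GROUP},
}
```

In this model a helpdesk member is also refused when adding a user to the helpdesk group itself, because that group grants access to administrative pages.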

Great feedback! Thanks so much for the kind follow-up +5 all day long.

Cheers!

Rob

"A smile relieves a heart that grieves" 

- Stones