Delegate permission to sync LDAP
08-17-2010 08:43 AM - edited 03-19-2019 01:25 AM
Is there a way to grant a user the ability to synchronize LDAP without giving them full admin rights? This applies to both UCM and Unity Connection. When adding new users to the system we add them to Active Directory, and then create their phone & voice mailbox. After creating their AD account we synchronize LDAP in UCM and UC so the new accounts are visible to those systems. When I do it myself it's not a problem because I have full admin rights, but I'd like to delegate the permission to sync LDAP to our technical support staff who don't have full admin rights on the phone system. It's not realistic to expect them to wait for the next scheduled LDAP sync to occur.
Labels: UC Applications
08-17-2010 11:43 AM
Try using End User Roles to delegate administrative rights to the end users you want to promote to various administrative roles. I don't have access to a CUCM or UConn cluster at the moment to verify that LDAP Syncing is a task that can be delegated; however, use the guide linked below to guide you through the role administration process. Sorry I couldn't be of more help!
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00808c82d2.shtml
08-25-2010 06:24 AM
Unfortunately there is not enough granularity to allow users to 'Perform Full Sync Now' without also granting permission to make LDAP directory configuration changes. The closest thing you can do in a role is grant read/update on 'LDAP Directory Configuration Pages'.
Too bad.
08-25-2010 06:33 AM
Well dang. I don't feel like there's a ton of danger allowing access to that portion of CCMAdmin as long as they know the only button they're supposed to press on that screen is "Perform Full Sync Now"!

05-24-2017 02:41 PM
Any third party tool or AXL API that can be used to achieve this?
03-13-2013 08:04 AM
I have this problem too. The LDAP Directory Configuration Pages option works perfectly for the Call Manager LDAP sync, but that setting doesn't transfer over to Unity. And the Unity roles don't allow you to copy and reconfigure them like Call Manager does. So right now it's either give them the technician role or no LDAP sync.
