cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1073
Views
0
Helpful
7
Replies

Prime Collaboration Role-based Access Control Issue

Ivan Baric
Level 1
Level 1

Hello Support Community,

we are using the Cisco Prime Collaboration Provisioning and would like to configure a user that would act as an admin for one of our domains.

This user would be able to add, remove, change, etc. all the objects that are located in one remote office. So he should not be able to see the users, phones and so on, from all other offices.

 

The issue is that we can not select the domain that should be assigned to him. When we select a user that should be configured as an administrator for the office, go to Manage Authorization Roles, under Roles for Domain there is only "Apply to all domains". We cant select one of the two domains that are currently configured.

I've tried with different browsers, tried checking the boxes to see if one of those would trigger the change and let us select the domain but so far I had no luck.

 

The cluster consists of 7 CUCMs on version 9.1.2.12900-11 (and 2x CUC, 2x IM&P, etc.) and the Prime Collaboration Provisioning is on version 10.5.1.320 (License Type Advanced).

 

Thanks in advance!

 

Ivan

1 Accepted Solution

Accepted Solutions

Ivan,

Should remove the standard license.  The product is licensed for both standard and advanced at the same time.

Take out the standard license and then wait about 2 minutes and it should short itself out.

Regards

View solution in original post

7 Replies 7

Anthony Gerbic
Cisco Employee
Cisco Employee

Ivan,

There may be a couple of reasons it is not working for you.  I will try to cover some checks to make sure it is setup right.

Most important is to make sure PCP is not in Standard mode. Standard does not allow delegation and only show the "Apply to all domains" choice no matter how many Domain groups are defined.

One sure way to check this is to look on the banner and there should be a check mark next to the word Advanced.  Another possible check is to click on the little icon next to the Provisioning License Status on the license management page. It will open a window that shows the detail of the licensing. The Delegation feature should be set to 2, and not 0 or 1.

I will assume the two Domain groups are already configured and have some users in them.

Select the user from the User Management UI and the UI will switch to the user's User Record UI.  To make the user into an order admin, click on the link to Manage Authorization Roles. A UI will open and the Roles for Domain will default to the Domain the user is assigned to.   Is this happening? If not does it just say "Apply to all domains"?   This will give a clue to the next troubleshooting step.

I checked the behavior on the 10.5.1.320 TME demo system just to make sure it was working ok in advanced mode.

Regards

Hello Anthony,

first of all, thank you for taking the time to answer and analyze!

 

Your questions:

"One sure way to check this is to look on the banner and there should be a check mark next to the word Advanced" -  in the top right Corner of the banner I can see a green check mark next to Advanced 

 

"The Delegation feature should be set to 2, and not 0 or 1." - the Delegation Feature has the following Status - "Available : 1 | Used : 0 | Expiry : permanent". Does the value has to be "2" under Available ? Because in the Moment we are not using any (Used : 0).

 

"I will assume the two Domain groups are already configured and have some users in them." - that is correct. Both Domains are already configured and we have multiple users in both of them. Domains are configured with appropriate Call Processors, Message Processors, LDAP Sync, Service Areas, User Roles and Service Templates.

 

I have tested what you proposed in the last part. Selected one of the Users through Deploy > User Provisioning. Opened his User Records page (where we can see all the Services, etc.) > Manage Authorization Rules. In the Roles for Domain field it just says "Apply to all domains", I does not Display any other value when I click on the Dropdown button.

 

Kind regards,

Ivan

 

 

Ivan,

Based on your response to the delegation setting, I think the licensing has a problem. 

Status - "Available : 1  indicates that the delegation is set to no delegation and will show "Apply to all Domains". If it was set to 2 then it allows delegation and will show Domain selections.

The next question is how many licenses are shown in the list of licenses?  The mandatory one is the purchased license. There might be one for evaluation or possibly one for Standard mode in the license directory that is interfering with the Advanced permanent license.

In the License File list there should be one that has a name that looks similar to the following: CUPM201311141320470830.lic. There may be others like eval.lic or standard.lic.  If standard.lic is present it should be deleted. eval.lic should not interfere. 

If there are more licenses in the list they may be there as evaluation extension licenses and should be removed as well.  The best method to figure out which is the "real" permanent license is to look at the license sent from the SLT based on the PAK you entered from the purchase.

If you are not able to sort this out. Please attach a screen shot of the license page that shows the license file names.

Regards

Hi Anthony,

I can't check this today, as soon as I have, I'll update you.

 

Thank you,

Ivan

Ivan,

Should remove the standard license.  The product is licensed for both standard and advanced at the same time.

Take out the standard license and then wait about 2 minutes and it should short itself out.

Regards

Hello Anthony,

 

sorry for the delay, I could not find the time to do what you proposed.

 

I have deleted the standard.lic from the License Management page and now I can set the pemissions on individual domains. Also, I was not able to see which permissions (roles) were assigned to users before. If I would set i.e. the "Ordering" permissions and saved, the page would reload and all the checkboxes would be empty. The permissions in this case would be configured, but I was not able to see it later.

 

Thanks for the support +++

 

Ivan

Hi Anthony,

so here is the list of the licenses on the License Management page (see the attachment).

There is the standard.lic. I would just like to ask you if this one can be removed ?

Kind regards,

Ivan