Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
841
Views
0
Helpful
4
Replies

Communications Manager 9.x Roles and Groups

Go to solution
Live2 Bicycle
Level 3
Level 3

‎08-02-2013 11:20 AM - edited ‎03-19-2019 07:05 AM

I want to give my helpdesk the ability to look up an end user on the end user page and then click the 2 check boxes under service settings for:

Home Cluster

Enable User for Unified CM IM and Presence (Configure IM and Presence in the associated UC Service Profile)

I created a new role base on the Standard CCMADMIN Read Only and uncheck all of the check boxes with the exception of user pages.

I created a new Group and added my new roll and the Standard CCM Admin Users role to my new gourp which is called helpdesk.

My issue is the users I have added to the new group Helpdesk have the ability to add themselves to a higher group such as the super user group. 

Is there a way to prevent a user from escalating their own priviliages?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Huffman
Hall of Fame
Hall of Fame

‎08-02-2013 01:33 PM

Could be this bug

CCM Standard Admin User able to elevate permission settings

CSCtw88054

Cheers!

Rob

"A smile relieves a heart that grieves" 

- Stones

View solution in original post

0 Helpful

Go to solution
Live2 Bicycle
Level 3
Level 3
In response to Rob Huffman

‎08-07-2013 10:51 AM

Rob, a cisco engineer on my account team pointed out this enterprise setting.

1. Admin sets the enterprise parameter 'Allow non-super user to grant access to 
administrative web pages' to false. The default is true.
2. From then on each time an end user or application user who is not a super user 
adds an end user and puts that user in a user group, CCMadmin would check to see if 
the user group has access right to any resources other than the UCMUser webapp 
(User Options). If it does, then an appropriate error messages is thrown and the add 
failed.

The user can STILL remove users from groups but atleast they can not add users to groups.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Rob Huffman
Hall of Fame
Hall of Fame

‎08-02-2013 01:33 PM

Could be this bug

CCM Standard Admin User able to elevate permission settings

CSCtw88054

Cheers!

Rob

"A smile relieves a heart that grieves" 

- Stones

0 Helpful

Go to solution
Live2 Bicycle
Level 3
Level 3
In response to Rob Huffman

‎08-02-2013 02:02 PM

Bug ID  CSCtw88054 sure does look like what I am experiencing.  I am on version  9.1.1.20000-5 which is not mentioned but in my 7 yrs of doing this I often don't see every version mentioned. 

Thanks Rob as always your amazing and helpful!

0 Helpful

Go to solution
Live2 Bicycle
Level 3
Level 3
In response to Rob Huffman

‎08-07-2013 10:51 AM

Rob, a cisco engineer on my account team pointed out this enterprise setting.

1. Admin sets the enterprise parameter 'Allow non-super user to grant access to 
administrative web pages' to false. The default is true.
2. From then on each time an end user or application user who is not a super user 
adds an end user and puts that user in a user group, CCMadmin would check to see if 
the user group has access right to any resources other than the UCMUser webapp 
(User Options). If it does, then an appropriate error messages is thrown and the add 
failed.

The user can STILL remove users from groups but atleast they can not add users to groups.
0 Helpful

Go to solution
Rob Huffman
Hall of Fame
Hall of Fame
In response to Live2 Bicycle

‎08-07-2013 02:02 PM

Great feedback! Thanks so much for the kind follow-up +5 all day long.

Cheers!

Rob

"A smile relieves a heart that grieves" 

- Stones

0 Helpful
Customers Also Viewed These Support Documents