Cisco Prime Collaboration Provisioning Guide - Standard and Advanced, 10.0
Managing Users

A user is a person who has active IP Telephony services. Provisioning allows you to add users, synchronize user information, reapply services, update user information, and manage domain-specific user roles.

The user role refers to the role that a user will have within an organization. This role dictates the services to which the user is entitled. User roles are predefined in the system.


Note


Any out-of-band configurations (configurations that are performed directly on the processor but not synchronized with Provisioning) can result in failed orders. You must always synchronize Provisioning with the processors that it is provisioning.


Adding Users

To add users:

Procedure
    Step 1   Choose Deploy > User Provisioning.
    Step 2   In the User Provisioning page, click Add.
    Step 3   In the Add User window, enter the User ID, Domain, and Last name. Also, enter values for other fields if required.

    To launch quick view for a particular domain or user role, click the drop-down menu while selecting the domain and user role, and rest the mouse on the quick view icon.

    Step 4   In the Save and Begin Provisioning drop-down:
    • To save the details and launch the Service Provisioning page for the user, click Save and Begin Provisioning.

    • To save the details and add another user, click Save and Add Another.

    • To save the details and close the Add User window, click Save and Close.

    Note   
    • If you are removing a user who has services associated, you are notified to disassociate the services before removing the user.
    • The user ID must be unique. It must not be case sensitive. Valid values are alphanumeric characters (A-Z, a-z, 0-9), underscore (_), hyphen (-), period (.), apostrophe (‘), space ( ), and at sign (@).
    • To create a username for Cisco Unified Communications Manager Express and Cisco Unity Express, enter only alphabetical characters in the First Name and Last Name fields. If you use other types of characters, orders for the user will fail.
    • To create a username for Call Processors, the combination of characters for First Name and Last Name cannot exceed 30 characters. If this limit is exceeded when you provision, the Call Processor sends an error message.
    • Pseudo role allows you to provision phones without an associated user in the Call Processor.
    • While selecting roles for user, the default or Employee user role should be configured to match the typical setup of employees in your organization. If you do not configure the default or Employee user role to meet your needs, you may not see all the desired options in the employee user record.
    • The DefaultUserType rule (see Authorization Roles) controls which user role is set as the default. Provisioning comes with the Employee user role configured as the default user role. If you update the default user role name for a domain in Provisioning, make sure you update the DefaultUserType rule with the new default role name for that domain.
    • Changing the username does not also change the phone or line description field for the user (if a phone or line was ordered for the previous username).
    • For Cisco Unified Communications Manager Express and Cisco Unity Express, enter only alphabetical characters in the First Name and Last Name fields. If you use other types of characters, orders for the user will fail.
    • For Cisco Unified Communications Manager, the combination of characters for First Name and Last Name cannot exceed 30 characters.
    • If a user does not have any associated services, you are prompted to confirm removal of the user.
    • When a service is disassociated from a user, the service is not deleted or disassociated on the device (processor); it is only disassociated within Provisioning.
    • When a subsequent Domain synchronization occurs, depending on the synchronization rules, the user could be created again, and the services could be associated with the user.

    Cross-launching Related Links in CUCM and Unity Connection from User Provisioning

    Prime Collaboration Provisioning allows an administrator to cross-launch Manager configuration and Assistant configuration for a selected user. As an administrator, you can cross-launch Related Links pages for Users, Phones, and Lines from Prime Collaboration Provisioning. When you cross-launch the Manager configuration and Assistant configuration, you can access the UI and perform any operation directly on the server. Using Single Sign-On, you can cross-launch to a few of the applications. See Single Sign-On for Prime Collaboration for details.

    If the Voicemail service is provisioned for the user, the following cross-launch links are available from the Voicemail service: Notification Devices, Alternate Extensions, Greetings, Private Lists.

    Rest your mouse pointer over User Services in the Service Details page (choose Deploy > User Provisioning and select a user), and click the quick view icon to view the Manager configuration and Assistant configuration cross-launch link.

    Managing User Passwords

    You can change a password, reset it to the default, or prompt users to change their password after their initial login to the application. You must have the correct privileges (see Table 1) to manage passwords.

    You can update the following:

    • Provisioning login password
    • Cisco Unified Communications Manager password

      Note


      The Cisco Unified Communications Manager password cannot be modified when the Cisco Unified Communications Manager is configured to use external authentication. Provisioning indicates that the password is updated, even though it is not.


    • Cisco Unified Communications Manager PIN
    • Cisco Unified Communications Manager Express password
    • Cisco Unity Subscriber password
    • Cisco Unity Connection PIN
    • Cisco Unity Connection Web password. When resetting the Cisco Unity Connection Web password, if the new password is not of the required length, the following error occurs: Unity Connection Password: Failed to reset credential: The credential minimum length check failed. Minimum length = 8
    • Unified CM MLPP Password. This password can be changed using the Manage PIN/Password option only when you set the MLPP User Identification Number and MLPP Precedence Authorization Level for User Service (in the Service Provisioning page).

    The password should use a combination of at least three of the following:

    • Uppercase letters
    • Lowercase letters
    • Numbers
    • Special characters

    You can change the password, reset it to the Provisioning system default, or prompt the user to change their password the next time they log in to the application. You can obtain the default values for the user passwords from your Provisioning administrator, Managed Service Provider, or corporate IT department.

    The following rules control the default passwords:

    • DefaultCUPMPassword
    • DefaultCallManagerPassword
    • DefaultCallManagerPIN
    • DefaultCallManagerDigestCredentials
    • DefaultUnitySubscriberPassword
    • DefaultWebAccessPassword

    For more information about rules, see Introduction to Business Rules.


    Note


    After you reset the password of a user, you must inform the user of the default value that is required to change their password.


    To change or reset a password, or to prompt users to change their password the next time they log in to the application:

    Procedure
      Step 1   Open the Manage User page for the desired user (see Adding Users).
      Step 2   Click Manage Passwords.
      Step 3   In the Password Management page, you can select Password, PIN or Digest Credentials to modify. Select the password to be changed from the drop-down list.
      Step 4   Do one of the following:
      • To change password, specify a new password (and confirm), and then click Apply.

      • To set the password to default, click Reset Password.

      • To prompt users to change their password the next time they log in to the application, click Prompt User.

      Step 5   Click Done to confirm.

      The following rules are applicable while creating a password:
      • Password cannot be the same as, or reverse of, the username.
      • Password cannot have a character repeated consecutively more than three times.
      • Password cannot be:
        • Cisco or the reverse.
        • Cisc0 (with zero substituted for o).
        • C!sco (with exclamation mark substituted for i).
        • Ci$co (with dollar sign substituted for s).
        • Any variation of the previous that uses variations in case (uppercase or lowercase).
      • Password must have lowercase, uppercase, special characters, and digits.
      • 8 is the minimum number of characters required (by default, but can be changed).
      • 80 is the maximum number of characters allowed (by default, but can be changed).

      Provisioning stores the password policy properties in a file named passwordpolicy.properties under opt/cupm/sep. You can modify the properties file to change the password policies as required. You must restart Provisioning whenever you modify the password policies.
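
The creation rules listed above can be checked before a password or a candidate default value is entered in the Password Management page. The following Python code is an added example, not Cisco code: the function and rule names are hypothetical, the length limits are passed as parameters rather than read from passwordpolicy.properties, and the comments mark where the page's wording had to be interpreted.

```python
import re

# Literal values the page forbids, compared without regard to case.
FORBIDDEN = {"cisco", "ocsic", "cisc0", "c!sco", "ci$co"}

# Assumption: "repeated consecutively more than three times" is read as
# four or more identical characters in a row.
REPEAT_RUN = re.compile(r"(.)\1{3,}", re.DOTALL)


def check_password(username, password, min_len=8, max_len=80):
    """Return the names of the rules the candidate password violates."""
    problems = []
    if len(password) < min_len:
        problems.append("too_short")
    if len(password) > max_len:
        problems.append("too_long")

    # Assumption: the username comparison ignores case.
    user, pw = username.lower(), password.lower()
    if pw == user or pw == user[::-1]:
        problems.append("matches_username")

    if REPEAT_RUN.search(password):
        problems.append("repeated_character")

    # Only reachable if the configured minimum length is 5 or lower,
    # but the rule is listed on the page, so it is checked regardless.
    if pw in FORBIDDEN:
        problems.append("forbidden_word")

    # Assumption: a special character is any non-alphanumeric character.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    problems.extend("missing_" + name for name, ok in classes.items() if not ok)
    return problems


def audit(candidates, **limits):
    """Map each failing username to its violated rules.

    The report never contains the password itself, so it can be logged.
    """
    report = {}
    for username, password in candidates:
        problems = check_password(username, password, **limits)
        if problems:
            report[username] = problems
    return report


# Constructed sample input: (username, candidate password) pairs.
SAMPLE = [
    ("alice", "Tr1ck-Pony!x"),
    ("bob", "Paaaa1!bc"),
    ("carol", "lorac"),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, ", ".join(problems))
```

If the minimum or maximum length has been changed in passwordpolicy.properties, pass the same values as min_len and max_len.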


      Note


      • Make sure that you adhere to the Assurance password policy for the admin user if you plan to integrate Provisioning with the Assurance server.
      • Provisioning users can use their passwords to log into Call Processors, where they can view and edit the configuration details of the endpoints associated to them.

      Although Cisco Unified Communications Manager Express allows a user to have only one associated endpoint, Provisioning overcomes this limitation, allowing more than one endpoint to be associated to the user.

      In Cisco Unified Communications Manager Express, new users are created with the same username appended with a tilde (~) and sequence index (starting with 1) from the second and subsequent phones (for example, TestUser and TestUser~1). You must use the exact username to view the corresponding endpoint details in the Cisco Unified Communications Manager Express web interface.

      When you change the password value in Provisioning, the password value is changed for all of the corresponding user names in Cisco Unified Communications Manager Express.

      Synchronizing a User

      The data of a user in Provisioning is synchronized with the user data in the Call Processor and Unity Connection. For more information about synchronizing, see Synchronizing Domains.

      When synchronizing users, remember the following:

      • The username and phone number fields may display Unknown for users who were initially created on Cisco Unified Communications Manager Express and then later synchronized to Provisioning. You can update the user information through Provisioning, but be aware that this information will be pushed to the Cisco Unified Communications Manager Express system, and will overwrite any existing information for the user in the ephone description field.
      • If a Cisco Unified Communications Manager Express is the only device present in a Domain and Service Area, during Domain synchronization users are not created in Provisioning if the ephone username command is not configured in Cisco Unified Communications Manager Express. Make sure the ephone username command is configured in Cisco Unified Communications Manager Express for all users.
      • For Cisco Unified Communications Manager Express, when using the button command in ephone configuration mode, make sure you only use a colon (:) as the separator. Provisioning only supports a colon as a separator in the button command. If any other separator is used, Provisioning does not display the line in the User Record Details page. Only the endpoint is displayed.
      Procedure
        Step 1   Choose Deploy > User Provisioning.
        Step 2   From the list of users, mouse over QuickView, and click Synchronize User.
        Note   

        If the Domain contains a large number of users, the synchronization may take several minutes.


        Authorization Roles

        Two types of Provisioning user roles are available: global and domain specific.

        Based on their roles, Provisioning users are authorized to perform various tasks in Provisioning (see the Authorization Roles table). You can create user roles in both standalone Prime Collaboration Provisioning and converged applications. When you integrate a freshly installed Provisioning server (that contains no user data) with the Assurance server, you can create common users for both Assurance and Provisioning, or create Provisioning roles only. When you attach a Provisioning server with existing user data (users and users), then the globaladmin and domain-admin roles are synchronized automatically in the User Management page.

        Note the following:
        • Only globaladmin and domain-admin users created before attaching Provisioning to an Assurance server are synchronized automatically in the converged UI. After synchronization, the globaladmin and domain-admin receive the privileges of an Assurance Helpdesk role. See the Cisco Prime Collaboration 10.0 Assurance Advanced guide for more information.
        • Users other than globaladmin and domain-admin created before attaching Provisioning to an Assurance server are not synchronized (for example, users with Ordering roles, Approval roles, and so on). These users cannot log in to the converged UI.
        • In the converged mode, multi-domain and single-domain users can be created from the User Management page.
        • Activity roles are available in Prime Collaboration Provisioning Advanced only. This menu is not available in Prime Collaboration Provisioning Standard.
        • While creating an order in Prime Collaboration Provisioning Standard, MAC or dummy MAC address is mandatory.
        Table 1 Authorization Roles

        Authorization Role: Description

        Global Roles

        • Administration: Has access to all Provisioning functionality.
        • Maintenance: Authorized to configure system cleanup activities. See Maintenance Mode.

        Roles for Domain

        In the drop-down list, select the Domain for which you are setting the authorization roles. The selected roles only apply to the selected Domain. To apply the same authorization role to all available domains, select Apply to all domains.

        Note   If the administrator selects Apply to all domains, existing roles of the user in all the domains will be overridden with the current selection.

        • Policy: Authorized to view phone button templates, modify user roles, and add or update phone inventory.
        • Infrastructure Configuration Management: Authorized to provision infrastructure configuration objects. When you select this role, you must also select a profile from the Permission Profile box.
        • Permission Profiles: Sets the permissions for which infrastructure configuration object users assigned this authorization role can configure. (For information on setting permissions, see Managing Infrastructure Configuration Permissions.)
        • SelfCare User: Authorized to manage his own services; set up lines, manage services, and configure phone options quickly and easily.

        Note   The SelfCareUser check box is available only if the CreateSelfCareAccounts rule is enabled for the domain.

        Ordering Roles

        Users assigned these roles are allowed to place orders for other users and themselves.

        • Ordering: Authorized to:
          • Add, delete, or update a user within a Domain.
          • Add, delete, or update a user role within a Domain (if the rule for that Domain permits it).
          • Add, delete, or update phones in the inventory within a Domain (if the rule for that Domain permits it).
          • Search and view detailed user information within a Domain.
          • Place an order for a user within a Domain.
        • Advanced Ordering: Authorized to access all the functionality specified by the Ordering role; can also access Advanced Order Options in the Order Entry page.
        • Advanced Assignment: Authorized to access all the functionality specified by the Ordering role, and to assign the MAC address for a phone product at the time of order entry.

        Activity Roles

        Users assigned one of these roles can perform activities assigned to the group during order processing.

        • Approval: Authorized to accept and complete the approval for orders.
        • Assignment: Authorized to accept the user activity for assigning the MAC address.
        • Shipping: Authorized to accept and complete shipping of orders.
        • Receiving: Authorized to accept and complete receiving of orders.

        Editing User Roles


        Note


        Global roles apply system-wide and Domain roles only apply to the Domains the user belongs to.


        Table 1 lists authorization roles that are available in both standalone Prime Collaboration Provisioning and Provisioning in the converged application.

        In both standalone Prime Collaboration Provisioning and converged applications, these authorization roles can be created and managed from the User Management page.

        To manage authorization roles in the converged application:

        Procedure
          Step 1   Choose Administration > User Management.
          Step 2   Select the User Name you want to edit and click Edit.
          Step 3   Save the necessary changes.

          To manage authorization roles in the standalone Prime Collaboration Provisioning application:

          Step 4   Choose Administration > Users and Device Access Management > User Management.
          Step 5   In the Manage User page, click the Chooser icon next to the User ID field.
          Step 6   Click Edit next to the assigned roles field. The Assign User Authorization Roles page appears.
          Tip    To access the Assign User Authorization Roles page, you can also click Manage Authorization Roles.
          Step 7   Select the roles that you want to apply to the user.
          Step 8   Click Update.
          Step 9   Click Done.

          You can use the User Management page to change the following information:

          • User Name
          • User’s First Name.
          • User’s Last Name.
          • User’s email.
          • Global Provisioning Roles (Administration or Maintenance).
          • Provisioning Roles for Domain.

          In converged mode, users created through the Add User feature can use the web client only; they cannot log in to the Assurance and/or Provisioning server through the CLI.

          Managing Infrastructure Configuration Permissions

          Use the Infrastructure Configuration Permission Profiles page to set which infrastructure configuration products a user with the Infrastructure Configuration Management authorization role can configure.

          Creating an Infrastructure Configuration Permission Profile

          Procedure
            Step 1   Choose Administration > Users and Device Access Management > Infrastructure Configuration Permissions.
            Step 2   In the Infrastructure Configuration Permission Profiles page, click Add New.
            Step 3   In the Permission Profile Configuration page, enter a name. Valid values are alphanumeric characters (A-Z, a-z, 0-9), underscore (_), hyphen (-), period (.), space ( ), and at sign (@).
            Step 4   (Optional) Enter a description.
            Step 5   In the Services pane, select the products that you want the profile to be able to configure.
            Step 6   Click Save.

            Updating an Infrastructure Configuration Permission Profile

            Procedure
              Step 1   Choose Administration > Permission Profiles. (In the standalone Prime Collaboration Provisioning application, choose Administration > Users and Device Access Management > Infrastructure Configuration Permissions.)
              Step 2   In the Infrastructure Configuration Permission Profiles page, click the profile that you want to update.
              Step 3   In the Permission Profile Configuration page, make the desired changes.
              Step 4   Click Save.

              Deleting an Infrastructure Configuration Permission Profile

              Procedure
                Step 1   Choose Administration > Permission Profile. (In the standalone Prime Collaboration Provisioning application, choose Administration > Users and Device Access Management > Infrastructure Configuration Permissions.)
                Step 2   In the Infrastructure Configuration Permission Profiles page, click the profile that you want to delete.
                Step 3   In the Permission Profile Configuration page, click Delete.

                Accessing User Records for a User

                To access user records in the standalone Prime Collaboration Provisioning application:

                Procedure
                  Step 1   Choose Deploy > User Provisioning.
                  Step 2   Select the user that you require.
                  Step 3   Click Provision Services.

                  Viewing or Logging out Active Sessions

                  You can view active sessions and log out single or multiple active sessions.

                  Procedure
                    Step 1   In standalone mode, choose Administration > Users and Device Access Management > Logged In Users. In converged mode, choose Reports > Administrative Reports > Who Is Logged On.

                    The Logged In Users page appears, showing the list of active sessions.

                    Step 2   To cancel single or multiple sessions, select the session that you want to end.
                    Step 3   Click Log Out.

                    The selected session and the user are logged out of the server.

                    Note   

                    The Logged In Users and Locked Users can be accessed only by the globaladmin.


                    Using the Global Search Tool

                    You can use the Search tool to:

                    • Locate a User
                    • Locate a MAC Address
                    • Locate a Directory Number

                    To search using the search field at the top of the view pane:

                    Procedure
                      Step 1   Select Provisioning Data from the drop-down list in the top right corner of the Home page.
                      Step 2   Select User ID, Last Name, MAC Address, or Directory Number from the drop-down list available in the search field.
                      Step 3   Enter valid information.
                      Step 4   Press Enter to begin the search. If there is an exact match, you will be taken to the User or endpoint device.