This chapter provides information about roles and user groups. Cisco Unified Communications Manager Administration uses roles and user groups to provide varying levels of privilege (access). This technique permits granting only the required privileges for a selected group of users and limits the configuration functions that users in a particular user group can perform.
Roles and user groups provide multiple levels of security to Cisco Unified Communications Manager Administration and to other applications. The system groups the resources that are available to Cisco Unified Communications Manager Administration and to other applications into roles. Each application comes with standard, predefined roles. Each application defines its own access privilege for Cisco Unified Communications Manager Administration.
Administrators can configure additional roles for an application. A role contains, for a particular application, the list of resources that an application comprises. For each resource that a role comprises, the administrator defines the access privilege. For the Cisco Unified Communications Manager Administration application, the access privileges include read and update. Other applications specify their own access privileges.
Because Cisco Unified Communications Manager allows administrators to manage user groups, roles, and resources, no guarantee exists that a particular user group or role goes unchanged or that administrators will use the predefined user groups or roles.
The system groups the resources that are available to Cisco Unified Communications Manager Administration and to other applications into roles. A role includes a collection of resources for an application, such as Cisco Unified Communications Manager Administration. The following types of roles exist:
Custom roles: Administrator-defined roles that you configure in Cisco Unified Communications Manager Administration after a Cisco Unified Communications Manager installation; for example, a help desk role.
Standard roles: Default roles that get created automatically with Cisco Unified Communications Manager installation; you cannot modify or delete standard roles, but you can copy them to create custom roles, which allows you to modify them for your preferences. (See the table below for the list of standard roles and the privileges/resources that the role provides.)
Each role contains a group of resources, with privileges assigned to each resource. For most applications with graphical user interfaces, such as Cisco Unified Communications Manager Administration, privileges allow you to perform tasks, such as viewing or updating data, in a specific window or a group of related windows, which are defined as resources in the Role Configuration window. For example, for the Standard CCM Feature Management role, you can view and configure message waiting in the Message Waiting Configuration window in Cisco Unified Communications Manager Administration. For each role that is associated with Cisco Unified Communications Manager Administration, the specified privilege allows a certain level of access to each of the resources (windows). For example, privileges specify the following access in Cisco Unified Communications Manager Administration:
Read: Allows users in a user group to view data in specific windows (defined as resources), but the user(s) cannot modify data in the window. Buttons such as Insert, Delete, Update, and Reset do not display.
Update: Allows users in a user group to view and modify data in certain windows (defined as resources for the role). Users with the update privilege can perform operations such as Insert, Delete, Update, and Reset.
Other applications, such as CTI applications, specify their own access privileges and do not use the read and update privileges or a common list of resources (which are configuration windows in most cases); for example, the Standard CTI Allow Call Recording role allows CTI devices/CTI applications to record calls, and the Standard EM Authentication Proxy Rights manages Cisco Extension Mobility authentication rights for application users that interact with Cisco Extension Mobility.
The following table lists the standard roles, the application(s) that the roles support, the privileges (resources) for the roles, and the standard user groups that are automatically associated with the standard roles.
Caution: For a role, supported privileges are checked in the Role Configuration window. For standard roles, you cannot change the configuration, but if you want to do so, you can copy a standard role to configure a custom role, which you can modify to your preferences.
After configuration of custom roles, you can configure user groups, which are a collection of Cisco Unified Communications Manager application users and end users that get grouped together for the purpose of assigning a common list of roles to the members in the user group. Like standard roles, standard user groups get created at installation, and you cannot delete these user groups; you can only add or delete application or end users from standard user groups.
Standard user groups in Cisco Unified Communications Manager Administration provide a predefined set of roles and permissions for various functions. Administrators can manage user groups, roles, and permissions to control the level of access (and, therefore, the level of security) for system users.
Various named user groups that are predefined have no members that are assigned to them at install time. The Cisco Unified Communications Manager super user or a user with access to user group configuration should add users to these groups. The super user or a user with access to user group configuration can configure additional named user groups as needed.
Note: The Standard CCM Super Users user group represents a named user group that always has full access permission to all named roles. You cannot delete this user group. You can only make additions and deletions of users to this group.
Note: CCMAdministrator always represents a super user.
Certain user groups and roles exhibit limitations that administrators need to recognize. For example, you can modify the Standard EM Authentication Proxy Rights user group by adding both application users and end users. Because authentication by proxy is intended for use by applications, end users that get added to this user group cannot authenticate by proxy.
The log contains a file report of access/change attempts. That is, Cisco Unified Communications Manager Administration generates a record of attempts to access or modify any directory or database component through Cisco Unified Communications Manager Administration. The change record includes the user name, date, time, window from which the change was made, and the success or failure status of the update.
Roles and user groups use the Effective Access Privileges For Overlapping User Groups and Roles enterprise parameter.
The Effective Access Privileges For Overlapping User Groups and Roles enterprise parameter determines the level of user access for users that belong to multiple user groups and have conflicting privileges.
You can set this enterprise parameter to the following values:
Maximum: The effective privilege represents the maximum of the privileges of all the overlapping user groups.
Minimum: The effective privilege represents the minimum of the privileges of all the overlapping user groups.
The default value of the Effective Access Privileges For Overlapping User Groups and Roles enterprise parameter is Maximum.
Note: This enterprise parameter does not affect the privileges for the members of the Standard CCM Super Users user group.
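The following added example (not Cisco code and not part of the original documentation) models how the Maximum and Minimum settings resolve conflicting read and update privileges for a user in two user groups, and lists the resources where Maximum grants more than Minimum would. The role, group and resource data are constructed; the Read Only role and the Help Desk Group and Auditors user groups are hypothetical, and treating a resource that only one group grants as having a single privilege to compare is an assumption of the example.

```python
# Added example: constructed data, not Cisco code or real CUCM configuration.
from enum import IntEnum

class Priv(IntEnum):
    READ = 1     # view only
    UPDATE = 2   # view and modify, so it ranks above READ

SUPER_USERS = "Standard CCM Super Users"

# role -> {resource (window): privilege}. "Read Only" is hypothetical.
ROLES = {
    "Help Desk": {"Phone Configuration": Priv.UPDATE,
                  "End User Configuration": Priv.UPDATE},
    "Read Only": {"Phone Configuration": Priv.READ,
                  "End User Configuration": Priv.READ,
                  "Message Waiting Configuration": Priv.READ},
}
# user group -> roles. Both custom group names are hypothetical.
GROUPS = {"Help Desk Group": ["Help Desk"],
          "Auditors": ["Read Only"],
          SUPER_USERS: []}

def effective(user_groups, mode):
    """Per-resource privilege for a user in several groups.

    mode is "Maximum" or "Minimum", the two values of the enterprise parameter.
    """
    pick = {"Maximum": max, "Minimum": min}[mode]
    if SUPER_USERS in user_groups:
        # The parameter does not affect this group; full access is modeled
        # here as UPDATE on every resource in the constructed data.
        return {res: Priv.UPDATE for role in ROLES.values() for res in role}
    grants = {}
    for group in user_groups:
        for role in GROUPS[group]:
            for res, priv in ROLES[role].items():
                grants.setdefault(res, []).append(priv)
    # Assumption: only groups that grant something on a resource overlap on it.
    return {res: pick(privs) for res, privs in grants.items()}

def widened_by_maximum(user_groups):
    """Resources where Maximum grants more than Minimum (review candidates)."""
    hi = effective(user_groups, "Maximum")
    lo = effective(user_groups, "Minimum")
    return sorted(res for res in hi if hi[res] > lo[res])
```

Running widened_by_maximum over each user's group memberships shows which accounts gain update access only because the parameter is left at Maximum.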
Some companies want their help desk personnel to have privileges to be able to perform certain tasks, such as adding a phone, adding an end user, or adding an end user to a user group in Cisco Unified Communications Manager Administration.
Performing the steps in the following example allows help desk personnel to add a phone, add an end user, and add the end user to the Standard CCM End Users user group, which allows an end user to access and update the Cisco Unified Communications Self Care Portal.
Example: Allows Help Desk Personnel to Add Phone, Add End User, and Add End User to User Group
Step 1: In Cisco Unified Communications Manager Administration, choose .
Step 2: Click Add New.
Step 3: From the Application drop-down list box, choose Cisco Call Manager Administration; then, click Next.
Step 4: In the Name field, enter the name of the role; for example, Help Desk.
Step 5: In the Description field, enter a short description; for example, for adding phones and users.
Step 6: Choose one of the following options, which depends on where you want the help desk personnel to perform the task:
Step 7: By performing the following tasks, create a custom user group for the help desk:
In Cisco Unified Communications Manager Administration, the help desk personnel can add the phone, add the user, and add the end user to the user group.