This chapter presents and discusses multilevel administration access concepts. Use the following topics to understand multilevel administration access:
•Multilevel Administration Access
•User Group Access Privileges
•Where to Find More Information
Multilevel Administration Access
Multilevel administration access provides multiple levels of security to Cisco CallManager Administration. This technique permits granting only the required privileges for a selected group of users and limits the configuration functions that users in a particular user group can perform.
Prior to the availability of multilevel administration access, administrators with read/write access to Cisco CallManager configuration could change any or all the database/directory elements that are accessible through Cisco CallManager Administration and Cisco CallManager Serviceability. Users could inadvertently disable the entire system with a few mouse clicks by accidentally modifying the data to which they do not need access.
Cisco CallManager Administration functions are divided into functional groups. Each functional group can be assigned a different access level (no access, read-only access, or full access) for each user group. Multilevel administration access also provides audit logs of user logins and of access to, and modifications of, Cisco CallManager configuration data.
Prior to the availability of multilevel administration access, Cisco CallManager administrators logged in using a local NT administration account. With multilevel administration access, directory user names and passwords stored in Lightweight Directory Access Protocol (LDAP) provide the basis for login authentication. Multilevel administration access creates a predefined super user called the CCMAdministrator.
The Windows registry stores the CCMAdministrator's user ID and encrypted password. Thus, even when the directory is unavailable, CCMAdministrator can log in to take corrective action. When a user attempts direct access by entering a URL in the browser, a login window appears first to authenticate the user.
Note Applications other than Cisco CallManager Administration and Cisco CallManager Serviceability continue to use Windows basic authentication, which provides access to the local administrator. Multilevel administration access does not affect these applications, which include Trace Configuration and the Real-Time Monitoring Tool (RTMT).
A functional group includes a collection of Cisco CallManager system administration functions. All the web pages that compose each functional group belong to a common administrative menu. Two types of functional groups exist: standard functional groups, which are the default functional groups, and custom functional groups. Standard functional groups are created as part of multilevel administration access installation. Users may define custom functional groups.
Note All standard functional groups get created at installation. You cannot modify or delete standard functional groups.
The system creates the following standard functional groups at the time of installation:
For the complete listing of functional groups, see Appendix A, "Standard User Groups and Functional Groups."
A user group comprises a collection of Cisco CallManager users that are grouped together for the purpose of assigning an access privilege level to the members in the user group.
The predefined named user groups have no members assigned to them at install time. The Cisco CallManager super user, or a user with access to user group configuration, should add users to these groups and set the access rights for the user groups. The super user or a user with access to user group configuration can configure additional named user groups as needed.
The following user groups get created at the time of installation:
Note The SuperUserGroup represents a named user group that always has full access permission to all named functional groups. You cannot delete this user group. You can only make additions and deletions of users to this group.
Note CCMAdministrator always represents a super user, even though CCMAdministrator may not be a member of the SuperUserGroup.
Note You can delete standard user groups that are created at installation, except for the SuperUserGroup.
For the complete listing of user groups, see Appendix A, "Standard User Groups and Functional Groups."
User Group Access Privileges
For each user group, one of the following access privilege levels applies to each of the functional groups:
•Access privilege No Access specifies that users in a user group with this privilege defined for a particular functional group can neither view nor change any pages that belong to that functional group.
•Access privilege Read Only specifies that users in a user group with this privilege defined for a particular functional group can only view the pages that belong to that functional group, but cannot modify them. This privilege limits access to pages in the functional group to read operations. Buttons such as Insert, Delete, Update, and Reset appear grayed out to prevent modifications to database and directory data.
•Access privilege Full Access specifies that users in a user group with this privilege defined for a particular functional group can view and change any pages that belong to that functional group. Users with full access privilege can perform operations such as Insert, Delete, Update, and Reset, as well as functions that start or stop a process or service from the administration pages.
Installation assigns access privileges to the standard user groups for the standard functional groups that are created at install time.
Multilevel administration access generates a log with a record of login attempts. The log includes the user name, group name, date, time, and success or failure status of the login session.
A second log records access and change attempts. That is, multilevel administration access generates a record of every attempt to access or modify any directory or database component through Cisco CallManager system administration. Each change record includes the user name, date, time, menu accessed, web page from which the change was made, and the success or failure status of the update.
The log files are located in c:\ciscowebs\MLA\logs, with filenames of the form MLALogxx.log (where xx are numeric digits).
Multilevel administration access uses the following configuration parameters:
•Directory Base
•Debug Level
•Effective Access Privileges for overlapping user groups
•Effective Access Privileges for overlapping functional groups
The Directory Base configuration parameter designates the directory base that multilevel administration access uses.
The Directory Base configuration parameter includes the following default values:
•In DC Directory, the Directory Base parameter is set to ou=MultiLevelAdmin, ou=Admins, <Cisco-base>.
•In Active Directory, the Directory Base parameter is set to ou=MultiLevelAdmin, ou=CCN, <Cisco-base>.
You can change this configuration parameter to make use of the Windows groups that are created in Active Directory.
The Debug Level configuration parameter sets the debug level (None, Trace, or Debug) for MLA debug logs. Set this parameter to None to turn off debugging, to Trace to generate trace information, and to Debug to generate debug information.
The Debug Level configuration parameter specifies a default value of Trace. The debug log files are stored in the directory c:\ciscowebs\MLA\debug.
Effective Access Privileges for Overlapping User Groups
The Effective Access Privileges for overlapping user groups configuration parameter determines the level of user access for users that belong to multiple user groups and have conflicting privileges.
You can set this configuration parameter to the following values:
•Maximum - The effective privilege represents the maximum of the privileges of all the overlapping user groups.
•Minimum - The effective privilege represents the minimum of the privileges of all the overlapping user groups.
The Effective Access Privileges for overlapping user groups configuration parameter specifies the following default value: Maximum.
Effective Access Privileges for Overlapping Functional Groups
The Effective Access Privileges for overlapping functional groups configuration parameter determines the level of user access for Cisco CallManager web pages that belong to multiple functional groups and have conflicting privileges.
You can set this configuration parameter to the following values:
•Maximum - The effective privilege represents the maximum of the privileges of all the overlapping functional groups.
•Minimum - The effective privilege represents the minimum of the privileges of all the overlapping functional groups.
The Effective Access Privileges for overlapping functional groups configuration parameter specifies the following default value: Maximum.
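The following model shows how the two overlap parameters, together with the SuperUserGroup and CCMAdministrator rules described earlier, decide what a user may do on a page. It is an added example, not Cisco code: the privilege names, the Maximum/Minimum policies and the two reserved names come from this chapter, while all other group and page names, the ACL table and the order in which the two parameters are evaluated are assumptions.

```python
from enum import IntEnum

# The three privilege levels named in the chapter, ordered so max()/min() implement Maximum/Minimum.
class Privilege(IntEnum):
    NO_ACCESS = 0
    READ_ONLY = 1
    FULL_ACCESS = 2

SUPER_USER = "CCMAdministrator"      # always a super user, even outside the group
SUPER_USER_GROUP = "SuperUserGroup"  # always Full Access to every functional group

# Constructed sample data: every group and page name except the two above is
# hypothetical. ACL maps (user group, functional group) -> privilege; a pair
# missing from the ACL is treated as No Access (an assumption of this model).
USER_GROUPS = {
    "alice": ["Helpdesk", "PhoneAdmins"],      # overlapping user groups
    "bob": ["Helpdesk"],
    "carol": ["Helpdesk", SUPER_USER_GROUP],
}
PAGE_FUNCTIONAL_GROUPS = {
    "Phone Configuration": ["Phone"],
    "Gateway Phone Page": ["Phone", "Service"],  # overlapping functional groups
}
ACL = {
    ("Helpdesk", "Phone"): Privilege.READ_ONLY,
    ("PhoneAdmins", "Phone"): Privilege.FULL_ACCESS,
    ("Helpdesk", "Service"): Privilege.NO_ACCESS,
}

def combine(privileges, policy):
    """Resolve conflicting privileges under a Maximum or Minimum overlap policy."""
    if policy not in ("Maximum", "Minimum"):
        raise ValueError(f"unknown overlap policy: {policy}")
    return max(privileges) if policy == "Maximum" else min(privileges)

def effective_privilege(user, page, overlap_users="Maximum", overlap_functional="Maximum"):
    """What `user` may do on `page`; both parameters default to Maximum as in the chapter.
    Evaluation order (user groups first, then functional groups) is an assumption;
    the chapter does not state it, and it only matters when the two settings differ.
    """
    groups = USER_GROUPS.get(user, [])
    if user == SUPER_USER or SUPER_USER_GROUP in groups:
        return Privilege.FULL_ACCESS
    fgroups = PAGE_FUNCTIONAL_GROUPS.get(page, [])
    if not groups or not fgroups:
        return Privilege.NO_ACCESS  # unknown user or page: fail closed
    per_fg = [combine([ACL.get((g, fg), Privilege.NO_ACCESS) for g in groups],
                      overlap_users) for fg in fgroups]
    return combine(per_fg, overlap_functional)
```

Switching either parameter from the default Maximum to Minimum is what lets a conservative deployment prevent a Read Only helpdesk membership from being silently widened by a second group membership or a shared page.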
Where to Find More Information
•Installing Multilevel Administration Access, page 2-1
•Multilevel Administration Access Configuration, page 3-1
Additional Cisco Documentation
•Installing Cisco CallManager
•Cisco CallManager System Guide
•Cisco CallManager Administration Guide
•Cisco CallManager Serviceability System Guide
•Cisco CallManager Serviceability Administration Guide