Cisco Unified CallManager System Guide, Release 4.2(3)
Multilevel Administration
Downloads: This chapterpdf (PDF - 235.0KB) The complete bookPDF (PDF - 5.08MB) | Feedback

Multilevel Administration

Table Of Contents

Multilevel Administration

Key Features

Login Authentication

Functional Groups

User Groups

User Group Access Privileges

Access Logs

Failed Login Attempts

MLA Enterprise Parameters

Standard User Groups and Functional Groups

Standard Functional Groups

Standard User Groups

Standard User Group and Functional Group Privilege Mapping

Where to Find More Information


Multilevel Administration


Multilevel Administration (MLA) provides multiple levels of security to Cisco Unified CallManager Administration. This technique permits granting only the required privileges for a selected group of users and limits the configuration functions that users in a particular user group can perform.

Prior to the availability of MLA, administrators with read/write access to Cisco Unified CallManager configuration could change any or all the database/directory elements that are accessible through Cisco Unified CallManager Administration and Cisco Unified CallManager Serviceability. Users could inadvertently disable the entire system with a few mouse clicks by accidentally modifying the data to which they do not need access.

Use the following topics to understand MLA:

Key Features

Login Authentication

Functional Groups

User Groups

User Group Access Privileges

Access Logs

Failed Login Attempts

MLA Enterprise Parameters

Standard User Groups and Functional Groups

Where to Find More Information

Key Features

MLA provides multiple levels of security to Cisco Unified CallManager Administration. Cisco Unified CallManager Administration functions comprise functional groups. Each functional group can have different access levels, such as no access, read-only access, and full access, to different user groups. MLA also provides audit logs of user logins and access and modifications to Cisco Unified CallManager configuration data.

Login Authentication

Prior to the availability of MLA, Cisco Unified CallManager administrators logged in by using a local NT administration account. With MLA, directory user names and passwords that are stored in Lightweight Directory Access Protocol (LDAP) provide the basis for login authentication. MLA creates a predefined super user called the CCMAdministrator.

The windows registry stores the CCMAdministrator user ID and encrypted password. Thus, even when the directory is unavailable, CCMAdministrator can log in to take corrective action. When the user attempts direct access by entering a URL in the browser, a login window displays first to authenticate a user.


Note MLA provides authentication for Cisco Unified CallManager Administration, Cisco Unified CallManager Serviceability, Cisco Unified CallManager Trace Analysis, Cisco Unified CallManager Trace Collection Tool, Real-Time Monitoring Tool (RTMT), and Serviceability SOAP applications. If MLA is enabled, login works only for the CCMAdministrator.



Note After upgrade to Cisco Unified CallManager 4.2(x) from either Cisco CallManager 3.3(x) or Cisco CallManager 3.2(x) with MLA enabled, the password for the super user CCMAdministrator gets reset. At the end of the upgrade, a message box displays the new CCMAdministrator password. Use this password and change it to a unique value.


If your installation of Cisco Unified CallManager is an upgrade of an earlier version in which MLA was not enabled, change the Enable MultiLevelAdmin enterprise parameter to enable MLA. Refer to "Enable MultiLevelAdmin" in the "MLA Enterprise Parameters" section.

Functional Groups

A functional group includes a collection of Cisco Unified CallManager system administration functions. A common administrative menu includes each functional group. Two types of functional group exist: standard functional groups, which are the default functional groups, and custom functional groups. Standard functional groups get created as part of MLA installation. Users may define custom functional groups.


Note All standard functional groups get created at installation. You cannot modify or delete standard functional groups.


The system creates the following standard functional groups at the time of installation:

Standard System

Standard RoutePlan

Standard Service Management

Standard Feature

For the complete listing of functional groups, see the "Standard User Groups and Functional Groups" section.

User Groups

A user group comprises a collection of Cisco Unified CallManager users that are grouped together for the purpose of assigning an access privilege level to the members in the user group.

Various named user groups that are predefined have no members assigned to them at install time. The Cisco Unified CallManager super user or a user with access to user group configuration should add users to these groups and set the access rights for the user groups. The super user or a user with access to user group configuration can configure additional named user groups as needed.

The following user groups get created at the time of installation:

SuperUserGroup

ReadOnly

PhoneAdministration

GatewayAdministration


Note The SuperUserGroup represents a named user group that always has full access permission to all named functional groups. You cannot delete this user group. You can only make additions and deletions of users to this group.



Note CCMAdministrator always represents a super user, even though CCMAdministrator is not a member of the SuperUserGroup.



Note You can delete standard user groups that are created at installation, except for the SuperUserGroup.


For the complete listing of user groups, see the "Standard User Groups and Functional Groups" section.

User Group Access Privileges

One of the following access privileges applies to named user groups for access to the functional groups:

No Access

Read Only

Full Access

For each user group, one of these privilege levels applies for access to each of the functional groups. The access privileges specify the following privileges:

Access privilege No Access specifies that users in a user group with this privilege defined for a particular functional group can neither view nor change any windows that belong to that functional group. No access exists to windows in a functional group for which a user has access privilege No Access.

Access privilege Read Only specifies that users in a user group with this privilege defined for a particular functional group can only view the windows that belong to that functional group but cannot modify these windows. Access privilege Read Only limits access to windows in a functional group to read operations. Buttons such as Insert, Delete, Update, and Reset appear as grayed out to prevent modifications to database and directory data.

Access privilege Full Access specifies that users in a user group with this privilege defined for a particular functional group can view and change any windows that belong to that functional group. Users with full access privilege can perform operations such as Insert, Delete, Update and Reset, as well as executive functions that can start or stop a process or service from Cisco Unified CallManager Administration and Serviceability.

Install assigns default access privileges to the user groups for the functional groups that are created at install time.

Access Logs

MLA generates a log with a record of login attempts. The log includes the user name, group name, date, time, and success or failure status of the login session.

The log also contains a file report of access/change attempts. That is, MLA generates a record of attempts to access or modify any directory or database component through Cisco Unified CallManager Administration. The change record includes the user name, date, time, menu accessed, window from which the change was made, and the success or failure status of the update.

Find the log file under the Log directory in c:\Program Files\Cisco\Trace\MLA, filename Accessxx.log (where xx are numeric digits).

The ISAPI permission logs store additional data. Filenames include ISAPIFilter*.txt and Permissions*.txt, where * represents the trace file number.

Failed Login Attempts

The Cisco CallManager service generates an alarm when a login attempt to the Multilevel Administration component fails.

The MLAUserLoginFailed Alarm gets sent to the Real-time Information System (RIS), to the Syslog, and to the Windows 2000 Event Log.

You can use the Real-time Monitoring Tool (RTMT) to configure a corresponding clusterwide MLAUserLoginFailed alert, which can include e-mail notification.

Refer to the Cisco Unified CallManager Serviceability Administration Guide for a discussion of the MLAAlarmCatalog, an alarm definition catalog that contains the MLAUserLoginFailed alarm.

MLA Enterprise Parameters

MLA uses the following enterprise parameters:

User Group Base

Administrative User Base

Debug Level

Effective Access Privileges For Overlapping User Groups

Effective Access Privileges For Overlapping Functional Groups

Enable MultiLevelAdmin

User Cache Flush Timeout (Minutes)

User Group Base

The User Group Base enterprise parameter designates the user group base that MLA uses.

The User Group Base enterprise parameter includes the following default values:

In DC Directory, User Group Base parameter is set to ou=MultiLevelAdmin, ou=Admins, <Cisco-base>.

In Netscape Directory, User Group Base parameter is set to ou=MultiLevelAdmin, ou=CCN, <Cisco-base>.

In Active Directory, User Group Base parameter is set to ou=MultiLevelAdmin, <Cisco-base>.

You can change this enterprise parameter to make use of the windows groups that are created in Active Directory.

Administrative User Base

The Administrative User Base enterprise parameter designates the administrative user base that MLA uses.

The Administrative User Base enterprise parameter gets set, by default, to the enterprise user base that is found in the system profile.You can change this enterprise parameter to make use of the windows groups that are created in Active Directory.

Debug Level

The Debug Level enterprise parameter designates a value that is used to set debug level (None, Trace, or Debug) for MLA debug logs. Set this parameter to None to turn off debug, to Trace to generate trace information, and to Debug to generate debug information.

The Debug Level enterprise parameter specifies a default value of Trace. The directory c:\Program Files\Cisco\Trace\MLA stores the debug log files in filename DirAndUI**.log.

Effective Access Privileges for Overlapping User Groups

The Effective Access Privileges For Overlapping User Groups enterprise parameter determines the level of user access for users that belong to multiple user groups and have conflicting privileges.

You can set this enterprise parameter to the following values:

Maximum—The effective privilege represents the maximum of the privileges of all the overlapping user groups.

Minimum—The effective privilege represents the minimum of the privileges of all the overlapping user groups.

The Effective Access Privileges For Overlapping User Groups enterprise parameter specifies the following default value: Maximum.

Effective Access Privileges for Overlapping Functional Groups

The Effective Access Privileges For Overlapping Functional Groups enterprise parameter determines the level of user access for Cisco Unified CallManager windows that belong to multiple functional groups and have conflicting privileges.

You can set this enterprise parameter to the following values:

Maximum—The effective privilege represents the maximum of the privileges of all the overlapping functional groups.

Minimum—The effective privilege represents the minimum of the privileges of all the overlapping functional groups.

The Effective Access Privileges For Overlapping Functional Groups enterprise parameter specifies the following default value: Maximum.

Enable MultiLevelAdmin

The Enable MultiLevelAdmin enterprise parameter designates whether MLA is enabled.

You can set this enterprise parameter to the following values:

True—MLA is enabled.

False—MLA is disabled.

The Enable MultiLevelAdmin enterprise parameter specifies the following default value: False.

If True is selected, enter a new password at the prompt "New password for CCMAdministrator" and reenter the password at the prompt "Confirm password for CCMAdministrator."

When the Enable MultiLevelAdmin enterprise parameter value is modified, the CCMAdministrator must perform the following steps to act on the modified value:

1. Go to Start > Programs > Administrative Tools > Services.

2. Select and right-click the Worldwide Web Publishing service.

3. Click Stop; then, click Start.

User Cache Flush Timeout (Minutes)

The User Cache Flush Timeout enterprise parameter designates the interval (in minutes) between flushes of the MLA cache that contains user credentials. Every time that MLA flushes the cache, it synchronizes itself with the latest user credentials information from the integrated enterprise directory server.

The higher the value of this parameter, the greater the possibility that credentials of a user changed (in the enterprise directory) since the last flush and no longer match the cached values. This means that a user can be authenticated based on cached credentials when, in fact, authentication should have been denied.

The lower the value of this parameter, the higher the potential for performance degradation in outside polling applications such as the Real-Time Monitoring Tool (RTMT).

An appropriate value for this parameter minimizes the security risk while maintaining an acceptable performance level for polling applications.

You can set this enterprise parameter to any of the following values:

No Caching

5

10

20

30

45

60

The User Cache Flush Timeout enterprise parameter specifies the default value of 5 minutes.

Standard User Groups and Functional Groups

This section provides the complete list of standard user groups and standard functional groups that become available when you enable Cisco Unified CallManager MLA. This section comprises the following topics:

Standard Functional Groups

Standard User Groups

Standard User Group and Functional Group Privilege Mapping

Standard Functional Groups

Cisco Unified CallManager MLA creates standard functional groups. The following functional groups comprise the standard functional groups:

Standard Plugin

Standard User Privilege Management

Standard User Management

Standard Feature

Standard System

Standard Service Management

Standard Service

Standard Serviceability

Standard Gateway

Standard RoutePlan

Standard Phone

Standard User Groups

Cisco Unified CallManager MLA creates standard user groups at installation. The following user groups comprise the standard user groups:

SuperUserGroup

ReadOnly

PhoneAdministration

GatewayAdministration

ServerMonitoring

ServerMaintenance

Standard User Group and Functional Group Privilege Mapping

Table 4-1 provides the default mapping of privileges for the standard user groups and functional groups.

Table 4-1 Standard User/Functional Group Mapping 

User Group
Functional Group
Permission

GatewayAdministration

Standard Feature

Read Only

Standard Gateway

Full Access

Standard Phone

Read Only

Standard Plugin

Read Only

Standard RoutePlan

Full Access

Standard Service

Read Only

Standard Service Management

Read Only

Standard Serviceability

Read Only

Standard System

Read Only

Standard User Management

Read Only

Standard User Privilege Management

Read Only

PhoneAdministration

Standard Feature

Read Only

Standard Gateway

Read Only

Standard Phone

Full Access

Standard Plugin

Read Only

Standard RoutePlan

Read Only

Standard Service

Read Only

Standard Service Management

No Access

Standard Serviceability

Read Only

Standard System

No Access

Standard User Management

Full Access

Standard User Privilege Management

Read Only

ReadOnly

Standard Feature

Read Only

Standard Gateway

Read Only

Standard Phone

Read Only

Standard Plugin

Read Only

Standard RoutePlan

Read Only

Standard Service

Read Only

Standard Service Management

Read Only

Standard Serviceability

Read Only

Standard System

Read Only

Standard User Management

Read Only

Standard User Privilege Management

Read Only

ServerMaintenance

Standard Feature

Full Access

Standard Gateway

Read Only

Standard Phone

Read Only

Standard Plugin

Full Access

Standard RoutePlan

Read Only

Standard Service

Full Access

Standard Service Management

Full Access

Standard Serviceability

Read Only

Standard System

Full Access

Standard User Management

Read Only

Standard User Privilege Management

Full Access

ServerMonitoring

Standard Feature

Read Only

Standard Gateway

Read Only

Standard Phone

Read Only

Standard Plugin

Read Only

Standard RoutePlan

Read Only

Standard Service

Read Only

Standard Service Management

Read Only

Standard Serviceability

Full Access

Standard System

Read Only

Standard User Management

Read Only

Standard User Privilege Management

Read Only

SuperUserGroup

Standard Feature

Full Access

Standard Gateway

Full Access

Standard Phone

Full Access

Standard Plugin

Full Access

Standard RoutePlan

Full Access

Standard Service

Full Access

Standard Service Management

Full Access

Standard Serviceability

Full Access

Standard System

Full Access

Standard User Management

Full Access

Standard User Privilege Management

Read Only


Where to Find More Information

Related Topic

Multilevel Administration Configuration, Cisco Unified CallManager Administration Guide

Additional Cisco Documentation

Installing Cisco Unified CallManager

Cisco Unified CallManager Administration Guide

Cisco Unified CallManager Serviceability System Guide

Cisco Unified CallManager Serviceability Administration Guide