Cisco CallManager System Guide, Release 4.0(1)
Multilevel Administration Access

Table Of Contents

Multilevel Administration Access

Key Features

Login Authentication

Functional Groups

User Groups

User Group Access Privileges

Access Logs

MLA Enterprise Parameters

Standard User Groups and Functional Groups

Standard Functional Groups

Standard User Groups

Standard User Group and Functional Group Privilege Mapping

Where to Find More Information


Multilevel Administration Access


Multilevel administration access provides multiple levels of security to Cisco CallManager Administration. This technique permits granting only the required privileges for a selected group of users and limits the configuration functions that users in a particular user group can perform.

Prior to the availability of multilevel administration access, administrators with read/write access to Cisco CallManager configuration could change any or all the database/directory elements that are accessible through Cisco CallManager Administration and Cisco CallManager Serviceability. Users could inadvertently disable the entire system with a few mouse clicks by accidentally modifying the data to which they do not need access.

Use the following topics to understand multilevel administration access:

Key Features

Login Authentication

Functional Groups

User Groups

User Group Access Privileges

Access Logs

MLA Enterprise Parameters

Standard User Groups and Functional Groups

Where to Find More Information

Key Features

Multilevel administration access provides multiple levels of security to Cisco CallManager Administration. Cisco CallManager Administration functions comprise functional groups. Each functional group can have different access levels, such as no access, read-only access, and full access, to different user groups. Multilevel administration access also provides audit logs of user logins and access and modifications to Cisco CallManager configuration data.

Login Authentication

Prior to the availability of multilevel administration access, Cisco CallManager administrators logged in using a local NT administration account. With multilevel administration access, directory user names and passwords stored in Lightweight Directory Access Protocol (LDAP) provide the basis for login authentication. Multilevel administration access creates a predefined super user called the CCMAdministrator.

The windows registry stores the CCMAdministrator's user ID and encrypted password. Thus, even when the directory is unavailable, CCMAdministrator can log in to take corrective action. When the user attempts direct access by entering a URL in the browser, a login window displays first to authenticate a user.


Note MLA provides authentication for Cisco CallManager (CCM) Administration, CCM Serviceability, CCM Trace Analysis, CCM Trace Collection Tool, Real Time Monitoring Tool (RTMT), Admin Serviceability Tool (AST), and Serviceability SOAP applications. If MLA is enabled, login works only for the CCMAdministrator.



Note or any other LDAP user belonging to a MLA usergroup.After upgrade to Cisco CallManager 4.0(x) from either Cisco CallManager 3.3(x) or Cisco CallManager 3.2(x) with multilevel administration access enabled, the password for the super user CCMAdministrator is reset. At the end of the upgrade, a message box displays the new CCMAdministrator password. Use this password and change it to a unique value.

If installation of Cisco CallManager 4.0(x) is an upgrade of a previous version for which MLA was not enabled, change the Enable MultiLevelAdmin enterprise parameter to enable multilevel administration access. Refer to "Enable MultiLevelAdmin" in the "MLA Enterprise Parameters" section.


Functional Groups

A functional group includes a collection of Cisco CallManager system administration functions. All the web pages that compose each functional group belong to a common administrative menu. Two types of functional groups exist: standard functional groups, which are the default functional groups, and custom functional groups. Standard functional groups are created as part of multilevel administration access installation. Users may define custom functional groups.


Note All standard functional groups get created at installation. You cannot modify or delete standard functional groups.


The system creates the following standard functional groups at the time of installation:

Standard System

Standard RoutePlan

Standard Service Management

Standard Feature

For the complete listing of functional groups, see the "Standard User Groups and Functional Groups" section.

User Groups

A user group comprises a collection of Cisco CallManager users that are grouped together for the purpose of assigning an access privilege level to the members in the user group.

Various named user groups that are predefined have no members assigned to them at install time. The Cisco CallManager super user or a user with access to user group configuration should add users to these groups and set the access rights for the user groups. The super user or a user with access to user group configuration can configure additional named user groups as needed.

The following user groups get created at the time of installation:

SuperUserGroup

ReadOnly

PhoneAdministration

GatewayAdministration


Note The SuperUserGroup represents a named user group that always has full access permission to all named functional groups. You cannot delete this user group. You can only make additions and deletions of users to this group.



Note CCMAdministrator always represents a super user, even though CCMAdministrator is not a member of the SuperUserGroup.



Note You can delete standard user groups that are created at installation, except for the SuperUserGroup.


For the complete listing of user groups, see the "Standard User Groups and Functional Groups" section.

User Group Access Privileges

One of the following access privileges applies to named user groups for access to the functional groups:

No Access

Read Only

Full Access

For each user group, one of these privilege levels applies for access to each of the functional groups. The access privileges specify the following privileges:

Access privilege No Access specifies that users in a user group with this privilege defined for a particular functional group can neither view nor change any pages that belong to that functional group. No access exists to pages in a functional group for which a user has access privilege No Access.

Access privilege Read Only specifies that users in a user group with this privilege defined for a particular functional group can only view the pages that belong to that functional group, but cannot modify these pages. Access privilege Read Only limits access to pages in a functional group to read operations. Buttons such as Insert, Delete, Update, and Reset appear as grayed out to prevent modifications to database and directory data.

Access privilege Full Access specifies that users in a user group with this privilege defined for a particular functional group can view and change any pages that belong to that functional group. Users with full access privilege can perform operations such as Insert, Delete, Update and Reset, as well as executive functions that can start or stop a process or service from the Cisco CallManager Administration and Serviceability pages.

Install assigns default access privileges to the user groups for the functional groups that are created at install time.

Access Logs

Multilevel administration access generates a log with a record of login attempts. The log includes the user name, group name, date, time, and success or failure status of the login session.

The log also contains a file report of access/change attempts. That is, multilevel administration access generates a record of attempts to access or modify any directory or database component through the Cisco CallManager system administration. The change record includes the user name, date, time, menu accessed, web page from which the change was made, and the success or failure status of the update.

Find the log file under the Log directory in c:\Program Files\Cisco\Trace\MLA, filename Accessxx.log (where xx are numeric digits).

Additional data is stored in the ISAPI permission logs. Filenames are ISAPIFilter**.exe and Permissions**.exe.

MLA Enterprise Parameters

Multilevel administration access uses the following enterprise parameters:

User Group Base

Administrative User Base

Debug Level

Effective Access Privileges For Overlapping User Groups

Effective Access Privileges For Overlapping Functional Groups

Enable MultiLevelAdmin

User Group Base

The User Group Base enterprise parameter designates the user group base that multilevel administration access uses.

The User Group Base enterprise parameter includes the following default values:

In DC Directory, User Group Base parameter is set to ou=MultiLevelAdmin, ou=Admins, <Cisco-base>.

In Netscape Directory, User Group Base parameter is set to ou=MultiLevelAdmin, ou=CCN, <Cisco-base>.

In Active Directory, User Group Base parameter is set to ou=MultiLevelAdmin, <Cisco-base>.

You can change this enterprise parameter to make use of the windows groups that are created in Active Directory.

Administrative User Base

The Administrative User Base enterprise parameter designates the administrative user base that multilevel administration access uses.

The Administrative User Base enterprise parameter is set, by default, to the enterprise user base found in the system profile.You can change this enterprise parameter to make use of the windows groups that are created in Active Directory.

Debug Level

The Debug Level enterprise parameter designates a value that is used to set debug level (None, Trace, or Debug) for MLA debug logs. Set this parameter to None to turn off debug, to Trace to generate trace information, and to Debug to generate debug information.

The Debug Level enterprise parameter specifies a default value of Trace. The debug log files are stored in the directory c:\Program Files\Cisco\Trace\MLA in filename DirAndUI**.log.

Effective Access Privileges for Overlapping User Groups

The Effective Access Privileges For Overlapping User Groups enterprise parameter determines the level of user access for users that belong to multiple user groups and have conflicting privileges.

You can set this enterprise parameter to the following values:

Maximum—The effective privilege represents the maximum of the privileges of all the overlapping user groups.

Minimum—The effective privilege represents the minimum of the privileges of all the overlapping user groups.

The Effective Access Privileges For Overlapping User Groups enterprise parameter specifies the following default value: Maximum.

Effective Access Privileges for Overlapping Functional Groups

The Effective Access Privileges For Overlapping Functional Groups enterprise parameter determines the level of user access for Cisco CallManager web pages that belong to multiple functional groups and have conflicting privileges.

You can set this enterprise parameter to the following values:

Maximum—The effective privilege represents the maximum of the privileges of all the overlapping functional groups.

Minimum—The effective privilege represents the minimum of the privileges of all the overlapping functional groups.

The Effective Access Privileges For Overlapping Functional Groups enterprise parameter specifies the following default value: Maximum.

Enable MultiLevelAdmin

The Enable MultiLevelAdmin enterprise parameter designates whether multilevel administration access is enabled.

You can set this enterprise parameter to the following values:

True—Multilevel administration access is enabled.

False—Multilevel administration access is disabled.

The Enable MultiLevelAdmin enterprise parameter specifies the following default value: False.

When the Enable MultiLevelAdmin enterprise parameter value is modified, the CCMAdministrator must perform the following steps to act on the modified value:

1. Go to Start > Programs > Administrative Tools > Services.

2. Select and right-click the Worldwide Web Publishing service.

3. Select Stop, then select Start.

Standard User Groups and Functional Groups

This section provides the complete list of standard user groups and standard functional groups that become available when you enable Cisco CallManager multilevel administration access. This section comprises the following topics:

Standard Functional Groups

Standard User Groups

Standard User Group and Functional Group Privilege Mapping

Standard Functional Groups

Cisco CallManager multilevel administration access creates standard functional groups. The following functional groups comprise the standard functional groups:

Standard Plugin

Standard User Privilege Management

Standard User Management

Standard Feature

Standard System

Standard Service Management

Standard Service

Standard Serviceability

Standard Gateway

Standard RoutePlan

Standard Phone

Standard User Groups

Cisco CallManager multilevel administration access creates standard user groups at installation. The following user groups comprise the standard user groups:

SuperUserGroup

ReadOnly

PhoneAdministration

GatewayAdministration

ServerMonitoring

ServerMaintenance

Standard User Group and Functional Group Privilege Mapping

Table 4-1 provides the default mapping of privileges for the standard user groups and functional groups.

Table 4-1 Standard User/Functional Group Mapping 

User Group
Functional Group
Permission

GatewayAdministration

Standard Feature

Read Only

Standard Gateway

Full Access

Standard Phone

Read Only

Standard Plugin

Ready Only

Standard RoutePlan

Full Access

Standard Service

Read Only

Standard Service Management

Read Only

Standard Serviceability

Read Only

Standard System

Read Only

Standard User Management

Read Only

Standard User Privilege Management

Read Only

PhoneAdministration

Standard Feature

Read Only

Standard Gateway

Read Only

Standard Phone

Full Access

Standard Plugin

Read Only

Standard RoutePlan

Read Only

Standard Service

Read Only

Standard Service Management

No Access

Standard Serviceability

Read Only

Standard System

No Access

Standard User Management

Full Access

Standard User Privilege Management

Read Only

ReadOnly

Standard Feature

Read Only

Standard Gateway

Read Only

Standard Phone

Read Only

Standard Plugin

Read Only

Standard RoutePlan

Read Only

Standard Service

Read Only

Standard Service Management

Read Only

Standard Serviceability

Read Only

Standard System

Read Only

Standard User Management

Read Only

Standard User Privilege Management

Read Only

ServerMaintenance

Standard Feature

Full Access

Standard Gateway

Read Only

Standard Phone

Read Only

Standard Plugin

Full Access

Standard RoutePlan

Read Only

Standard Service

Full Access

Standard Service Management

Full Access

Standard Serviceability

Read Only

Standard System

Full Access

Standard User Management

Read Only

Standard User Privilege Management

Full Access

ServerMonitoring

Standard Feature

Read Only

Standard Gateway

Read Only

Standard Phone

Read Only

Standard Plugin

Read Only

Standard RoutePlan

Read Only

Standard Service

Read Only

Standard Service Management

Read Only

Standard Serviceability

Full Access

Standard System

Read Only

Standard User Management

Read Only

Standard User Privilege Management

Read Only

SuperUserGroup

Standard Feature

Full Access

Standard Gateway

Full Access

Standard Phone

Full Access

Standard Plugin

Full Access

Standard RoutePlan

Full Access

Standard Service

Full Access

Standard Service Management

Full Access

Standard Serviceability

Full Access

Standard System

Full Access

Standard User Management

Full Access

Standard User Privilege Management

Read Only


Where to Find More Information

Related Topic

Multilevel Administration Access Configuration, Cisco CallManager Administration Guide

Additional Cisco Documentation

Installing Cisco CallManager

Cisco CallManager Administration Guide

Cisco CallManager Serviceability System Guide

Cisco CallManager Serviceability Administration Guide