About Access Control Group Setup
The role and access control group menu options in the Cisco Unified Communications Manager (Unified CM) Administration User Management menu allow users with full access to configure different levels of access for Unified CM administrators. Users with full access configure roles, access control groups, and access privileges for roles. In general, full-access users configure the access of other users to Unified CM Administration.
Access control groups comprise lists of application users and end users. A user may belong to multiple access control groups. After you add an access control group, you then add users to an access control group. After these steps, you can assign roles to an access control group. If a user belongs to multiple access control groups, the MLA permission enterprise parameter determines the effective privilege of the user.
Reduced Permissions for Access Control Groups
Problem When you add a new access control group to existing users, the level of privileges for some pre-existing access control groups is unexpectedly reduced.
Solution Users can belong to multiple access control groups. When you add a new access control group to existing users, the current level of privileges for some pre-existing access control groups may be reduced if the new access control group has the "Effective Access Privileges for Overlapping User Groups and Roles" Enterprise parameter set to minimum.
Access privilege reduction can occur inadvertently, for example, during an upgrade of Cisco Unified CM Administration. If the upgrade version supports the Standard RealTimeAndTrace Collection user group, which has the "Effective Access Privileges for Overlapping User Groups and Roles" Enterprise parameter set to minimum, all users are automatically added to that user group during the upgrade. To resolve the permissions issue in this example, you can remove users from the Standard RealTimeAndTrace Collection user group.