User Access Overview
You can manage user access to Cisco Unified Communications Manager by assigning the following items to your end users:
Access Control Groups
Roles, access control groups and user rank controls provide multiple levels of security to Cisco Unified Communications Manager. Each role defines a set of permissions for a specific resource within Cisco Unified Communications Manager. When you assign a role to an access control group and then assign end users to that access control group, you grant those end users all the access permissions that are defined by the role.
The User Rank framework overlays the roles and access control group framework and governs which groups are available for an end user. End users and application users can be assigned to only those access control groups that their user rank allows.
When you provision end users, you must decide on what roles you want to assign to your users. You can assign roles to an end user, application user, or to an access control group. You can assign multiple roles to a single user.
Each role contains a set of privileges that are attached to a specific resource or application. For example, the Standard CCM End Users role provides users who are assigned that role with access to the Cisco Unified Communications Self Care Portal. You can also assign roles that provide access to resources such as Cisco Unified Communications Manager Administration, Cisco CDR Analysis and Reporting, the Dialed Number Analyzer, and the CTI interface. For most resources with graphical user interfaces, such as a specific configuration window, the privileges that are attached to the role allow the user to view or update data in that window, or in a group of related windows.
Configuring and Assigning Roles
You must decide whether you want to assign standard roles to your users, or create custom roles:
Standard roles—Standard roles are predefined, default roles that come installed in Cisco Unified Communications Manager. You cannot edit the privileges or modify the role in any way.
Custom roles—Custom roles are roles that you create. You can create custom roles when there are no standard roles that contain the privileges that you want to assign to your users. For example, if you want to assign a standard role, but want to modify one of the privileges, you can copy the privileges of the standard role into a custom role and then edit the privileges in that custom role.
Each role contains a set of privileges that are attached to a specific resource. There are two types of privileges that you can assign to a resource:
Read—Read privilege gives the user the ability to view the settings for that resource, but the user cannot make any configuration updates. For example, the privilege may allow the user to view the settings on a particular configuration window, but the configuration window for that application will not display update buttons or icons.
Update—Update privileges give the user the ability to modify the settings for that resource. For example, the privileges may allow the user to make updates in a specific configuration window.
End User and Administrator Roles
The Standard CCM End Users role provides end users with access to the Cisco Unified Communications Self Care Portal. For additional privileges, such as CTI access, you must assign additional roles, such as the Standard CTI Enabled role.
The Standard CCM Admin Users role is the base role for all administration tasks and serves as the authentication role. This role provides users with administrative access to the Cisco Unified Communications Manager Administration user interface. Cisco Unified Communications Manager Administration defines this role as the role that is necessary to log in to Cisco Unified Communications Manager Administration.
Access Control Group Overview
You can use access control groups along with roles to quickly assign network access permissions to a group of users with similar access requirements.
An access control group is a list of end users and application users. You can assign end users or application users who share similar access needs to an access control group that contains the roles and permissions that they need. For an end user or application user to be assigned to an access control group, the user must meet the minimum rank requirement for that access control group. For example, an end user with a User Rank of 4 can be assigned only to access control groups with minimum rank requirements between 4 and 10.
The system includes a set of predefined standard access control groups. Each standard access control group has a set of roles assigned by default. When you assign a user to that access control group, those roles are also assigned to that end user.
You cannot edit the roles that are assigned to standard access control groups. However, you can create customized access control groups and assign the roles that you choose to your customized access control groups.
User Rank Overview
User Rank Access Control provides a set of controls over the level of access that an administrator can provide to an end user or application user. The User Rank parameter is a 1–10 integer with 1 being the highest possible rank. The user rank is assigned to both users and access control groups thereby creating a rank hierarchy that governs which users can be assigned to a particular access control group.
When provisioning end users or application users, administrators must assign a user rank for each user. Administrators must also assign a user rank to each access control group. Administrators can assign users to only those access control groups with the same or lower rank. For example, if an end user has a user rank of 3, they can be assigned to access control groups that have a user rank between 3 and 10. That user cannot be assigned to an access control group that requires a user rank of 1.
Administrators can customize user rank hierarchy within the User Rank Configuration window and then assign those ranks to end users, application users, and access control groups.