User Access Overview
Manage user access to Cisco Unified Communications Manager by configuring the following items:
- Access Control Groups
- Roles
- User Rank
Access Control Group Overview
An access control group is a list of users and the roles that are assigned to those users. When you assign an end user, application user, or administrator user to an access control group, the user gains the access permissions of the roles that are associated to the group. You can manage system access by assigning users with similar access needs to an access control group with only the roles and permissions that they need.
There are two types of access control groups:
- Standard Access Control Groups—These are predefined default groups with role assignments that meet common deployment needs. You cannot edit the role assignments in a standard group. However, you can add and delete users, in addition to editing the User Rank requirement. For a list of standard access control groups, and their associated roles, see Standard Roles and Access Control Groups.
- Custom Access Control Groups—Create your own access control groups when none of the standard groups contain the role permissions that meet your needs.
The User Rank framework provides a set of controls over the access control groups to which a user can be assigned. To be assigned to an access control group, a user must meet the minimum rank requirement for that group. For example, end users who have a User Rank of 4 can be assigned only to access control groups with minimum rank requirements between 4 and 10. They cannot be assigned to groups with a minimum rank of 1.
Example - Role Permissions with Access Control Groups
The following example illustrates a cluster where the members of a testing team are assigned to access control group test_ACG. The screen capture on the right displays the access settings of test_Role, which is the role that is associated with the access control group. Also note that the access control group has a minimum rank requirement of 3. All of the group members must have a rank between 1 and 3 to be able to join the group.
Roles Overview
Users obtain system access privileges via the roles that are associated to the access control group of which the user is a member. Each role contains a set of permissions that is attached to a specific resource or application, such as Cisco Unified CM Administration or CDR Analysis and Reporting. For an application such as Cisco Unified CM Administration, the role may contain permissions that let you view or edit specific GUI pages in the application. There are three levels of permissions that you can assign to a resource or application:
- Read—Allows a user to view settings for a resource.
- Update—Allows a user to edit settings for a resource.
- No Access—If a user has neither Read nor Update access, the user has no access to view or edit settings for a given resource.
Role Types
When provisioning users, you must decide what roles you want to apply and then assign users to an access control group that contains the role. There are two main types of roles in Cisco Unified Communications Manager:
- Standard roles—These are preinstalled default roles that are designed to meet the needs of common deployments. You cannot edit permissions for standard roles.
- Custom roles—Create custom roles when no standard roles have the privileges you need. In addition, if you need a more granular level of access control, you can apply advanced settings to control an administrator's ability to edit key user settings. See the following section for details.
Advanced Role Settings
For custom roles, you can add a detailed level of control to selected fields on the Application User Configuration and End User Configuration windows.
The Advanced Role Configuration window lets you configure access to Cisco Unified CM Administration while restricting access for tasks such as:
- Adding users
- Editing passwords
- Editing user ranks
- Editing access control groups
The following table details more controls that you can apply with this configuration:
Advanced Resource | Access Control
---|---
Permission Information | Controls the ability to add or edit access control groups:
User can update Permissions Information for own user | Controls a user's ability to edit their own access permissions:
User Rank | Controls the ability to change the user rank:
User can update User Rank for own user | Controls a user's ability to edit their own user rank:
Add New Users | Controls the ability to add a new user:
Password | Controls the ability to change the password:
User Rank Overview
The User Rank hierarchy provides a set of controls over which access control groups an administrator can assign to an end user or application user.
When provisioning end users or application users, administrators can assign a user rank for the user. Administrators can also assign a user rank requirement for each access control group. When adding users to access control groups, administrators can assign users only to the groups where the user's User Rank meets the group's rank requirement. For example, an administrator can assign a user who has a User Rank of 3 to access control groups that have a User Rank requirement between 3 and 10. However, an administrator cannot assign that user to an access control group that has a User Rank requirement of 1 or 2.
Administrators can create their own user rank hierarchy within the User Rank Configuration window and can use that hierarchy when provisioning users and access control groups. Note that if you don't configure a user rank hierarchy, or if you simply don't specify the User Rank setting when provisioning users or access control groups, all users and access control groups are assigned the default User Rank of 1 (the highest rank possible).
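As an added example (not Cisco code, and not a Unified CM API or export format), the User Rank rule above can be checked across an inventory of users and access control groups, including the default of rank 1 for anything left unspecified. The user names, the group names other than test_ACG, and the dictionary layout are constructed for illustration.

```python
"""Added example: User Rank eligibility audit over a constructed inventory."""
from typing import Optional

DEFAULT_RANK = 1  # per the page: an unspecified User Rank defaults to 1 (the highest)

# Constructed sample data; names and layout are hypothetical, not a Unified CM export.
USERS = {"alice": 1, "bob": 3, "carol": 4, "svc_report": None}  # None = rank never set
GROUPS = {
    "test_ACG": {"min_rank": 3, "members": ["alice", "bob", "carol"]},
    "helpdesk_ACG": {"min_rank": 5, "members": ["carol", "svc_report"]},
    "admins_ACG": {"min_rank": None, "members": ["alice", "ghost"]},
}

def effective_rank(rank: Optional[int]) -> int:
    """Apply the default: a missing rank behaves as rank 1."""
    return DEFAULT_RANK if rank is None else rank

def can_assign(user_rank: Optional[int], group_min_rank: Optional[int]) -> bool:
    """Rank 1 is highest, so a user qualifies when their rank number is
    less than or equal to the group's minimum rank requirement."""
    return effective_rank(user_rank) <= effective_rank(group_min_rank)

def eligible_groups(user, users=USERS, groups=GROUPS):
    """Groups the user's rank allows them to be assigned to."""
    return sorted(g for g, cfg in groups.items()
                  if can_assign(users[user], cfg["min_rank"]))

def audit(users=USERS, groups=GROUPS):
    """Return (kind, detail) findings for a least-privilege review."""
    findings = []
    for name in sorted(users):
        if users[name] is None:
            # Defaults to rank 1, so this user qualifies for every group.
            findings.append(("unset-rank", name))
    for gname in sorted(groups):
        cfg = groups[gname]
        for member in cfg["members"]:
            if member not in users:
                findings.append(("unknown-member", f"{member} in {gname}"))
            elif not can_assign(users[member], cfg["min_rank"]):
                findings.append(("rank-violation", f"{member} in {gname}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit():
        print(f"{kind:15} {detail}")
    print("carol may join:", eligible_groups("carol"))
```

A user whose rank was never set behaves as rank 1 and therefore qualifies for every group, while a group left at the default requirement of 1 accepts only rank 1 users.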