Today I finished up going back over a weak topic on the CIPT1 exam since I always use the canned roles and groups within CUCM. For those of you that don't know what roles, resources, privileges, applications, and user groups are, you are about to get a quick crash course. So to start off, roles are basically a collection of privileges based on a resource. I hope I didn't already lose you on that statement. Let me back that statement up with an image from Call Manager to help you get a picture of what I'm talking about.
So with the above image, you can see a resource is simply a web page on CUCM of some sort. For example, the Application Dial Rule web pages would let you access that particular page if you check the "Read" privilege to the right. If you select "Update" as well then the user would also be able to make changes. So let's break this down even further. I made a custom Role as you can see which I named Read only to phones only. This is more of an identifier than anything else as it has no influence on anything other than a name.
Above you can see I set permissions to let the user with this role to be able to see the phone webpage. Basically, they can look at the settings but can't actually change anything. Here is what the page looks like with read-only access:
As you can see, the command bar to add, delete, reset, etc. is missing at the top. If I select a phone as this user I see this:
Again, no save, update, delete buttons are available. If you click on a field, you can edit it all you want but you cannot save the changes. Additionally, the modify buttons will not let you do anything either because I have not granted "Update" privileges. Now lets compare a full admin page to giggles:
Notice the giant bar that now appears as a administrator with update access. I can now save, delete, copy, reset, apply config, and add new. That is the difference between update and read access. Again, you pick an application then add a role with the appropriate resources and their privileges.
Now this is all find and dandy to add these privileges but how to we get the user to inherit these traits we have assigned? I spent some time today figuring out why my roles were assigned but not fully working. It comes to pass that ANY role you set up and assign to a user also REQUIRES that you assign Standard CCM Admin User Group as well or they can't get into the web admin page. Basically, the admin user page does nothing but let them access the initial screen after logging into the CUCM. If they click any menu from there they get a pretty access denied page that looks like this:
So with that given, you would then see the images I first posted when they went into something they did have read-only access to. Now back to the meat. You need to assign the roles to a user group then assign the user to that group or vice versa, it really doesn't matter. So, go to User Management --> User Groups and see this page:
Now by default there aren't any custom user groups. I have two created, one was for the ICVA Informacast application that comes with the Business Edition but that is another discussion. The one we are concerned with here is the one I made called RO Phones. This usergroup will be where I place the users that need RO (Read Only) access to the phone webpages within CUCM. Also note the CCM Admin Users here, this is required for the user to even get into the web admin page so the user would have at minimum two groups assigned to them. So if we create that RO Phones group it looks like this:
In this case, I had already assigned a user but you can see how to do it from here and it's very straight forward. Once this is done, you need to assign the roles to this usergroup that the user inserted will inherit. You do this by using the Related Links drop down on the upper right of the screen and click Assign Role to User Group then click Go. Once you do this, you will be presented with this screen:
Normally the Role Assignment box will be blank, you would click Assign Role to Group and get a popup box asking you which roles to assign. Once you do this, you are officially good to go. Whatever users you add to the group will inherit the privileges you have put in from here. The lesson to learn here is that you need to create these custom groups and assign roles to the users. These users can be assigned to one or more groups and can inherit the roles from those groups cumulatively. So you can essentially create a very modular privilege system and assign users roles in based on user group. Luckily, CUCM already has most of what you need on a regular basis already created so you just go to the end user and assign whatever you need.
I know this topic is confusing, it was for me when I first started and I just had to get into it and get my hands dirty. If I were to get questioned on this and asked to explain it to a third grader I probably could given the examples I've provided here. It's something you don't mess with often since the canned privileges are always in most circumstances good enough. I hope this has been informative and will be posting more as I develop more impromptu content.
No comments:
Post a Comment