Prior to the availability of MLA, there was only one administrator login. Administrators had full read and write access to Cisco CallManager configuration. An administrator could change any parameter in the database or directory that is accessible through the Cisco CallManager Administration and Cisco CallManager Serviceability pages. The entire system could be disabled with a few mouse clicks that
MLA provides multiple levels of security to Cisco CallManager Administration. Cisco CallManager
Different access levels can be assigned to each functional group, such as no access, read-only access, and full access. The access rights can be set for every configured user group. MLA also keeps audit logs of user logins and of both access to and modification of Cisco CallManager configuration data.
Before installing MLA, Cisco CallManager administrators logged in using a local Windows 2000 Administrator account. After you have enabled MLA, usernames and passwords are stored in a Lightweight Directory Access Protocol (LDAP) directory and provide the basis for login authentication.
When MLA is enabled, it creates a predefined user called CCMAdministrator. The Windows Registry stores the user ID and the encrypted password of the CCMAdministrator user. Thus, even when the LDAP directory is unavailable, the CCMAdministrator user can log in to Cisco CallManager Administration. Only the CCMAdministrator ID and password are stored in the Windows Registry.
MLA was introduced with the Cisco CallManager Release 3.2(2c) and had to be separately installed. With Cisco CallManager Release 4.0 and later, MLA is integrated in Cisco CallManager but disabled by default.
If you are upgrading from an earlier version of Cisco CallManager to Cisco CallManager release 4.0 or later and already have MLA installed and enabled, CallManager migrates your existing MLA configuration to the new MLA version and keeps it enabled. However, the upgrade process resets the existing CCMAdministrator password to a random password (displayed at the end of the upgrade).
The Enable MultiLevelAdmin enterprise parameter designates whether MLA is enabled. This enterprise parameter can be found in the Cisco CallManager menu User > Access Rights > Configure MLA Parameters, shown in Figure 21-3. You can set the Enable MultiLevelAdmin parameter to True (enabled) or False (disabled); False is the default value.
Figure 21-3. Enabling MLA
When you choose True, enter a new password at the New Password for CCMAdministrator prompt and reenter the password at the Confirm Password for CCMAdministrator prompt. Only the CCMAdministrator user can now log in to Cisco CallManager; the Windows NT Administrator account no longer has access rights to Cisco CallManager Administration.
When the Enable MultiLevelAdmin enterprise parameter value is modified, the World Wide Web Publishing Service has to be restarted. Then, reopen the browser and reauthenticate with Cisco CallManager by using the new CCMAdministrator account.
MLA Functional Groups
Cisco MLA uses two group management functions: user groups and functional groups. A user group simply contains user accounts. A functional group consists of a collection of Cisco CallManager system administration submenus. All the web pages that compose each functional group belong to a common administrative menu. Two types of functional groups exist:
Standard functional groups are created as a part of MLA during Cisco CallManager installation and cannot be modified or deleted. They contain typical permissions assigned to sublevel Cisco CallManager administrators. You can define your own custom functional groups to allow a group of administrators access to specific Cisco CallManager Administration menus.
When you enable Cisco CallManager MLA, a complete set of standard functional groups becomes available (shown in Figure 21-4):
Figure 21-4. Built-In MLA Functional Groups
In the Standard System functional group, all submenus of the Cisco CallManager System menu, such as Server, Cisco CallManager, Cisco CallManager Group, and so on, are enabled. A user with full access rights in the Standard System functional group could, for example, change the IP address of the server. Be careful when you assign access rights to the fundamental Cisco CallManager menus.
MLA User Groups
Various user groups are predefined and have no
These user groups are created at the time of installation (shown in Figure 21-5):
Figure 21-5. Built-In MLA User Groups
Assigning MLA Access Privileges
After users are added to a user group, access privileges are then set for each functional group. The functional group defines the Cisco CallManager menus that can be used by the relevant user group.
Figure 21-6 shows the items in the CallManager Administration Device menu that are enabled for the Standard Phone functional group.
Figure 21-6. Device Menu Access for the Standard Phone Functional Group
As shown in Figure 21-7, the PhoneAdministration user group has full access rights to the Standard Phone and the Standard User Management functional groups. This means that a user assigned to the PhoneAdministration user group can add, change, or delete the configuration of the computer telephony integration (CTI) points and phones. A user in the PhoneAdministration user group can also access all Device Settings submenus.
Figure 21-7. Assigning Rights to User Groups
Creating New MLA Functional and User Groups
Cisco CallManager allows you to configure MLA groups outside the built-in defaults to provide custom administration functions for your organization. For example, imagine you had a sublevel administrator who should only have rights to change the music on hold preferences for your users. To configure a custom administrative level for this administrator, you could follow these general steps:
Initially, you would need to create a new functional group for the subadministrator that defines the areas of CallManager Administration to which that administrator has access. You could follow this procedure to add a new functional group:
After you have added the functional group to the configuration, you can create a user group for the administrator and assign the necessary functional group privileges. To create the user group, complete the following steps:
Now that you have created the user group, you can assign the necessary privileges to the music administrator:
Finally, the last step in this configuration is to verify and test the privileges. To verify whether a specific user has the correct access rights, click the Key symbol in the Permission column in the User Group Configuration window. In Figure 21-12, the user JeremyD was chosen, and, therefore, the MusicDJ user group is displayed with the configured access rights. The privileges report shows that JeremyD has no access to any functional group except the Music Only group, to which he has full access.
Figure 21-12. Verifying User Permissions
To test the privileges, you can log in using a user account assigned to the specific user group you want to test. After logging in, attempt to access allowed and disallowed areas of the CallManager Administration.
Figure 21-13. Testing User Permissions
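The permission model described in this chapter (users belong to user groups, each user group holds an access level on each functional group, and a functional group is a set of CallManager Administration menu pages) can be checked against a small model. The following is an added example written for this page, not Cisco code and not the actual MLA implementation: the menu page names, the Helpdesk group, and the user names other than JeremyD are constructed, and the rule that a user in several user groups receives the highest level any of them grants is an assumption of the model, not something the chapter states. It reproduces the privileges report from Figure 21-12 (JeremyD has no access to any functional group except Music Only) and shows the deny-by-default behaviour for pages that no granted functional group covers, together with an audit trail of each decision.

```python
"""Toy model of Cisco CallManager MLA access rights (added example, not Cisco code)."""
from enum import IntEnum
from typing import Dict, List, Set


class Access(IntEnum):
    """Access levels the chapter lists; ordered so max() picks the strongest."""
    NO_ACCESS = 0
    READ_ONLY = 1
    FULL = 2


# Functional group -> menu pages it contains. Page names are constructed
# approximations of the menus the chapter mentions, not real MLA identifiers.
FUNCTIONAL_GROUPS: Dict[str, Set[str]] = {
    "Standard System": {"System/Server", "System/Cisco CallManager",
                        "System/Cisco CallManager Group"},
    "Standard Phone": {"Device/Phone", "Device/CTI Route Point",
                       "Device/Device Settings"},
    "Standard User Management": {"User/Add a New User", "User/Global Directory"},
    "Music Only": {"Service/Media Resource/Music On Hold Audio Source"},
}

# User group -> access level on each functional group. Anything not listed is
# NO_ACCESS. PhoneAdministration and MusicDJ follow the chapter; Helpdesk is constructed.
USER_GROUPS: Dict[str, Dict[str, Access]] = {
    "PhoneAdministration": {"Standard Phone": Access.FULL,
                            "Standard User Management": Access.FULL},
    "MusicDJ": {"Music Only": Access.FULL},
    "Helpdesk": {"Standard Phone": Access.READ_ONLY},
}

# User -> user groups the user belongs to (constructed sample data).
USER_MEMBERSHIP: Dict[str, Set[str]] = {
    "JeremyD": {"MusicDJ"},
    "PhoneAdmin1": {"PhoneAdministration"},
    "Helpdesk1": {"Helpdesk"},
}

# One line per authorization decision, the kind of record MLA's audit logging keeps.
AUDIT_LOG: List[str] = []


def effective_access(user: str, functional_group: str) -> Access:
    """Highest level any of the user's user groups grants on the functional group.

    Assumption: membership in several user groups combines by taking the maximum.
    Unknown users and ungranted functional groups fall through to NO_ACCESS.
    """
    level = Access.NO_ACCESS
    for user_group in USER_MEMBERSHIP.get(user, set()):
        granted = USER_GROUPS.get(user_group, {}).get(functional_group, Access.NO_ACCESS)
        level = max(level, granted)
    return level


def privileges_report(user: str) -> Dict[str, Access]:
    """Equivalent of clicking the Key symbol: one row per functional group."""
    return {fg: effective_access(user, fg) for fg in FUNCTIONAL_GROUPS}


def is_allowed(user: str, page: str, write: bool) -> bool:
    """Decide a read or change request on a menu page and record the decision.

    Reading needs at least READ_ONLY, changing needs FULL, on some functional
    group that contains the page. A page covered by no granted group is denied.
    """
    needed = Access.FULL if write else Access.READ_ONLY
    allowed = any(
        effective_access(user, fg) >= needed
        for fg, pages in FUNCTIONAL_GROUPS.items()
        if page in pages
    )
    action = "change" if write else "read"
    AUDIT_LOG.append(f"user={user} action={action} page={page} "
                     f"result={'ALLOW' if allowed else 'DENY'}")
    return allowed


if __name__ == "__main__":
    for fg, level in privileges_report("JeremyD").items():
        print(f"JeremyD  {fg:26s} {level.name}")
    is_allowed("JeremyD", "Service/Media Resource/Music On Hold Audio Source", write=True)
    is_allowed("JeremyD", "System/Server", write=False)
    print("\n".join(AUDIT_LOG))
```

Running the block prints the JeremyD report (NO_ACCESS on the three standard groups, FULL on Music Only) and two audit lines, one ALLOW for changing the music on hold page and one DENY for even reading System/Server. The check in `is_allowed` is the point to keep in mind when reviewing custom groups: a user gains a page only through a functional group that both contains the page and has been granted to one of the user's user groups, so the Standard System warning from earlier in the chapter amounts to auditing which user groups hold FULL on that one functional group.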