Multilevel Administration

Prior to the availability of MLA, there was only one administrator login. Administrators had full read and write access to Cisco CallManager configuration. An administrator could change any parameter in the database or directory that is accessible through the Cisco CallManager Administration and Cisco CallManager Serviceability pages. The entire system could be disabled with a few mouse clicks that accidentally modified data to which the user did not need access.

MLA provides multiple levels of security to Cisco CallManager Administration. Cisco CallManager menus are grouped in functional groups. Users are grouped in user groups. MLA permits you to grant only the privileges required to a selected group of users and to limit access to the configuration menu for a particular user group .

Different access levels can be assigned to each functional group, such as no access, read-only access, and full access. The access rights can be set for every configured user group. MLA also provides audit logs of user logins and access to and modifications to Cisco CallManager configuration data.

Before installing MLA, Cisco CallManager administrators logged in using a local Windows 2000 Administrator account. After you have enabled MLA, usernames and passwords are stored in a Lightweight Directory Access Protocol (LDAP) directory and provide the basis for login authentication.

During enabling, MLA creates a predefined user called CCMAdministrator. The Windows Registry stores the user ID and the encrypted password of the CCMAdministrator user. Thus, even when the LDAP directory is unavailable, the CCMAdministrator user can log in to Cisco CallManager Administration. Only the CCMAdministrator ID and password are stored in the Windows Registry.

MLA was introduced with the Cisco CallManager Release 3.2(2c) and had to be separately installed. With Cisco CallManager Release 4.0 and later, MLA is integrated in Cisco CallManager but disabled by default.

Note

If you are upgrading from an earlier version of Cisco CallManager to Cisco CallManager release 4.0 or later and already have MLA installed and enabled, CallManager migrates your existing MLA configuration to the new MLA version and keeps it enabled. However, the upgrade process resets the existing CCMAdministrator password to a random password (displayed at the end of the upgrade).

Enabling MLA

The Enable MultiLevelAdmin enterprise parameter designates whether MLA is enabled. This enterprise parameter can be found in the Cisco CallManager menu User > Access Rights > Configure MLA Parameters , shown in Figure 21-3. You can set the Enable MultiLevelAdmin parameter to True (enabled) or False (disabled); False is the default value.

Figure 21-3. Enabling MLA

When you choose True, enter a new password at the New Password for CCMAdministrator prompt and reenter the password at the Confirm Password for CCMAdministrator prompt. Only the CCMAdministrator user can now log in to Cisco CallManager; the Windows NT Administrator account no longer has access rights to Cisco CallManager Administration.

When the Enable MultiLevelAdmin enterprise parameter value is modified, the World Wide Web Publishing Service has to be restarted. Then, reopen the browser and reauthenticate with Cisco CallManager by using the new CCMAdministrator account.

MLA Functional Groups

Cisco MLA uses two group management functions: user groups and functional groups. A user group simply contains user accounts. A functional group consists of a collection of Cisco CallManager system administration submenus. All the web pages that compose each functional group belong to a common administrative menu. Two types of functional groups exist:

Standard functional groups, which are the default functional groups
Custom-based functional groups

Standard functional groups are created as a part of MLA during Cisco CallManager installation and cannot be modified or deleted. They contain typical permissions assigned to sublevel Cisco CallManager administrators. You can define your own custom-based functional groups to allow a group of administrators access to specific Cisco CallManager Administration menus.

When you enable Cisco CallManager MLA, a complete set of standard functional groups becomes available (shown in Figure 21-4):

Standard Plugin
Standard User Privilege Management
Standard User Management
Standard Feature
Standard System
Standard Service Management
Standard Service
Standard Serviceability
Standard Gateway
Standard RoutePlan
Standard Phone

Figure 21-4. Built-In MLA Functional Groups

Caution

In the Standard System functional group, all submenus of the Cisco CallManager System menu, such as Server, Cisco CallManager, Cisco CallManager Group, and so on, are enabled. A user with full access rights in the Standard System functional group could, for example, change the IP address of the server. Be careful when you assign access rights to the fundamental Cisco CallManager menus.

MLA User Groups

Various user groups are predefined and have no members assigned when you enable MLA. The CCMAdministrator user can add users to these groups, set the access rights for the user groups, and configure additional named user groups as needed. To add users, select the relevant user group and click the Add a User to Group hyperlink in the upper-right corner of the administration window.

These user groups are created at the time of installation (shown in Figure 21-5):

PhoneAdministration
ReadOnly
ServerMonitoring
SuperUserGroup
ServerMaintenance
GatewayAdministration

Figure 21-5. Built-In MLA User Groups

Assigning MLA Access Privileges

After users are added to a user group, access privileges are then set for each functional group. The functional group defines the Cisco CallManager menus that can be used by the relevant user group.

Figure 21-6 shows the items in the CallManager Administration Device menu that are enabled for the Standard Phone functional group.

Figure 21-6. Device Menu Access for the Standard Phone Functional Group

As shown in Figure 21-7, the PhoneAdministration user group has full access rights to the Standard Phone and the Standard User Management functional groups. This means that a user assigned to the PhoneAdministration user group can add, change, or delete the configuration of the computer telephony integration (CTI) points and phones. A user in the PhoneAdministration user group can also access all Device Settings submenus.

Figure 21-7. Assigning Rights to User Groups

Creating New MLA Functional and User Groups

Cisco CallManager allows you to configure MLA groups outside the built-in defaults to provide custom administration functions for your organization. For example, imagine you had a sublevel administrator who should only have rights to change the music on hold preferences for your users. To configure a custom administrative level for this administrator, you could follow these general steps:

Step 1.	Create a new functional group and assign privileges.
Step 2.	Create a new user group and assign privileges.
Step 3.	Verify proper operation.

Initially, you would need to create a new functional group for the subadministrator defining the areas of the CallManager Administration to which they have access. You could follow this procedure to add a new functional group:

Step 1.	Choose User > Access Rights > Functional Group , and click Add a New Functional Group .

Step 2.	In the Functional Group Name field, enter the name of a new functional group (in this example, Music Only, shown in Figure 21-8). Figure 21-8. Adding a New Functional Group

Step 3.	Check the check box next to the menu that you want to include in the new functional group. In this example, check only the Media Resource->Music on Hold Audio Source check box under Service, as shown in Figure 21-9, and click Insert . Figure 21-9 results from scrolling down near the bottom of the screen shown in Figure 21-8. Figure 21-9. Assigning Functional Group Menus

After you have added the functional group to the configuration, you can create a user group for the administrator and assign the necessary functional group privileges. To create the user group, complete the following steps:

Step 1.	Choose User > Access Rights > User Group , and click Add a New User Group .
Step 2.	In the User Group Name field, enter the name of the new user group (in this example, MusicDJ), and click Insert .

Step 3.	Click Add a User to Group, and enter the username (which must already have been configured in Cisco CallManager Administration). In this example, the user JeremyD was chosen from the directory, shown in Figure 21-10. Figure 21-10. Adding a New User Group

{% if main.adsdop %}{% include 'adsenceinline.tpl' %}{% endif %}

Now that you have created the user group, you can assign the necessary privileges to the music administrator:

Step 1.	Choose User > Access Rights > Assigning Privileges to User Group.
Step 2.	Click the name of the user group to which you want to assign privileges. In this case, the MusicDJ user group is chosen.

Step 3.	Choose the privilege level for each functional group within the user group. Three privilege levels are available from the drop-down list: No Access , Read Only , and Full Access . In this case, the MusicDJ user group is assigned Full Access for the functional group Music Only (shown in Figure 21-11). After you have selected the necessary permissions for the functional groups, click Update . Figure 21-11. Assigning User Group Permissions

Finally, the last step in this configuration is to verify and test the privileges. To verify whether a specific user has the correct access rights, click the Key symbol in the Permission column in the User Group Configuration window. In Figure 21-12, the user JeremyD was chosen, and, therefore, the MusicDJ user group is displayed with the configured access rights. The privileges report shows that JeremyD has no access to any functional group except the Music Only group, to which he has full access.

Figure 21-12. Verifying User Permissions

To test the privileges, you can log in using a user account assigned to the specific user group you want to test. After logging in, attempt to access allowed and disallowed areas of the CallManager Administration. Disallowed pages will appear as shown in Figure 21-13. Allowed pages will function normally, unless you have assigned them Read-Only access.