Unity Administration Delegation

Unanswered Question
Sep 17th, 2007

We have a helpdesk and we would like to delegate to them the ability to change Unity subscriber information and passwords without sharing the administrator level passwords. I don't see where this is possible from within the Unity Admin pages. Does anyone have an idea of how this can be done? We are using Unity 4(2).1

rob.huffman Mon, 09/17/2007 - 06:28

Hi Abraham,

This is possible via the Subscriber COS. Have a look:

For Unity 4.0.5 and later

Class of Service System Access Settings

Class of service system access settings specify which tasks, if any, subscribers including other system administrators can do in the Cisco Unity Administrator. You can customize access to Cisco Unity in several ways. For example, you can deny access to the Cisco Unity Administrator, or deny access to specific pages in the Cisco Unity Administrator, such as COS, subscriber, or distribution list pages.

When you deny access to specific pages in the Cisco Unity Administrator, the links for these pages are disabled for the subscriber. Alternatively, you can specify read, edit, add, or delete privileges for these pages, or can allow subscribers access to subscriber pages only for the purpose of unlocking subscriber accounts or changing subscriber passwords.

Before modifying system access settings for a COS, consider the best practices outlined in the Cisco Unity Security Guide. Refer to the "Best Practices for Modifying and Assigning Classes of Service" section in the "Accounts and Permissions" chapter. The guide is available at http://www.cisco.com/univercd/cc/td/doc/product/voice/c_unity/unity40/usg/ex/index.htm.

From this good Unity doc:

http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_administration_guide_chapter09186a0080449c55.html#wp1053445

Hope this helps!

Rob

Ginger Dillon Mon, 09/17/2007 - 14:19

Hi Abraham -

In addition to Rob's excellent post, I have some additional information in case you have multiple Unity servers which need to be handled by your Help Desk. The COS will only work for the Unity server in which your Help Desk are subscribers. If your Help Desk need to administer passwords, for example, on other Unity servers, here is how to do this:

- On each Unity server, create a new subscriber. You can standardize on a name like HelpDesk_unityservername. Use a dummy extension, which you can get from your CallManager's dial plan.

- Put this userid into the COS that has only the SA access required, i.e. authorized to reset subscriber passwords.

- Using the grantunityaccess utility in Unity Tools Depot, associate each Help Desk user's domain account (domain\userid) with this HelpDesk_unityservername userid.

- Repeat this step for each Unity server you have in your environment.

Regards, Ginger

P.S. Kudos and 5-points to Rob for the great response :-)

rob.huffman Tue, 09/18/2007 - 04:28

Thanks Ginger :) This means a lot to me, especially coming from one of my FAVE NetPros!

Take care,

Rob

abendayan Mon, 09/24/2007 - 12:24

Hello,

Thanks for the information; it helped a lot. I am using the method Ginger suggested because I have three Unity servers that I need them to administer. These boxes are all part of the same AD domain. Now I have another problem: I can run GrantUnityAccess from one of the servers, but on the other two I get the following error when I try to run the utility:

D:\CommServer>grantunityaccess -u SVMUNITY.IPT\DCMHelpdesk -s AbrahamBendayan

Failed getting subscriber's object ID from database.

Logfile generated: E:\CommServer\Logs\GrantUAccess_46f81c57.txt

-- Operation FAILED --

Here are the contents of that log file.

Mon Sep 24 15:21:43.65 Entering Initialize \ConnectorClientBase.cpp (line 48)

Mon Sep 24 15:21:44.471 Exiting Initialize \ConnectorClientBase.cpp (line 89)

Mon Sep 24 15:21:44.471 Entering GetSimpleFilter \ConnectorClientBase.cpp (line 412)

Mon Sep 24 15:21:44.487 Exiting GetSimpleFilter \ConnectorClientBase.cpp (line 428)

Mon Sep 24 15:21:44.487 Entering GetRowSet \ConnectorClientBase.cpp (line 105)

Mon Sep 24 15:21:44.487 Exiting GetRowSet \ConnectorClientBase.cpp (line 121)

Mon Sep 24 15:21:44.487 Entering GetOneRow \ConnectorClientBase.cpp (line 127)

Mon Sep 24 15:21:44.502 spRowset->Item(0) reports no more rows. Exiting function. \ConnectorClientBase.cpp (line 134)

Mon Sep 24 15:21:44.518 Failed getting rowset for subscriber AbrahamBendayan Exiting Function. 0x8004010f \GrantAccess.cpp (line 356)

Ginger Dillon Mon, 09/24/2007 - 12:49

Hi -

In the command syntax, the -s xxxxx must be a local subscriber on that Unity server. If AbrahamBendayan is a subscriber on another Unity server, this is why the command is not working. If that is the case, create a dummy subscriber on the Unity server and give it a dummy phone extension. Assign it to the correct COS. Then rerun the grantunityaccess and use that account for the -s xxxxx.

Ginger
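
A triage helper for the failure discussed in this thread, added here as an example (it is not part of any poster's reply and is not Cisco tooling): it scans a GrantUAccess log for the failed subscriber lookup and reports the alias, error code and source location. The log line layout is assumed from the excerpt posted above; `triage` and the result keys are hypothetical names.

```python
import re

# Line layout assumed from the log excerpt in this thread:
#   "Mon Sep 24 15:21:44.487 <message> \File.cpp (line N)"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:.]+) (?P<msg>.*?) "
                     r"(?P<src>\\\S+\.cpp) \(line (?P<line>\d+)\)$")
TRACE_RE = re.compile(r"^(Entering|Exiting) (\w+)$")
FAIL_RE = re.compile(r"Failed getting rowset for subscriber (?P<alias>\S+)"
                     r".*?(?P<code>0x[0-9a-fA-F]{8})")

# Sample input: lines copied from the log posted earlier in the thread.
SAMPLE_LOG = r"""
Mon Sep 24 15:21:44.487 Entering GetRowSet \ConnectorClientBase.cpp (line 105)
Mon Sep 24 15:21:44.487 Exiting GetRowSet \ConnectorClientBase.cpp (line 121)
Mon Sep 24 15:21:44.487 Entering GetOneRow \ConnectorClientBase.cpp (line 127)
Mon Sep 24 15:21:44.502 spRowset->Item(0) reports no more rows. Exiting function. \ConnectorClientBase.cpp (line 134)
Mon Sep 24 15:21:44.518 Failed getting rowset for subscriber AbrahamBendayan Exiting Function. 0x8004010f \GrantAccess.cpp (line 356)
"""

def triage(log_text):
    """Return a finding for the first failed subscriber lookup, else None."""
    open_calls, no_rows = [], False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        msg = m["msg"]
        t = TRACE_RE.match(msg)
        if t and t[1] == "Entering":
            open_calls.append(t[2])
        elif t and open_calls and open_calls[-1] == t[2]:
            open_calls.pop()
        if "reports no more rows" in msg:
            no_rows = True
        f = FAIL_RE.search(msg)
        if f:
            return {
                "time": m["ts"],
                "alias": f["alias"],
                "code": f["code"],
                "source": f"{m['src']}:{m['line']}",
                "last_open_call": open_calls[-1] if open_calls else None,
                # Cause given in the thread: the -s alias is not a
                # subscriber on the server where the utility was run.
                "alias_not_found_locally": no_rows,
            }
    return None

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
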

abendayan Mon, 09/24/2007 - 13:26

Ginger,

Thanks for writing back. Duh, I was using the command in reverse. That worked great, thanks for the help, sorry for the reply, my brain is still off from the weekend!

AB
