In CCM6 if I create an application user, and give them a small subset of rights Such as phone Administration, I have noticed that if that admin has the ability to edit end users they can in turn add end users into Administrative groups! This in effect is a major security vulnerability an administrator with lower rights can create a new end user and give them every role / right to the CCM box (except super user). I have even verified that end user can log into the CCM Admin pages with full rights! What is the point of groups and roles then, am I missing something?
If I do not give phone administrators the ability to edit end user's the phone administrators cannot change an end user's password, or associate phones to their profilesâ¦