Unity Connection 7 Roles

Unanswered Question
Jan 9th, 2009

I noticed that I cannot modify, add or delete any roles in Unity Connection. Are there any plans to change this and allow us to create new roles?

I was hoping to configure a user to be able to reset passwords only for a particular group of users based on partition for example.

Also, why does the documentation suggest to use a separate account for administration rather than the voicemail account?

lindborg Fri, 01/09/2009 - 19:57

Currently there's nothing on any roadmaps I've seen for customizable roles - I think a few more granular roles may be added to the system.

However, it sounds like a custom role isn't really what you want - you want to be able to apply that role to a user who then has a limited scope to apply it (i.e. limit their activity to a defined set of users/handlers/objects). This has been talked about in the context of tenant type application administration but so far as I know nothing is committed at this point.

I've been toying with the idea of scope access using external tools like Audio Text manager but it's a tough problem to solve well given all the possible links into/off of every object - it'll take a chunk of work.

The suggestion to use a separate account for admin rights is pretty standard best-practice stuff - as a rule you don't want to have, say, super user (root) rights on the account you log into the network with every day for checking email and such - you want to use a separate account that you use for special access. The same applies here - as a rule it's best to have your everyday voice mail access account separate from your super-user admin account. One of those things like not running with scissors, it's just a good idea.

lfulgenzi Fri, 01/09/2009 - 20:52

I think custom roles would be a good thing. For example, the User Administrator has a few extra things I'd rather not give to people. A lot of viewing, and some creating/deleting where I wouldn't expect it, i.e. partitions and search spaces.

The tenant based approach is something that I'm looking for as well.

Regarding the separate userIDs, still not getting the picture. We would only log into the admin console when we would need to do admin things anyways. Having everyone have to remember another userID/password is going to end up with a "group" userID/password, which I think is worse. I'll have to think about that some more.

Any thought about putting the admin console on a different port than the user pages? I'd like to be able to use ACLs to allow only trusted networks to access the admin web pages.

lindborg Fri, 01/09/2009 - 20:57

No argument about custom roles - not arguing otherwise. Opening them up for custom setting is a bit more involved than it probably should be (some custom code for enforcing a few of those such as the remote admin role that make it tricky).

The separate logins is just a suggestion, not a directive - ultimately such things come down to personal taste.

Not sure on the ports - something the admin crew and the security OS folks would have to agree on - I can ping the Admin folks for an opinion at any rate...

lfulgenzi Fri, 01/09/2009 - 21:41

OK. Thanks. Let me know what the admin folks say. Even with no role assigned the user can log into the admin console and see the menu in the left hand side - that makes people nervous 'round here.

vivian.le Mon, 07/06/2009 - 11:20

I created a new account that was given just the help desk role and this user was allowed to change the password of the system administrator. This doesn't seem logical that a help desk user is allowed to change the password of a system administrator. This is UC version 7.

