Multiple Unity servers, grant admin rights to one AD account...

Answered Question
Apr 29th, 2010

I need the ability to grant unityaccess to one AD account and allow that single user to manage multiple Unity servers. I don't see any way to do this; we cannot create more than one AD account for these users.

Suggestions?

David Hailey Thu, 04/29/2010 - 11:58

Jeff,

I need you to clarify a bit for me. Is the problem that you:

1) You have users that are also subscribers that you would like to give admin rights to via the Grant Unity Access tool BUT you are not allowed to create a second "admin" account for them in AD?

OR

2) You want to use a single AD account to manage multiple Unity servers and you thought you would need to use the Grant Unity Access tool for that?

I suspect option 1 but I have to ask for due diligence.

Hailey

Please rate helpful posts!

Jeff Garner Thu, 04/29/2010 - 13:02

Option 1, the user is a subscriber on Unity box A; because of this I cannot create them as a subscriber on Unity box B, which would allow me to grant their account admin access.

So without having a second AD account and without granting them access via the grantunityaccess tool to, say, example administrator, how do we give them access to Unity box B?

Correct Answer
William Bell Thu, 04/29/2010 - 13:24

Access to the Unity system (SAWeb) requires that accounts have permissions at two levels: the OS and the application. I am guessing you were hoping for a way to use OS permissions to allow the AD accounts to access the SAWeb. While you do need to modify local box OS permissions to facilitate this, it will not allow the user to manage the "application". That is what the grantunityaccess tool can do.

I take it you aren't a fan of that approach but I did a write up on this topic that may be helpful. It is a quick read.

http://www.netcraftsmen.net/resources/blogs/adding-unity-saweb-administr...

You don't need to associate the AD account to the EAdmin nor do you need to create a second AD account. Though, to be honest that is our recommendation. But it isn't strictly required. You will, however, need an AD account that serves as a "dummy" account for the VM mailbox that you need to create. This "dummy" account needs an exchange mailbox and is just like a standard user EXCEPT as follows:

1. The AD account itself is disabled (or can be)

2. The Unity mailbox account is configured with Unity CoS permissions so that the user of the account can do admin-level tasks

The idea is that you use grantunityaccess to associate your AD user account to the new "dummy" user. We like to use something like "tier1admin" and "tier2admin", etc. The idea here is that "tier1" may be able to add mailboxes while "tier2" can do everything.

Maybe it is a different spin on the grantunityaccess tool that you didn't account for, maybe not. Hopefully it is helpful.

Regards,

Bill

Jeff Garner Thu, 04/29/2010 - 13:30

Yes, this is our current approach; however, we do not like it. When you expand this to multiple admins and multiple Unity boxes, what do you do for auditing? Are all actions completed at the application level now recorded under the dummy account?

As a side question why does unity restrict itself to only allowing one unity server per AD account?  Why not allow the ability to create subscribers pointing to the same AD account on multiple unity boxes?

Correct Answer
David Hailey Thu, 04/29/2010 - 13:37

To answer the second question, Unity relies on AD/Exchange and outside of Template or CoS - there really isn’t any distinction between an admin and what you would deem a typical subscriber. A subscriber is a subscriber.

This is where Unity Connection has an advantage - since there is no reliance on AD, you have the concept of Users with Mailboxes (Subscribers) and Users without Mailboxes (Administrators - or other pre-defined roles). So going back to the reliance on AD/Exchange, in Unity - every user is a user with a mailbox. So, once a Subscriber is associated with a particular Unity server, an attribute is updated within the AD properties for their account. If you move users between servers within a single domain, you have to clean that association up (the GSM tool is made for this).

Hailey

Please rate helpful posts!

Jeff Garner Thu, 04/29/2010 - 13:42

Thanks for the information, I wonder if there was some sort of architecture reason to limit a one to one relationship between an AD mailbox and a unity subscriber.

As to the permissions, the ideal situation would be to be able to pair an AD group up with access to the Unity application and be able to set COS rights to that AD group. Then we could add admin accounts into said AD group and they would be granted access to the application...

David Hailey Thu, 04/29/2010 - 13:50

Well, technically you could do that. Unfortunately, with Unity you end up eating up licenses for administrative accounts (hence, the GrantUnityAccess method). In your case, it would also require 2 accounts for each admin. So, your AD group might be UnityAdmins. John Doe would have JDoe-UnityA (AD account for admin user on UnityA) and JDoe-UnityB (AD account for admin user on UnityB). It's a little ugly (OK, more than a little actually) and not a recommendation on my part...but if that's what you want, that's essentially how it would work based on my knowledge of Unity. You should see if you can catch Jeff Lindborg on the forums at some point - he's the Unity Guru at Cisco and is on NetPro quite a bit. Great guy, if there's another way to do it - he could tell you how or why not.

Hailey

Please rate helpful posts!

William Bell Thu, 04/29/2010 - 13:53

I see that Hailey and you have a dialog going while I write this, so hopefully I am not being too redundant.

Security audit logs on the system will record access from the actual AD account, not the "dummy" account. Actually I never thought Unity had an application level accounting option that was worth anything. Meaning, the ability to say "hey, jeff was the one who deleted hailey's mailbox on 4/29/2010". Is this possible? I know that the IIS logs and OS Security event logs will record the transactions as coming from "jeff" not the bogus/dummy account.

As far as your side question, not sure. I suspect it may have something to do with the message store back end. With Exchange (at least) I believe you must maintain a 1:1 ratio between a user and a mailbox. We aren't discussing permissions to open another mailbox per se just the simple fact that one user == one mailbox. With Unity all 'subscribers' are mailbox owners. So, I suspect the hurdle to cross is with the message store. With unity connection, you can create admin-level users that are not mailbox owners and it becomes a different dynamic altogether.

Also, Unity would require a subscriber account with a mailbox, which would mean an additional license unit is consumed. I would think that would tip the scales in a direction against setting up multiple accounts on multiple servers. But maybe that is just me.

HTH.

Regards,

Bill
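Bill's point about auditing is the one a security reviewer will care about: the application only knows the dummy subscriber, but the IIS log (cs-username) and the OS Security event log record the real AD account that authenticated. The script below is an added illustration, not code from this thread or from Cisco: it parses a constructed IIS W3C log for the SAWeb admin pages, drops the unauthenticated 401 challenge rows, joins each request to a made-up GrantUnityAccess mapping (real account to tier account), and groups the state-changing POSTs by the real person. The /web/sa/ path, the log lines and GRANT_MAP are all assumptions and are labelled as such in the code.

```python
"""Added example (not from the thread, not Cisco's code): rebuild a per-person
audit trail for the Unity SAWeb from the IIS W3C log, which records the real
AD account in cs-username even though the application acts as the dummy
subscriber that GrantUnityAccess mapped that account to.

Assumptions not stated on the page: SAWeb lives under /web/sa/, the log lines
are constructed, and GRANT_MAP is a made-up record of the tier accounts.
"""
from collections import defaultdict
from datetime import datetime

SAWEB_PREFIX = "/web/sa/"   # assumed location of the System Administration pages

# Constructed IIS W3C extended log. Column order is defined by the "#Fields:"
# directive, so the parser reads it rather than hard-coding positions.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-04-29 17:55:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2010-04-29 17:55:02 10.0.0.5 GET /web/sa/default.asp - 80 LAB\jeff 10.0.0.50 200
2010-04-29 17:55:40 10.0.0.5 POST /web/sa/subscribers/delete.asp alias=hailey 80 LAB\jeff 10.0.0.50 302
2010-04-29 17:56:10 10.0.0.5 GET /web/sa/subscribers/default.asp - 80 LAB\dhailey 10.0.0.51 200
2010-04-29 17:57:03 10.0.0.5 GET /web/sa/default.asp - 80 - 10.0.0.52 401
2010-04-29 17:58:11 10.0.0.5 GET /web/default.asp - 80 LAB\jeff 10.0.0.50 200
"""

# Constructed: real AD account -> dummy subscriber it was granted access through.
GRANT_MAP = {r"LAB\jeff": "tier2admin", r"LAB\dhailey": "tier2admin"}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # may reappear mid-file after a log roll
            continue
        if line.startswith("#"):
            continue                       # #Software, #Version, #Date, ...
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split(" ")           # space-separated; spaces in values are encoded as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield dict(zip(fields, values))


def saweb_audit(text, sa_prefix=SAWEB_PREFIX, grant_map=GRANT_MAP):
    """One audit record per authenticated SAWeb request, keyed to the real AD user."""
    trail = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(sa_prefix):
            continue                       # not the admin UI
        if rec["cs-username"] == "-":
            continue                       # anonymous row, e.g. the 401 challenge before NTLM/Kerberos completes
        trail.append({
            "when": datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"),
            "ad_user": rec["cs-username"],                      # the real person (OS layer)
            "acts_as": grant_map.get(rec["cs-username"], "(no GrantUnityAccess mapping)"),  # what Unity sees
            "method": rec["cs-method"],
            "page": rec["cs-uri-stem"],
            "query": "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"],
            "client": rec["c-ip"],
            "status": int(rec["sc-status"]),
        })
    return trail


def state_changes_by_user(trail):
    """Group requests that can change state (POSTs) by the real AD account.

    This answers "who deleted X" even though Unity only knows the tier account.
    """
    out = defaultdict(list)
    for r in trail:
        if r["method"] == "POST":
            out[r["ad_user"]].append((r["when"].isoformat(), r["page"], r["query"]))
    return dict(out)


if __name__ == "__main__":
    for user, actions in state_changes_by_user(saweb_audit(SAMPLE_IIS_LOG)).items():
        for when, page, query in actions:
            print(f"{when} {user} (as {GRANT_MAP.get(user, '?')}) POST {page} {query}")
```

Two practical notes: the 401 row carries "-" as cs-username, so a naive count of "requests per account" over-reports anonymous traffic unless you drop it; and because the mapping from real account to tier account lives outside Unity, keep a dated copy of it with the logs, otherwise an old entry cannot be tied back to the rights that account held at the time.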

David Hailey Thu, 04/29/2010 - 13:32

Looking at it briefly, I see 2 options off the top of my head. There may be more - but I'll have to give that further thought.

1) Users would have to share access to an admin account - UnityAdmin, EAdmin, etc. I recommend against the system default accounts typically, so you could create another admin account with appropriate rights that the users share. I don't like this approach too much myself but it works.

2) Grant Unity Access is an option. I'm not sure if you're opposed to it or if there is another reason you're ruling it out. I have, in my lab, had 2 Unity systems up. So, Unity A and Unity B. On Unity A, my test "subscribers" are different than those on Unity B; however, both reside in the same domain (e.g., LAB). On Unity B (or vice versa), I can grant access to a user's existing AD account by associating them with EAdmin or a generic Admin account I have previously created (preferred approach IMO). It requires minimal rights on the OS and it works well.

As I'm typing this, I see my colleague (Bill) just responded to this thread as well. He's provided you with the same information I was going to give as well. Go check out Bill's blog, it's straight-forward and is a good option for this sort of thing. Let us know if you have questions or were looking for a different way of doing things. Unity Connection is a bit more robust when compared to Unity for allocating admin user accounts and privileges but, nonetheless, you have to live within the capabilities of the Unity product.

Hailey

Please rate helpful posts!
