Delegate permission to sync LDAP

Unanswered Question
Aug 17th, 2010

Is there a way to grant a user the ability to synchronize LDAP without giving them full admin rights?  This applies to both UCM and Unity Connection.  When adding new users to the system we add them to Active Directory, and then create their phone & voice mailbox.  After creating their AD account we synchronize LDAP in UCM and UC so the new accounts are visible to those systems.  When I do it myself it's not a problem because I have full admin rights, but I'd like to delegate the permission to sync LDAP to our technical support staff who don't have full admin rights on the phone system.  It's not realistic to expect them to wait for the next scheduled LDAP sync to occur.

philip.e.denton Tue, 08/17/2010 - 11:43
User Badges:
  • Silver, 250 points or more

Try using End User Roles to delegate administrative rights to the end users you want to promote to various administrative roles.  I don't have access to a CUCM or UConn cluster at the moment to verify that LDAP Syncing is a task that can be delegated; however, use the guide linked below to guide you through the role administration process.  Sorry I couldn't be of more help!

craig.petty Wed, 08/25/2010 - 06:24

Unfortunately there is not enough granularity to allow users to 'Perform Full Sync Now' without also granting permission to make LDAP directory configuration changes.  The closest thing you can do in a role is grant read/update on 'LDAP Directory Configuration Pages'.

Too bad.

philip.e.denton Wed, 08/25/2010 - 06:33
User Badges:
  • Silver, 250 points or more

Well dang.  I don't feel like there's a ton of danger allowing access to that portion of CCMAdmin as long as they know the only button they're supposed to press on that screen is "Perform Full Sync Now"!

chirpari Wed, 05/24/2017 - 14:41
User Badges:
  • Cisco Employee,

Any third party tool or AXL API that can be used to achieve this?

thawthorne_6 Wed, 03/13/2013 - 08:04

I have this problem too. The LDAP Directory Configuration Pages option works perfectly for the Call Manager LDAP sync, but that setting doesn't transfer over to Unity. And the Unity roles don't allow you to copy and reconfigure them like Call Manager does. So right now it's either give them the technician role or no LDAP sync.
