×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.
Chris Deren Wed, 11/30/2005 - 10:17
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 IP Telephony, Contact Center, Unified Communications

Are you talking about CallManager?

What do you mean when you say "phone service"? Do you mean subscribe to IP phone service?

You can enable or install MLA (depending on your version of CCM) and create functional and user group which does not have access to "Cisco IP Phone Services" and assign that group to the restricted user.



Chris

glenn_c_martindell Wed, 11/30/2005 - 11:06
User Badges:

I guess I should have been more specific.

Yes, I meant ip phone services.

I want to be able to give user 1 access to phone service A and B but only allow user 2 access to phone service A. Is this possible?


Thanks, Glenn

sdejustine Thu, 12/15/2005 - 14:27
User Badges:

Absolutely. IP Phone services can be assigned on an individual device basis. One user can have many services, while another may only have one or none at all.

aaronw.ca Fri, 12/16/2005 - 07:43
User Badges:
  • Silver, 250 points or more

If users have access to the CCMUser web interface and if you have "Show Cisco IP Phone Services Settings" enabled (it is enabled by default) in Enterprise Parameters then users can subscribe to any service that you have configured on the CallManager.


In this case, one way to block access to services is to add a password parameter to the restricted services. Users who are allowed access to this service would enter the password when subscribing to the service, and those who are not allowed access would not have the password and would therefore not be able to enter the valid password when subscribing to the service. What would happen here is that when the user called the service from their phone (at run-time), the service (web page) would check the password parameter to make sure this was an authorized request, and if not, would return an "unauthorized" message to the user. A bit of a hack, but it would do the trick.


A second, more complicated solution would involve the restrictied service(s) doing a lookup of the device name using the IP address through the devicelistx report, and you would configure the devices (listing the device names SEP...) that have access to the service in advance. This way you wouldn't have to implement the password scheme (telling authorized users the password, and risking the passwords being shared with unauthorized users) and could have more central control over who executes the services. This wouldn't be as effective in an extension-mobility environment, though (there are ways around that too, but it just complicates things a bit more!). As in the above solution, this allows anyone to subscribe to the service and security is enforced at run-time to block out unauthorized use of the services.


If users do not have access to the CCMUser web interface or if you turn off their access to subscribe to their own services (which means an administrator would be responsible for subscribing users to services; that administrator would be your "security" to ensure that only authorized users received access to certain services), then you wouldn't have to modify the services themselves with the password parameter.


Sorry if that sounds confusing. The short answer is no, you can't control which services a user can subscribe to; either users can subscribe to services themselves or they can't and the administrator does it for them through the admin interface.

Actions

This Discussion