Cisco Support Community
Community Member

CCM 6 Group / Role Security vulnerability!

In CCM6, if I create an application user and give them a small subset of rights, such as Phone Administration, I have noticed that if that admin has the ability to edit end users, they can in turn add end users into Administrative groups! This in effect is a major security vulnerability: an administrator with lower rights can create a new end user and give them every role/right to the CCM box (except super user). I have even verified that the end user can log into the CCM Admin pages with full rights! What is the point of groups and roles then? Am I missing something?

If I do not give phone administrators the ability to edit end users, the phone administrators cannot change an end user's password or associate phones to their profiles…

1 REPLY
Community Member

Re: CCM 6 Group / Role Security vulnerability!

I wish I had a solution. I am trying to sort out the same dilemma. There is little point in trying to limit access if they can elevate themselves to virtually unlimited access by having update abilities for user accounts.
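
The escalation both posts describe, modeled as an added example (not part of the original thread and not Cisco's code): an audit that lists which delegated admins could hand out roles they do not hold, and a grant check that refuses such assignments. The group names, role names and accounts are constructed for illustration and are not CCM's real identifiers.

```python
# Constructed RBAC model; names are illustrative assumptions, not CCM's own.
GROUP_ROLES = {
    "Help Desk":    {"end_user_edit"},
    "Phone Admins": {"end_user_edit", "phone_admin"},
    "Full Admins":  {"end_user_edit", "phone_admin", "server_admin"},
}
MEMBERSHIP = {
    "helpdesk1":   {"Help Desk"},
    "phoneadmin1": {"Phone Admins"},
    "fulladmin1":  {"Full Admins"},
}


def effective_roles(user, membership):
    """Union of the roles of every group the user belongs to."""
    roles = set()
    for group in membership.get(user, ()):
        roles |= GROUP_ROLES[group]
    return roles


def escalation_paths(membership):
    """Audit: for each account that can edit end users, list the groups
    carrying roles the account itself lacks. If user editing includes
    unrestricted group assignment, each entry is an escalation path."""
    findings = {}
    for actor in membership:
        held = effective_roles(actor, membership)
        if "end_user_edit" not in held:
            continue
        gained = {g: sorted(r - held) for g, r in GROUP_ROLES.items() if r - held}
        if gained:
            findings[actor] = gained
    return findings


def add_to_group(actor, target, group, membership):
    """Constrained delegation: an actor may only grant a group whose roles
    are a subset of the roles the actor already holds."""
    held = effective_roles(actor, membership)
    if "end_user_edit" not in held:
        raise PermissionError(f"{actor} may not edit end users")
    missing = GROUP_ROLES[group] - held
    if missing:
        raise PermissionError(f"{actor} cannot grant {group}: lacks {sorted(missing)}")
    membership.setdefault(target, set()).add(group)


if __name__ == "__main__":
    for actor, groups in escalation_paths(MEMBERSHIP).items():
        print(actor, "could grant roles beyond its own via:", groups)
```

With the subset check in place, a phone administrator can still edit end users and place them in groups at or below their own level, which preserves the password and phone-association tasks mentioned in the first post.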
