04-19-2014 03:30 PM - edited 03-16-2019 10:31 PM
Hello Cisco Support Community,
I'm searching for a way to give a user the permission to use the Real-Time Monitoring Tool.
I tried to give the user the same roles as my default admin account has (Audit Administrator and System Administrator).
Now the user can do all the admin tasks, but when he starts RTMT it gives me: "Access forbidden"
Any ideas?
I tried it with CUC 9.1(2)SU1
04-22-2014 01:02 AM
Hi,
Try to add this Role in the Application User or End User:
The user can access the admin page of CUCM, but only with read permission, and he can access the RTMT.
Regards.
04-22-2014 01:22 AM
Hello romeo,
Thanks for the answer, but this does not work in Unity Connection.
04-22-2014 01:41 AM
OK, that is for CUCM. So sorry.
Regards
04-23-2014 12:50 PM
Hello r.rung,
By "searching for a way to give a user", do you mean a mailbox user or an admin user?
If you just try with the System Administrator role, do you get the same message?
Are you using an RTMT (Real Time Monitoring Tool) version downloaded from the CUC admin page, or are you attempting with the RTMT downloaded from CUCM?
If your CUC is a cluster, have you tried logging into the other node?
Have you tried re-installing RTMT?
Regards,
9avi9
04-24-2014 07:17 AM
Hello davrojas,
Thanks for the answer.
Basically I wanted to give a mailbox user the right to start RTMT, but for you I tested both:
1. an LDAP-imported mailbox user with the role "System Administrator"
2. an LDAP-imported admin user with the role "System Administrator"
3. an AXL-imported mailbox user with the role "System Administrator"
All 3 are giving me: Access forbidden. Forbidden
If I type in a different password I get another error, so the authentication works correctly.
I tried reinstalling RTMT, and the same RTMT works fine for the default admin user which I created in the installation phase.
Just to give you an idea why I want to do this: I want to enable Single Sign-On for RTMT for Unity Connection, and when I enable it I need the permission for an LDAP user because there is no way to enter credentials any more after that.
04-25-2014 03:49 PM
Hello r.rung,
Unfortunately I must say this is a bottleneck type of situation and expected, as this uses the OS admin account. You can only have one OS admin account and several application admin users; you cannot create other separate OS admin accounts.
Regards,
9avi9
05-02-2014 12:34 PM
OK, so this means:
Basically Single Sign-On for the RTMT tool is a supported feature for Unity Connection, but you can't really use it because there is no way to give an LDAP user the permission to use RTMT, right?
05-02-2014 12:51 PM
Hello r.rung,
Based on the following link:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/8x/security/guide/8xcucsecx/8xcucsec061.html
"
Cisco Unity Connection 8.6 and later versions support the single sign-on feature that allows end users to log in once and gain access to use the following Cisco Unity Connection applications without signing on again:
• Cisco Personal Communications Assistant
• Web Inbox
• Cisco Unity Connection Administration
• Cisco Unity Connection Serviceability
"
Where exactly did you read it was supported for RTMT (Real Time Monitoring Tool)?
05-07-2014 08:54 AM
Ohh, you're right.
I'm sorry. Just the availability of the option to enable SSO for RTMT is no indication that this is really supported. My mistake...
05-07-2014 09:04 AM
Hello r.rung,
The option to enable SSO depends on the version of RTMT (Real Time Monitoring Tool) and the application you are using it for as well.
In the guide below for RTMT version 9.0.1 you will see it is supported for the IM and Presence server, but nowhere is CUC mentioned.
Cisco Unified Real-Time Monitoring Tool Administration Guide, Release 9.0(1)
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/service/9_0/rtmt/CUCM_BK_CA3A517A_00_cisco-unified-rtmt-administration-90/CUCM_BK_CA3A517A_00_cisco-unified-real-time-monitoring-tool_chapter_01000.html
So I think we can wrap this one up :)
04-24-2014 06:41 PM
Hi
Try to create an additional user in the CUC CLI using the set account command with privilege 0 or 1. I hope it may work out.
04-25-2014 02:05 AM
I tried it with the set account CLI command, but it gives me: Access is denied, please make sure user name and password ... are correct.
Because you can't use an OS account for RTMT...