Access to services

glenn_c_martindell · ‎11-30-2005

Is there a way to allow certain users to install a phone service but restrict it from other users?

Thanks, Glenn

Chris Deren · ‎11-30-2005

Are you talking about CallManager?

What do you mean when you say "phone service"? Do you mean subscribe to IP phone service?

You can enable or install MLA (depending on your version of CCM) and create functional and user group which does not have access to "Cisco IP Phone Services" and assign that group to the restricted user.

Chris

glenn_c_martindell · ‎11-30-2005

I guess I should have been more specific.

Yes, I meant ip phone services.

I want to be able to give user 1 access to phone service A and B but only allow user 2 access to phone service A. Is this possible?

Thanks, Glenn

sdejustine · ‎12-15-2005

Absolutely. IP Phone services can be assigned on an individual device basis. One user can have many services, while another may only have one or none at all.

aaronw.ca · ‎12-16-2005

If users have access to the CCMUser web interface and if you have "Show Cisco IP Phone Services Settings" enabled (it is enabled by default) in Enterprise Parameters then users can subscribe to any service that you have configured on the CallManager.

In this case, one way to block access to services is to add a password parameter to the restricted services. Users who are allowed access to this service would enter the password when subscribing to the service, and those who are not allowed access would not have the password and would therefore not be able to enter the valid password when subscribing to the service. What would happen here is that when the user called the service from their phone (at run-time), the service (web page) would check the password parameter to make sure this was an authorized request, and if not, would return an "unauthorized" message to the user. A bit of a hack, but it would do the trick.

A second, more complicated solution would involve the restrictied service(s) doing a lookup of the device name using the IP address through the devicelistx report, and you would configure the devices (listing the device names SEP...) that have access to the service in advance. This way you wouldn't have to implement the password scheme (telling authorized users the password, and risking the passwords being shared with unauthorized users) and could have more central control over who executes the services. This wouldn't be as effective in an extension-mobility environment, though (there are ways around that too, but it just complicates things a bit more!). As in the above solution, this allows anyone to subscribe to the service and security is enforced at run-time to block out unauthorized use of the services.

If users do not have access to the CCMUser web interface or if you turn off their access to subscribe to their own services (which means an administrator would be responsible for subscribing users to services; that administrator would be your "security" to ensure that only authorized users received access to certain services), then you wouldn't have to modify the services themselves with the password parameter.

Sorry if that sounds confusing. The short answer is no, you can't control which services a user can subscribe to; either users can subscribe to services themselves or they can't and the administrator does it for them through the admin interface.