Configure UCCE 12.0(X) Local Authorization

Available Languages

Download Options

  • PDF     (730.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (763.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (436.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 19, 2019
Document ID:214524

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the steps needed to remove the dependency of microsoft active directory (AD) to manage authorization in Unified Contact Center Enterprise (CCE) components.

    Contributed by Anuj Bhatia, Cisco TAC Engineer.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics: 

    • Cisco Unified Contact Center Enterprise
    • Microsoft Active Directory

    Components Used

    The information used in the document is based on UCCE solution 12.0(1) version.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any step.

    Background Information

    The UCCE 12.X release provides user membership privileges to local user groups on the local Administration Server (AW), which allows users to move authorization out of Active Directory (AD). This is controlled by the registry ADSecurityGroupUpdate which by defult is enabled and avoids the use of Microsoft AD Security Groups to control user access rights to perform setup and configuration tasks.

    Note: If business wishes to choose the prior behaviour, ADSecurityGroupUpdate flag can be changed to 1 which allows updated to Active Directory (AD)

    To move authorization out of AD requires a one-time task on each AW server machine to grant the required permissions for the UcceConfig group and this document aims to showcase the steps needed to configure these permission's along with an example of how to map a domain user as a part of CCE Configuration and Setup group.

    Configure

    To Grant UcceConfig group permissions in local AW server is a two step process: first, permissions are provided at the registry level, and second, passed on to the folder level.

    Step 1. Configure Registry Permissions

    1.  Run the regedit.exe utility.

    2.  Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2.

    3.  In Permissions under security tab Select UcceConfig group and check Allow for the Full Control option.

    4. Repeat the previous steps to grant Full Control to the UcceConfig group for registries

    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Cisco Systems, inc.\ICM
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Cisco Systems, inc.\ICM

    Step 2. Configure Folder Permissions

    1. In Windows Explorer, select C:\icm and go to Properties.


    2. In Security tab, select UcceConfig and check Allow for the Full Control option.

    3. Select OK to save the change.

    4. Repeat the previous steps to grant full control to the UcceConfig group for C:\Temp folder. 

    As Day 0 preliminary configuration has been acheived, look at the steps on how you can promote a domain user to have configuration and setup rights.

    Step 3: Domain User Configuration 

    1. Create a domain user in AD, for this excercise testconfig1 user had been  created.

    2. Log in into the AW server with a domain adim or local admin account. 

    3. In configuration manager through User list tool add the user and check the configuration option.

    Prior to 12.0 version this change would have updated the Config security groups in the domain under an instance Organizational Unit (OU), but with 12.0 the default behaviour is that it does not add that user to the AD group. As shown in the image, there is no update of this user in the domain ICM Config security group.

    4.  In the AW Server under computer management > Local Users and Groups > Groups select UcceConfig and add testconfig1 user into it.

    5. Log out from the machine and log in with the crendentials of testconfig1 user. As this user has configuration rights it will be able to run CCE configuration tools such as the Configuration Manager , Script or Internet Script  Editor.


    6. However , If the user tries to execute any task which require setup rights it fails.

    This example showcases testconfig1 user  changing peripheral gateway (pg) configuration and system restricts the change with a warning message.

    7. If business requires this user to have setup rights along with config, then you has to ensure the user is added to the AW server Local Admin group.

    8. In order To acheive, log in to the AW server with the domain or local admin rights account and via computer management > Local Users and Groups > groups select Groups and in Administrators add the user to the user.

    9. In Configuration manager through User list tool select the user and check the setup option.

    10. The user is now able to access all the resources of CCE application in that AW server and make desired changes. 

    Verify

    The verification procedure is actually part of the configuration process.

    Troubleshoot

    There is currently no specific troubleshooting information available for this configuration.

    TAC Authored

    Contributed by Cisco Engineers

    • Anuj Bhatia
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products