Cisco Unity Connection Administration is a web application that
you use to do most administrative tasks. An administrative account can be used
to access Connection Administration to define how Cisco Unity Connection works
for individual users (or for a group of users), to set system schedules, to set
call management options, and to make changes to other important data, all
depending on the roles to which the administrative account is assigned. If your
site is comprised of multiple Unity Connection servers, an account that is used
to access Connection Administration on one server may be able to authenticate
and gain access to Connection Administration on the other networked servers as
well. To secure access to Connection Administration, consider the following
best practices.
Best Practice: Limit the
Use of the Application Administration Account
Until you create a Unity Connection user account specifically
for the purpose of administering Unity Connection, you sign in to Cisco Unity
Connection Administration using the credentials that are associated with the
default administrator account. The default administrator account is created
during the installation of Unity Connection with the application user username
and password you specify during installation. The default administrator account
is automatically assigned to the system administrator role, which offers full
system access rights to Connection Administration. This means that not only can
the administration account access all pages in Connection Administration, but
it also has read, edit, create, delete and execute privileges for all
Connection Administration pages. For this reason, you should limit the use of
this highly privileged account to only one or to very few individuals.
As an alternative to the default administrator account, you can
create additional administrative accounts that are assigned to roles that have
fewer privileges based on what is appropriate to the administrative tasks that
each person performs.
Note |
Make sure you do not use the following application usernames as this
generate an error:
|
-
CCMSysUser
-
WDSysUser
-
CCMQRTSysUser
-
IPMASysUser
-
WDSecureSysUser
-
CCMQRTSecureSysUser
-
IPMASecureSysUser
-
TabSyncSysUser
-
CUCService
Best Practice: Use Roles to
Provide Different Levels of Access to Cisco Unity Connection Administration
When modifying role assignments to secure access to Cisco Unity
Connection Administration, consider the following best practices:
-
Do not modify the role assignment of the default administrator
account. Instead, create additional administrative user accounts that offer the
appropriate levels of access to Connection Administration. For example, you may
want to assign an administrative user account to the User Administrator role,
which allows the administrator to manage user account settings and access all
user administration functions. Or you may want to assign an administrative user
account to the Help Desk Administrator role, which allows the administrator to
reset user passwords and PINs, unlock user accounts, and view user setting
pages.
-
Create additional administrative user templates that are
assigned to roles that provide varying levels of access. By default, the
Administrator user template is assigned to the System Administrator role. Any
administrative user accounts that are created from the Administrator user
template is assigned to the System Administrator role, which gives
administrators full access to all Unity Connection administrative functions.
Use this Administrator template sparingly to create accounts for administrative
users.
-
By default, the Voicemail User Template is not assigned to any
roles, and should not be assigned to any administrative roles. Instead, use
this template to create accounts for end users with mailboxes. (The only role
that should be assigned to an end user with a mailbox is the Greeting
Administrator role; with this role, the only “administrative” function is to
have access to the Cisco Unity Greetings Administrator, which allows users to
manage the recorded greetings for call handlers by phone.)
Best Practice: Use
Different Accounts to Access a Voice Mailbox and Cisco Unity Connection
Administration
We recommend that Cisco Unity Connection administrators do not
use the same account to access Cisco Unity Connection Administration that they
use to sign in to the Cisco Personal Communications Assistant (PCA) or the
phone interface.