Cisco Unified Contact Center Enterprise 9.0(1)
Serviceability Best Practices Guide for Unified ICM/Unified CCE & Unified CCH
©2012 Cisco Systems, Inc.
d. Save the file and quit Notepad.
e. Restart the Diagnostic Framework service.
Note: A Diagnostic Framework user does not require administrative privileges on the server to access the service.
User authentication (validating the username and password) is managed by Windows or
Active Directory. Therefore, all valid and invalid sign-in attempts are logged in the Windows
Event Viewer (provided that login/logout auditing is enabled). User authorization
(validating group membership and, optionally, Unified ICM instance access) is managed by the
Diagnostic Framework service. Hence, all authorization requests can be audited through the
Diagnostic Framework logs.
Note: A user may be a valid Windows or Active Directory user but not a member of the security
groups required for access to the Diagnostic Framework service. As a result, even though the user passes
authentication, the user may not pass authorization.
Because the Diagnostic Framework user is managed by Windows or by Active Directory, the
user is subject to the password policies of the server or the domain. Always follow best
practices and set strong password policies. For more information about system hardening and
password policies, see the Security Best Practices Guide for Unified ICM/Unified
CCE/Unified CCH Release 8.0.
10.1.3.1.1 Special Consideration for Servers with Multiple Unified ICM Instances
This section applies to environments, such as service providers, that have multiple Unified
ICM instances on each server.
The domain user is authorized against the CONFIG domain security group of the Unified
ICM instance. If there are multiple instances on the server, the service needs to know
which instance security group to authorize against. Therefore, on a server with multiple Unified ICM
instances, the ICM instance name must be passed as one of the parameters of each
request when authorizing a domain user. If the instance name parameter is not passed, the
domain user authorization fails. The local user is free from this requirement because there is
only one local group per server. Furthermore, when a domain user accesses the
service, the response is crafted only for the specific instance that user belongs to. However,
when a local user accesses the service, the response includes information for all
instances on that server. This gives service providers the flexibility to control access to information
collection for one or all instances.
On a single instance server, the instance name is not required when you access an API.
Because there is only one instance on the server, the domain user is authorized against the
CONFIG domain security group of that instance.
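The authorization rules above (instance name required for domain users on multi-instance servers, local users exempt, response scoped to one instance for domain users and to all instances for local users, domain authorization switchable off in the service configuration) can be modelled as a small decision function. This is an added illustration, not Cisco's code: group membership and the servers are constructed in-memory data, whereas the real service checks Windows or Active Directory groups.

```python
from dataclasses import dataclass, field

@dataclass
class Server:
    instances: list            # Unified ICM instance names on this server
    local_admins: set          # members of the single local security group
    config_groups: dict        # instance name -> members of its CONFIG domain group
    domain_auth_enabled: bool = True  # can be disabled in the service config file

@dataclass
class Decision:
    status: int                # 200 authorized, 403 denied
    scope: list = field(default_factory=list)  # instances the response may cover
    reason: str = ""

def authorize(server, user, user_type, instance=None):
    """Authorization decision for a 'local' or 'domain' user (hypothetical model)."""
    if user_type == "local":
        # One local group per server: no instance name needed, and a local
        # user receives information for all instances on the server.
        if user in server.local_admins:
            return Decision(200, list(server.instances))
        return Decision(403, reason="not a member of the local group")
    if user_type != "domain":
        return Decision(403, reason="unknown user type")
    if not server.domain_auth_enabled:
        return Decision(403, reason="domain authorization disabled in service config")
    if len(server.instances) > 1:
        if instance is None:
            # Multi-instance server: the service cannot pick a CONFIG group.
            return Decision(403, reason="instance name required on multi-instance server")
        target = instance
    else:
        target = instance or server.instances[0]  # single instance: name optional
    if target not in server.instances:
        return Decision(403, reason=f"unknown instance {target!r}")
    if user in server.config_groups.get(target, set()):
        # Response is crafted only for the instance the domain user belongs to.
        return Decision(200, [target])
    return Decision(403, reason=f"not in CONFIG group of {target}")

# Constructed sample servers (not real deployment data).
MULTI = Server(instances=["inst1", "inst2"], local_admins={"localadmin"},
               config_groups={"inst1": {"alice"}, "inst2": {"bob"}})
SINGLE = Server(instances=["inst1"], local_admins=set(),
                config_groups={"inst1": {"alice"}})
```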
The table below summarizes all authorization combinations. Remember that you can
completely disable domain authorization through the service configuration file.
Table 10-2: Domain Authorization Combination

Unified ICM Instances on Server | User Type | Instance Name Provided | Authorization Criteria | Response Content on Successful Authorization
Multiple | Domain | No | Fail authorization, user must | HTTP 403 – Access