.. _create_a_user:

Add an Admin User
------------------

.. _20.1.1|VOSS-551:
.. _20.1.1|EKB-6059:
.. _21.2|VOSS-873|EKB-10405:
.. _21.3|VOSS-911:
.. _21.3|VOSS-891:

This procedure adds an admin (administrator) user, using VOSS Automate.

**To manually create an Admin user**:

.. important::

   If the user is to be a multi-role admin user, the user should first reside at site level
   and then be assigned a self-service **Role** by the administrator, as well as a selected
   **Authorized Admin Hierarchy** instance that has an administrator role. If needed, this
   step should also be carried out manually in the case of synced in users or users moved
   to a site.

   Note that enabling the system setting **Additional Role Access Profile Validation** will
   restrict **Authorized Admin Hierarchy** roles to those with linked access profiles that
   are in the *subset* of the administrator's own access profile.

   .. raw:: latex

      See: Additional Role Access Profile Validation in the Advanced Configuration Guide.

   .. raw:: html

      See: Additional Role Access Profile Validation

   If the role is set to an administrator role and an **Authorized Admin Hierarchy** instance
   is also specified for the user, the role on **Authorized Admin Hierarchy** takes precedence.
   This is not a recommended configuration.

.. note::

   Fill out at least the mandatory details on the form. Note that the read-only User Type
   field can have the values:

   * "Admin". This value is defined by the admin role.
   * "End User + Admin". This value is defined by a ``data/AuthorizedAdminHierarchy``
     instance associated to the user as well as a self-service role.

1. Log in at the hierarchy node where you want to create the Admin user.
2. Go to (default menu) **User Management > Users** to open the **Users** form.
3. Click **Add**.
4. On the tabbed pages of the Users form, fill out field values.
5. Click **Save**. The new admin user is added.

.. important::

   Users are typically added or updated on VOSS Automate from the sync source, such as LDAP,
   CUCM, or CUC. See :ref:`user-sync-source` for more details.

   Sync source precedence may override user input. When updating a user on VOSS Automate and
   the following conditions exist, field values are updated from the sync source and not from
   data input to VOSS Automate (in this case, the fields are read-only in the Admin Portal):

   * Exists on a sync source
   * Has mapped fields
   * Has a higher precedence than LOCAL (VOSS Automate) data

.. rubric:: Related Topics

* :ref:`user-field-mapping`
* :ref:`authorized-admin-hierarchies`
* :ref:`user-login-auth-method-srv-auth-scope`
* :ref:`update-a-user`
* :ref:`cisco-ms-hybrid-subscribers`

User Details Tab
.................

.. tabularcolumns:: |p{2.5cm}|p{12.5cm}|

+--------------------------+----------------------------------------------------------------------+
| Fields                   | Description                                                          |
+==========================+======================================================================+
| User Name\*              | Sign-in username. This field is mandatory.                           |
+--------------------------+----------------------------------------------------------------------+
| Role\*                   | Choose the user's role. This field is mandatory.                     |
+--------------------------+----------------------------------------------------------------------+
| Entitlement Profile      | Choose the entitlement profile that specifies which devices and      |
|                          | services the user is entitled to.                                    |
+--------------------------+----------------------------------------------------------------------+
| Language                 | Choose the user's language.                                          |
|                          |                                                                      |
|                          | Note:                                                                |
|                          |                                                                      |
|                          | If no language is selected, the language is                          |
|                          | inherited from the nearest hierarchy node                            |
|                          | (at or above the user) that has a default                            |
|                          | language configured. If no default language                          |
|                          | is configured anywhere in the hierarchy at                           |
|                          | or above the user, the user's language is                            |
|                          | English.                                                             |
|                          |                                                                      |
|                          | Note:                                                                |
|                          |                                                                      |
|                          | If a language is manually set for a user,                            |
|                          | that language remains unchanged even if the                          |
|                          | user is moved to a new place in the                                  |
|                          | hierarchy. However, if the language is                               |
|                          | inherited, then the user's language changes                          |
|                          | when the user is moved to a hierarchy node                           |
|                          | that has a different default language.                               |
+--------------------------+----------------------------------------------------------------------+
| Exclude from             | If this check box is selected, the user will **not** appear in       |
| Directory                | the corporate directory accessed via VOSS Automate Phone Services    |
|                          | - [#]_                                                               |
+--------------------------+----------------------------------------------------------------------+
| Sync Source              | Identifies the application from which the                            |
|                          | user (and user data) was synced, i.e. LOCAL                          |
|                          | (VOSS Automate), CUCM or MS-LDAP. This field is                      |
|                          | read only.                                                           |
+--------------------------+----------------------------------------------------------------------+
| User Type                | Read-only. Determined by the role interface.                         |
|                          | ("Admin", "End User" or "End User + Admin") - [#]_                   |
+--------------------------+----------------------------------------------------------------------+
| Auth Method              | Identifies the authentication method for the                         |
|                          | user - [#]_                                                          |
|                          |                                                                      |
|                          | This section is *applicable to End Users only*.                      |
|                          |                                                                      |
|                          | * Local - VOSS Automate User                                         |
|                          | * Automatic - If LDAP or SSO set at hierarchy or above, use this     |
|                          | * LDAP - [#]_                                                        |
|                          | * SSO - [#]_                                                         |
+--------------------------+----------------------------------------------------------------------+
| LDAP Server and Username | Only editable when **Auth Method** is LDAP                           |
+--------------------------+----------------------------------------------------------------------+
| LDAP Username            | Only editable when **Auth Method** is LDAP                           |
+--------------------------+----------------------------------------------------------------------+
| SSO Identity Provider    | Only editable when **Auth Method** is SSO                            |
+--------------------------+----------------------------------------------------------------------+
| SSO Username             | Only editable when **Auth Method** is SSO. Defaults to VOSS Automate |
|                          | username.                                                            |
+--------------------------+----------------------------------------------------------------------+
| Authorized Admin         | Selected for users with multiple user roles to enable administrative |
| Hierarchy                | capabilities for end users. [#]_                                     |
+--------------------------+----------------------------------------------------------------------+

.. [#] See :ref:`phone-services-feature-setup`
.. [#] See Authorized Admin Hierarchies and Roles under :ref:`role_based_access`
.. [#] See :ref:`user-authentication-methods`
.. [#] See :ref:`view_and_update_ldap_authentication_users`
.. [#] See :ref:`sso-overview`
.. [#] See :ref:`authorized-admin-hierarchies`

Account Information Tab
.........................

This tab allows the administrator to manage user account information, including:

* Change Password on next Login
* Credential Policy
* Disabled (Y/N)
* Reason for Disable
* Time Locked Due to Failed Login Attempts
* Time of Last Successful Login
* Locked (Y/N)
* Number of failed login attempts since last successful login
* Time of last password change
* Time of last password change by user

Contact Information Tab
........................

This tab is relevant only to end users. It defines contact information for the user, such as
employee number, employee type, country, state, street, department, manager, fax number,
directory URL, Jabber ID, telephone number, mobile, and IP phone.

Hybrid Status Tab
..................

This tab is relevant only to end users and is available if the Global Setting
**Enable Cisco / Microsoft Hybrid** is enabled on the **Enabled Services** - see
:ref:`global-settings`.

For details on the **Hybrid Status** tab and managing hybrid users, see:
:ref:`cisco-ms-hybrid-subscribers`.

Provisioning Status
....................

Provides a read-only view of the user's provisioning status, including multi-vendor
provisioning if applicable.

Assigned Lines Tab
...................

This tab is relevant only for hybrid multi-vendor scenarios. The fields are blank by default.

The fields on this tab are used to capture line details for users set up with an integrated
service between two vendors (for example, Cisco and Microsoft).

Provisioning Status Tab
........................

This tab is relevant only to end users. It provides a view showing the composition of the
user, which typically includes:

* CUCM
* CUC
* VOSS User Hierarchy
* CUCM User Hierarchy
* CUC User Hierarchy
* CUCM 1 to N

Select the **Provisioned** check box to view additional CUCMs if applicable.

If the user is added to an LDAP server (see the **LDAP** section below), then the
provisioning status will also show the server here next to the **LDAP** label.

Services Tab
.............

This tab is relevant only to end users, and provides direct links to the associated user
apps, including: CUCM User, CUC User Voicemails, Webex App user, Pexip, UCCX Agent,
MS 365 user, MS Teams user, and MS Exchange user.

For example, clicking on the link for MS Exchange user opens the user's User Mailboxes
settings page.

Custom Tab
...........

This tab is relevant only to end users. It holds user-defined customized strings and booleans.

LDAP Tab
.........

If a secure Microsoft Active Directory LDAP server (port ``636``) is configured higher in the
user hierarchy and the server has **Enable Write Operations** checked, user details can be
managed on the server if it is selected from the **LDAP Server** drop-down list. Only secure
LDAP servers are listed. If no suitable servers have been set up, then the tab will not
display any fields.

If no such Microsoft Active Directory LDAP server is configured and enabled, the tab will show
a message to indicate this. For server setup details, see: :ref:`set_up_an_ldap_server`.

If the Microsoft Active Directory LDAP server is configured and the user already exists on
this server, the tab will show a message to indicate this.

The **User Account Control** drop-down supports the following values: **Normal Account**,
**Enabled, Password Not Required** and **Enabled, Password Doesn't Expire**.

.. important::

   * User management on the LDAP server from this tab is *not* supported if the
     **LDAP server** is not secure, in other words if indicated with port ``389``.
   * When adding a user to the LDAP server for the *first* time:

     * A **Password** is required.
     * The **Action > Push To Ldap** menu must be used to add the user. The **Save** menu
       can then be used upon subsequent user updates on the LDAP server. (If the **Save**
       button is used the first time, other user details will be saved, but no LDAP user
       is added.)

     When the LDAP user is added, the **User Details** tab will show the **Sync Source**
     and **Sync Type** of the user as ``LDAP``.

For details on updating and deleting the user on the LDAP server, see: :ref:`update-a-user`.

.. note::

   * If SSO is enabled for the hierarchy node where the user is added, the corresponding
     SSO user is created.
   * IdPs are not configured at the site hierarchy node. Therefore, you can enable SSO for a
     user created at the site level only by performing these steps: open the **SSO User**
     form (default menu **Single Sign On > SSO User**), click **Add**, and choose the IdP
     that can authenticate the user.
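
The **User Account Control** choices on the LDAP tab end up as bits in the Active Directory ``userAccountControl`` attribute, and two of the three relax password policy. The following is an added example, not VOSS Automate code: it decodes that attribute, builds the AD bitwise-AND search filter for a flag, and lists enabled accounts that carry a weak flag. The mapping of the drop-down labels to the values 512, 544 and 66048 is an assumption, and the sample entries are constructed.

```python
# Documented AD userAccountControl bit values.
FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
}
ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD = FLAGS

# Assumption: the drop-down labels correspond to these common AD values.
DROPDOWN_VALUES = {
    "Normal Account": NORMAL_ACCOUNT,                                         # 512
    "Enabled, Password Not Required": NORMAL_ACCOUNT | PASSWD_NOTREQD,        # 544
    "Enabled, Password Doesn't Expire": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,  # 66048
}


def decode_uac(value):
    """Return the names of the known flags set in a UAC value, lowest bit first."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]


def bit_and_filter(flag):
    """LDAP filter for user objects with `flag` set (AD bitwise-AND matching rule)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:1.2.840.113556.1.4.803:={flag}))")


def audit(entries):
    """Return (account, weak flag names) for enabled accounts with a weak flag."""
    findings = []
    for entry in entries:
        uac = int(entry["userAccountControl"])  # LDAP returns the value as a string
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot sign in
        weak = [FLAGS[f] for f in (PASSWD_NOTREQD, DONT_EXPIRE_PASSWD) if uac & f]
        if weak:
            findings.append((entry["sAMAccountName"], weak))
    return findings


# Constructed sample entries, shaped like an LDAP search result.
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},
    {"sAMAccountName": "bob", "userAccountControl": "544"},
    {"sAMAccountName": "carol", "userAccountControl": "66048"},
    {"sAMAccountName": "dave", "userAccountControl": "546"},  # 544 plus disabled
]
```

Running ``audit`` over the result of a directory search that uses ``bit_and_filter(PASSWD_NOTREQD)`` gives a review list of accounts created with **Enabled, Password Not Required**.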