.. _role-based-access-for-mv-user:
Role-based access for multi vendor users
-----------------------------------------------
.. tip::
:ref:`use-action-search-to-navigate-automate`
Overview
...........
Role access profiles define the permissions that allow users to access services and resources.
Validation checks
....................
When provisioning multi vendor services, the system runs validation checks for multi vendor
user against each of four tiers in the system, at the relevant hierarchy. The service must be
enabled at each tier before the system allows access to the service:
================================= ============================================== ======================================================================================================================================
**Validation** **Interface** **Description**
1. Global Settings Admin Portal Enable the service type at the user's hierarchy level, or above.
Go to **Global Settings (Enabled
tab)**.
2. Entitlement profile Admin Portal Enable the service in the entitlement profile assigned to the user, at the relevant site.
Services can only be provisioned to a user if their entitlement profile allows those services. The entitlement profile lists
Go to the **Profiles** page. the provisioning vendor (per service).
3. Device management Admin Portal The relevant servers must be installed and configured before a service can be provisioned.
For example, a UCM server must be installed before
Go to the **Servers** page. UCM services, such as phones, can be provisioned.
If you have two or more vendors provisioning devices,
Automate verifies that the required servers and devices
are configured and available for your system.
4. Field display policy Admin Portal Clone and edit the default multi vendor user field display policy (default name: ``MultiVendorFDP``).
Configure multi vendor FDP via
**Field Display Policies**
================================= ============================================== ======================================================================================================================================
Multi vendor user access validation example
..................................................
In this example scenario, a customer admin (or higher) provides a user with site admin role with the
ability to view and edit user voice services. The customer admin wants to control the actions
the site admin may perform.
* Only the Cisco Voice service is enabled for this site admin
* The site admin may edit user services
* The site admin may not add or delete user services
The table describes the configuration steps to set up this scenario, and the result:
.. tabularcolumns:: |p{5cm}|p{10cm}|
========================= ================================================================
**Configuration steps**
#. Ensure the system has multi vendor user functionality
installed.
#. At customer level or above, in the Global Settings
(**Enabled Services tab**), enable Cisco UCM only.
#. In the Entitlement Profile for this user, enable Cisco UCM
Voice Service only.
#. At site level, configure the multi vendor user field
display policy for the profile:
* Remove all service cards except Voice.
* Remove Add/Delete fields from the Quick Actions panel.
**Result** The site admin logs in to a multi vendor user enabled
system, at the relevant site hierarchy, and:
* Is unable to add or delete services. Only Edit
is available in the Quick Actions
========================= ================================================================
.. rubric:: Related topics
*
.. raw:: latex
Role-based access in the Core Feature Guide
.. raw:: html
Role-based access
*
.. raw:: latex
Manage users in the Core Feature Guide
.. raw:: html
Manage users
*
.. raw:: latex
Global Settings in the Core Feature Guide
.. raw:: html
Global Settings
*
.. raw:: latex
Entitlement in the Core Feature Guide
.. raw:: html
Entitlement