.. _user-management-overview:
Introduction to user management
----------------------------------
.. _20.1.1|VOSS-551|EKB-4393:
.. _25.4|EKB-27248:
.. index:: Feature;Feature User Management
.. index:: User Management (Feature)
.. tip::
:ref:`use-action-search-to-navigate-automate`
Overview
..........
VOSS supports various types of users:
===================== =========================================================================
Administrators * Administrator users access the system to perform admin tasks
* Can be assigned to any hierarchy (provider, customer, or site)
End users * End users are provisioned with services
* Can be created at any level of the hierarchy, but can only be
assigned services at a site.
End User + Admin A single user account can be configured as *both* an End User
(with services) and as an Administrator by assigning an Authorized
Admin Hierarchy containing a self-service role to the user - see:
:ref:`authorized-admin-hierarchies`.
===================== =========================================================================
A VOSS user exists only on VOSS and represents local data associated with that user,
including their user details. This user can exist on different hierarchies, and can be created independently,
either on VOSS directly, or imported from an external source, such as LDAP.
Non-VOSS users exist on the UC applications, such as Cisco UCM, CUC, Microsoft, Avaya, or Webex. These users
represent UC application data and are always associated with a VOSS user since they are created
once the corresponding VOSS user is sent downstream to the UC application. Users brought in from the UC applications
are provisioned with phones and/or services only at a site on VOSS.
.. note::
Users provisioned on UC applications (for example Cisco UCM, Microsoft, or Webex) have vendor-specific
identity values associated with them. These identities are automatically populated and maintained by VOSS
provisioning and lifecycle workflows, based on the user's services and sync source, and are not manually
managed as part of normal user administration.
.. rubric:: Related topics
*
.. raw:: latex
User provisioning use cases in the Core Feature Guide
.. raw:: html
User provisioning use cases
*
.. raw:: latex
Manage users in the Core Feature Guide
.. raw:: html
Manage users
* :ref:`user-authentication-methods`
* :ref:`role-based-access-admins`
* :ref:`user-settings`
* :ref:`user-management-scenarios`
* :ref:`user-sync-source`
* :ref:`user-field-mapping`
* :ref:`set-localization-language-at-hierarchy-node`
Users and the provisioning workflow
....................................
Users are impacted during user provisioning operations, such as
LDAP sync, CUCM sync, or user bulk loading.
A typical "top-down" approach to user provisioning progresses from LDAP to VOSS user, to provisioned user.
#. Sync user from LDAP into VOSS. A VOSS user is created.
#. Move the VOSS user to a site via **Move Users**.
#. Push the user to the UC applications. The corresponding provisioned user is created either via Quick
Add User or the Users page in the VOSS GUI
.. note::
You don't need to send all VOSS users to a UC application, such as Cisco UCM, and have a
corresponding provisioned user created; this is the administrator's decision, based
on criteria associated with each user. It is recommended that you filter out any users
from LDAP that are not eligible for UC services. It is possible that some
ineligible users can't be filtered due to missing attributes and thus get synced
into VOSS. These users remain un-provisioned.
.. rubric:: Additional functionality of VOSS user
VOSS users also allow:
===================== ===================================================
LDAP sync The workflows to manage syncing users from LDAP.
LDAP authentication Enabling and disabling LDAP authentication.
SSO Enabling and disabling SSO authentication.
Provisioning status Tracking where the user comes from (LDAP, CUCM,
manual configuration), and the
hierarchy the user was originally added to.
Moving users Between hierarchy nodes.
===================== ===================================================
VOSS user and corresponding provisioned user
..................................................
All provisioned users have a corresponding VOSS user. This allows the user to sign
in to VOSS (using either local authentication, LDAP authentication, or SSO
authentication), and to track the provisioning status.
You can create a provisioned user via the Admin Portal, bulk load, or sync from the UC application, such as a
Cisco UCM sync.
A VOSS user instance is created automatically. If staging is not required (such
as when configuring a user directly on a site, using bulk loading), the
admin doesn't need to add a VOSS user explicitly (as a separate step).
Provisioned users at a site provide all of the UC application provisioning logic by distributing
the user configuration to each of the UC applications, and combine most of the
data associated with a user into one logical entity:
* Cisco UCM users
* Phones
* Lines
* Extension Mobility profiles
* Remote destinations
* Voicemail
* Webex users
A provisioned user is simply a representation of data in the UC applications. Each provisioned user
is created when the UC application end user is created,
and disappears when the UC application end user is deleted (either on the UC application, such as
Cisco UCM directly or from VOSS). This user is removed even if there are phones, lines, or profiles
remaining that were previously associated with the corresponding user.
When the UC application data is created (such as the Cisco UCM end user), you can
view the user in the summary list view. When the UC application
data is deleted (such as the Cisco UCM end user), the provisioned user disappears.
A provisioned user is based on data in the UC applications. A VOSS user is associated with
local data. Any user with a UC applications end user instance displays in the **Users** list view,
regardless of whether they are associated with any other data (such as phone or line).
.. note::
Any changes on the UC application, such as adding or deleting end users,
appear in VOSS only after syncing. Refer to the "Data Sync"
section of the Guide for more information on data syncing.
Provisioned users are a representation of the data in the UC applications and may be
updated either in VOSS or in the UC applications directly.
How users are added to VOSS
...................................
Users may be added to VOSS from these sources:
* Synced in from LDAP, and promoted to a user (including flow through provisioning)
* Synced from Cisco UCM
* Synced from Azure (Microsoft users)
* Bulk loaded, via a Bulk loader template
* Manually created
.. note::
Conflicts between users synced from different sources are handled according to the strategy described
in :ref:`managing-duplicate-usernames`. For information about user password management, depending on the source of the user,
see Password Management.
Users are typically associated with a site. You can create move filters to automatically assign users to sites once
they are synced from LDAP or from CUCM. Bulk loaded and manually created users can be moved using filters or
by individually selecting users.
Cisco users associated with a site can be added to the UCM that appears
in the network device list (NDL) assigned to that site.
For details around how Microsoft users are synced in from Azure and then moved to the sites, refer to
:ref:`ms-subscribers`
Authentication on log in
..........................
Authentication (auth) methods define how a user is authenticated when logging in
to VOSS, either Automatic, LDAP, SSO, or Local.
If an identity provider (IdP) server is deployed at a hierarchy node above the site,
you can configure VOSS to provide single sign-on (SSO) support for users created
or synced at that hierarchy node.
.. note::
Typically, Microsoft users will not need to log in to VOSS. Their default auth method is Automatic.
When the default auth method is set to
LDAP, VOSS checks with the LDAP server to verify the user's credentials. Once verified, the user is
logged in to VOSS.