Restricting Access to Corporate & Personal Directory

How you can restrict access to corporate directory?

If you remember, corporate directory is accessible globally from a cluster and restricting its access needs some configuration changes. In pre-CUCM 7.x you cannot accommodate it at individual level but in CUCM7.x you have flexibility.

You can run a sql command to access corporate directory information from ‘enduser’ table.

admin:run sql select userid,firstname,lastname,telephonenumber from enduser
userid firstname lastname telephonenumber
====== ========= ======== ===============
hqph1            hqph1
hqph2            hqph2
br1ph1           br1ph1
br1ph2           br1ph2
JTAPI            JTAPI

In Pre-CUCM 7.x build you can disable corporate directory by following these steps:

  • Go to Enterprise parameters and go down in Phone URL parameters and delete the URL. Click save and reset the phones.

But  if you want to restrict few users then you will have to delete the URL from Enterprise parameters and enter manually under each phone the URL of Services (under External Data Locations Information). You may use Bulk Admin tool to speed up the process (Bulk Admin > Phones > Update phones > Query).

In CUCM7.x and later various directories like Missed calls, Received calls etc are now IP phone services as you can see below:

An IP phone service if setup as Enterprise Subscription, it is accessible automatically from every phone in the cluster. There are some services which are ‘enterprise’ enabled and cannot be changed easily. In CUCM 7.x there is a new feature called “Enhanced Service Provisioning”.  It basically allows an administrator to set a parameter which tells a phone to get service configurations either internally (using TFTP config file) or externally (using service URLs).

The behavior of phones is controlled by enterprise parameter ‘Service Provisioning’.

This can also be controlled from Device > Device settings > Common Phone Profile:

The default under common phone profile is to use Service Provisioning which means Message/Directories URL Parameters are not used and Phone services are provisioned using IP phone services. When the Parameter is set to external that would use URLs from Enterprise parameters and Internal is default.

To disable Personal directory across the cluster you may do by un-checking the checkbox from Enable field under Device > Device settings > Phone services. This will disable Personal directory across each Phone. What if we want to do this for few phones? By default phones use internal service provisioning which means Directory URL is ignored. Also, if we use external service provisioning we wont get a separate link for Personal directory. The personal directory has ‘Enterprise Subscription’ flag enabled. So, to provision few phones for Personal directory, you may have to delete and re-create Personal directory service with same parameters but by NOT enabling enterprise subscription. You may then go in each phone and subscribe it to Personal directory. You can also do this from Bulk Admin > Phones > update Phones.

If we want to disable ‘directories’ button for some phones in a cluster then we can do by configuring a separate common phone profile and selecting External URL in there. We then need to delete the ‘URL directories’ to completely disable the button.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s