What is user account provisioning automation for Cisco UC?

November 2, 2019 by David Levy

What is user account provisioning automation for Cisco UC?

Top 4 Benefits from Cisco UC Automation

On a high level, user account provisioning automation for Cisco unified communications (UC) is a method of leveraging technology to streamline what is typically the manual user provisioning process of:

• On-boarding employees (Adds)
• Off-boarding employees (Deletes)
• Changing the types of collaboration services an employee has (Changes)
• Moving an employee to a new division of the company (Moves)

The automation of Moves, Adds, Changes and Deletes (MACDs) will yield benefits from:

• Risk mitigation
• Simplification
• Consistency
• Access Control

Risk Mitigation
A management system that enables automated user provisioning software will minimize the security risk associated with granting access and deleting users in UC systems and applications.

Security needs to be a high priority for companies that implement Cisco unified communications technologies. While CUCM (Call Manager), Unity Connection, Webex, Jabber and related collaboration software may not have historically been attractive targets for hackers, such systems expose organizations to several operational cyber risks (i.e. risks associated with procedures rather than inherent in the software itself). This is particularly true as other areas of IT, such as networks and databases, get better protected. Attackers are now seeking to penetrate businesses through any exposed surface area, including UC.

Simplification
Integration with various other corporate systems for managing users will further automate, and thus simplify, the provisioning workflow:

• Active Directory (Microsoft AD)
• IT Service Management (ITSM)
• Identity and Access Management (IAM solution)
• Human Resources (HR Systems)

A real-time integration with Active Directory is the most common approach to enable zero-touch account provisioning. There is generally a 4-step process between a user provisioning software solution, Microsoft Active Directory and the Cisco suite of unified communications applications which is easily deployed.

• Step 1 – The provisioning automation solution looks for new employees in Active Directory. If new employees are found, the provisioning software moves on to Step 2. You can set how often you want to check AD for new employees – every day, every hour, whatever.
• Step 2 – The provisioning software should then automatically create accounts for any new employee it has found, in all the relevant Cisco unified communications applications. You can even customize which UC applications are provisioned based on AD Groups, by matching it with a Group in your provisioning solution.
• Step 3 – Your provisioning solution should then send the phone number of the new employee to Active Directory where it is stored with all the other employee information.
• Step 4 – The final step to close the loop is for the provisioning automation software to send an email to the new user with all the new details about their unified communications accounts.

All this should happen in real-time without any manual work from the telephony team or the ServiceDesk.

Consistency

Automated account management of user access to UC applications leads to more consistent user provisioning. Removal of the manual intervention in UC account provisioning eliminates variability in the way different provisioners might configure accounts.

The most advanced approached to ensuring consistency is to use predefined jobs that are responsible for performing the provisioning tasks. Jobs should made up of one or more templates to create a desired provisioning result. Jobs need to be very flexible and will vary depending on an organization’s needs. Jobs should be able to include multiple templates which work across CUCM clusters and applications to provision user accounts.

Access Control

Account provisioning across multiple Cisco UC applications is useful to control who is accessing resources. In order to efficiently manage access, integration with your access management IAM solution is key.

Access control is an important component of your security posture. An automation solution should have the capability to provide granular roles-based access control at various levels. With this level of flexibility around roles-based access control, large organizations can customize what they feel their teams and users should get based on their internal best practices.

Groups are used to provide a common class of users with permissions and access to items within a provisioning automation solution. Groups are the foundation of security.  User must belong to a group which provides the user permissions.  Users may be part of multiple groups.

The systems are generally configured with four default groups:

• Administrator
• Editor
• Provision
• Template Manager

These groups will define the role-based access to jobs, site templates and devices and settings.

Conclusion

User account provisioning automation for Cisco UC is a cost-effective way to securely streamline what would otherwise be a manual process subject to errors and risks.