Avaya logins best practices
5 characteristics to help you optimize your voice system
By the end of this read, you will have a better sense of Avaya login account assignments: which accounts should be assigned to which level of user, and how account creation works for Avaya Aura and IP Office products. You will understand which accounts should be created for which purposes, and pick up some troubleshooting techniques.
If you are like me, you have also experienced uncertainty whenever going out to service your customers. No matter how well we try to document login credentials and provide the correct ones to our customers, we seem to ask ourselves, “Are we giving the customer too much power?”
In this post, I go over these bullet points to help you optimize your VoIP solution by creating the correct Avaya logins for the correct task:
- 1.- Login characteristics
- 2.- Avaya login account interaction overview
- 3.- Account restriction levels
- 4.- Troubleshooting locked accounts
- 5.- Avoid future account issues
1.- Login characteristics
Depending on which Avaya system you are working with, you must be aware of its login characteristics so that you can access and administer the correct element for the task at hand.
Avaya Aura login characteristics: Whether you deploy an SMGR, CM, or WebLM server, to name a few, access rules are pre-configured and ready for you to assign user accounts to them. To help organize and allow different levels of system accessibility, I have created these sub-steps:
Agents / Regular Users – These are assigned to regular day-to-day people working in different departments and areas throughout the company. You can divide these accounts into:
Everyday User/Agent Account – Responsible for receiving calls and making minimal local or toll-free outbound calls. When creating policies, COR, and User-Rights, use a name related to this user group and customize each group by applying rules and restrictions accordingly.
Privileged User/Agent Account – Very similar to the everyday user group, with the ability to access additional features; normally assigned to a group’s admin or coach. These features could be things such as long-distance calling, whisper page, service-observed, etc.
Operators – These are the people responsible for managing a small group of users, with the privilege of handling all the features mentioned above, plus the ability to manage group reports and group voicemails. They should be able to configure endpoints and update names if necessary.
Managers – These are responsible for overseeing the Operators, with the ability to manage hunt group membership, agent assignment, and any other feature related to users and hunt groups, as well as call routing (for example call vectoring, incoming call routing, etc.).
Administrators – Their main role is to keep the system running as smoothly as possible. This account is normally used when implementing and applying new rules and policies to a telecommunication system. From ARS to user accessibility, the Administrator should be able to handle it.
Avaya IP Office login characteristics: In order to create or update any group or user policies, you have to be able to access the IP500 security application through the IP Office Manager app. Once logged into the security section of the IP Office, you can choose:
Rights Group – When accessing this element you can apply rules and policies to a group of Services and to Manager/Operator rights, allowing these accounts to manage users, groups, and time profiles, among other features.
Services – Some IP Office adjuncts and 3rd party servers use service accounts to authenticate; for example, the One-X portal uses a TSPI service account to allow communication between the two.
2.- Avaya login accounts interaction overview
There is a wide variety of logins associated with Avaya systems. Depending on the platform that you are operating, you will need a specific Avaya login account to access the resources you have to administer. For instance, when deploying Communication Manager, a Craft/craft01 login is used mostly for the initial configuration. System Platform utilizes admin/admin01, and for IP Office there are three accounts pre-configured (Administrator, Manager and Operator).
Admin accounts are mostly used by Business Partners and high-level system administrators. For customer accounts, it is recommended to use a standard login. Accounts can also be assigned to operate services, BCMS, and CDR, among others.
Console and other account authentication – There are Avaya Logins that are restricted only to console accounts for system maintenance. In some systems the Root login is one of these logins.
SMI Accounts – The System Management Interface (web interface) is used to conduct maintenance through the web server. This type of account can be assigned to group managers or site administrators to allow them to run backups and reset other accounts if needed.
RBAC – Roles are another way that Avaya logins are categorized, utilizing RBAC (Role-Based Access Control) with built-in and custom roles. The built-in roles can’t be modified, but you can assign them to an account as desired.
LDAP Integration – In an Active Directory environment you can integrate existing domain accounts with LDAP-capable Avaya servers.
IP Office Built-in Accounts – Avaya logins for IP Office are categorized as Service Accounts (Voicemail Pro), Local Server Accounts (Linux) and Service Users (IP500).
3.- Account restriction levels
While creating Avaya logins you can associate different restriction levels with the desired account. This simplifies administration and helps secure the customer data and VoIP applications.
Restriction best practices – For larger systems it is always a good idea to create group policies and access levels based on geographical locations; this keeps system administrators and operators from managing the wrong systems.
4.- Troubleshooting locked accounts
Depending on the login policy rules, accounts can be deactivated or locked due to login failures. The following techniques help you troubleshoot accounts whenever they get disabled or locked.
Tools and backdoor accounts – Having a crossover cable comes in handy whenever troubleshooting and having to connect straight to the services port of the media server or LAN2 of the IP500 control unit.
Note – IP Office has port sensing, allowing it to communicate over either a straight-through or a crossover cable.
Once connected to the system, use a backdoor or secondary account to log in and follow the maintenance commands to unlock the desired account. It is recommended to have a secondary maintenance account created to avoid having to call Avaya support and pay to have the account unlocked.
I have listed some commands below to help unlock accounts based on the system type:
Avaya Aura
Embedded Aura Messaging or CM – While connected to the shell console through the S8300 with the root account, run:
    chage -M -1 sa
or the same command with dadmin as the account name. chage changes the password expiry settings of the account; -M sets the maximum number of days a password is valid, and -1 removes that limit.
SMGR – System Manager uses LDAP services to manage accounts. Run:
    ldappasswd -h VSP-IP-ADDRESS -D cn=Manager,dc=vsp -x -w "root01" -s admin01 uid=admin,ou=People,dc=vsp
This command sets the admin account password to admin01.
WebLM – the admin01 password can be set by running the weblm_password reset command.
Avaya IP Office – SECURITYRESETALL – Run this command from the DTE console port, which is located on the back of the control unit. A serial connection through PuTTY must be established, using the following serial port configuration: bps: 38400, bits: 8, parity: none, stop bit: 1, flow control: none, emulation type: VT100. Running this command resets all IP Office accounts back to factory settings.
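As a follow-up to the chage -M -1 step above, this added example (not part of the original post and not Avaya code) classifies accounts by password-aging state from shadow(5)-format lines, so that accounts left with no maximum age after an unlock can be found and reviewed. The sample lines are constructed; sa, dadmin and craft are names from the post, while siteadmin and backup1 are hypothetical.

```sh
#!/bin/sh
# Added example: classify password-aging state from shadow(5)-format lines.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are days since 1970-01-01).

# Constructed sample, not from a real system. sa, dadmin and craft are account
# names mentioned in the post; siteadmin and backup1 are hypothetical.
SAMPLE_SHADOW='sa:$6$placeholder:19000:0:90:7:::
dadmin:$6$placeholder:19900:0::7:::
craft:!$6$placeholder:19900:0:90:7:::
backup1:$6$placeholder:19900:0:90:7::19950:
siteadmin:$6$placeholder:19990:0:90:7:::'

# aging_state TODAY_DAYS
# Reads shadow lines on stdin and prints "name state" for each account.
aging_state() {
  awk -F: -v today="$1" '
    NF < 8 { next }                        # skip malformed lines
    {
      if ($2 ~ /^[!*]/)
        state = "locked"                   # password login disabled
      else if ($8 != "" && $8 + 0 <= today)
        state = "account-expired"          # account expiry date has passed
      else if ($5 == "" || $5 + 0 < 0 || $5 + 0 >= 99999)
        state = "no-max-age"               # no maximum age (effect of chage -M -1)
      else if ($3 + $5 < today)
        state = "password-expired"         # lastchg + max age is in the past
      else
        state = "ok"
      print $1, state
    }'
}

# Stand-alone run against the sample, using the current day number.
printf '%s\n' "$SAMPLE_SHADOW" | aging_state "$(( $(date +%s) / 86400 ))"
```

On a live server the same function can be fed /etc/shadow as root in place of the sample.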
Do you use a single login account for you and the customer? If not, how many accounts do you normally create when implementing login accounts?
Resources
How to Create Avaya Communication Manager Profiles for Selective Administrative Access by Jerry Revier