By default the administrator created during the installation of Communications Manager is the only account that has administrative rights to the administrative web page. If you are the only administrator on the system, this might be fine for you. However, there may be times when you would like to give people access to the administrator without giving them complete access. This can be done by configuring Roles.
Roles are objects within Communications Manager that define which configuration parameters can be accessed. This is done by assigning rights to what are refereed to as resources. There are over 250 resources that can be configured. Many of these resources relate to specific administrative web pages. By granting the read and update rights to a role, you allow users with that role to have access to that web page. For instance, if a role had the read right assigned to the resource called Phone Web Pages, a user with the associated role would have read only access to the phone’s web page.
While you are allowed to create new roles, in most cases you don’t need to. Communications Manager has over 35 pre-configured roles which should suit most environments. For a list of these roles refer to this link.
While role define the administrative rights, a user has roles not assigned directly to users. Instead they are assigned to user groups. This means that the groups a user belongs to actually determines the administrative rights they have. Again, there are a number of pre-configured groups that you can use. These groups have roles assigned to them already. Since groups have can have more than one role assigned to them, you need to make sure you have a good understanding of all the rights a group has before assigning it to a user. Take the Standard CCM Gateway Administrator group. It would seem that this group grants the right to read and update gateways. While it does, it also gives read rights to all other pages in the Communications Manager administrative interface. Since you are not able to edit predefined groups, you have to create a new group if you did not want the user to be able to have read rights to everything else. The easiest way to do this is to copy the existing group and remove the roles you don’t want the user to have. One thing to keep in mind is that any group that is allowed to login to the administrative page should have the Standard CCM Admin Users role assigned.
Now that you have a better understanding of what roles are and how they work, spend sometime examining them in CM. To better understand them create a few new groups in CMand experiment with the effects the roles play on administrative rights. Of course, you should do this on a test system as you should never use a live system as a learning platform.