piotr wozniak | David, your proposal seems to me not as secure as I need it to be. Let me describe the application: I want to make a desktop client that will be able to set up a call from the user's phone without the need to type the number on the phone. The preferred way is to avoid setting up any additional services. I also want to avoid password authentication (or just let the user choose the authentication method, by password or PIN) because I want to store credentials on the user's machine. Storing the user's domain password on the computer is not a good approach in terms of security. I know that I can set up some additional service that will have access to all phones, giving it the ability to set up a call for any user. So my desktop client could then send the user/PIN to that service, which will make a call on behalf of that user. But I want to restrict myself to the basic services, with no additional systems etc. I don't want to use doAuthenticateUser, because access to it needs some credentials which would have to be stored on the client's machine to be used by this desktop client. I find creating an additional application user with the group 'Standard EM Authentication Proxy Rights' insecure, because this user's credentials would have to be stored on the client's machine and could be somehow extracted and used to set up a call on behalf of any user by anybody. So, why doesn't WebDialer (to be strict, makeSoapCall) allow authentication by PIN? |