CCAdv/WA Access Privileges

You can control access to information in the Genesys Contact Center Advisor/Workforce Advisor (CCAdv/WA) dashboards and on the CCAdv/WA administration page using roles, and associating permissions and privileges with each role. Controlling information using roles, and associated privileges and permissions, is called Role-Based Access Control (RBAC).

Performance Management Advisors support role-based access control (RBAC). You can use RBAC to control which users can access specific components—for example, use Genesys' RBAC to configure access to the Administration module for a specific subset of managers.

Advisors use Configuration Manager business attributes, which means Advisors can take advantage of Genesys roles for controlling access at a detailed level to Advisors' business objects and metrics.

RBAC is enforced primarily by visibility in the interface. What a user sees is determined by the roles which have been assigned. If the user is not assigned a role that grants them access to a piece of functionality, that functionality is not displayed to the user.

There are three important concepts associated with RBAC:

  • Permissions
    Permissions protect access to a whole object; if you have access permissions, you see the entire object.
  • Roles
    Roles protect properties of an object by hiding or disabling those properties to which you want to restrict access. Roles are intended to work with permissions to more finely tune what a user can access.
  • Privileges
    Privileges determine what tasks or functions a user can execute on objects to which he or she has access. You assign privileges to roles to further refine access to objects and object functionality.

What are RBAC permissions?

Elementary permissions protect access to a whole object. Permissions applied to an object apply equally to all properties of the object – if you have access permissions, you see the entire object.

Object permissions determine which users have access to a certain object or to what objects a given user has access. This is done through the use of access groups or on an individual user basis. Objects include the following:

  • Contact Center Advisor and Workforce Advisor
    • Metrics
    • Operating Units
    • Reporting Regions
    • Geographic Regions
    • Contact Centers
    • Application Groups
  • Frontline Advisor
    • Metrics
    • Levels of the Frontline Advisor hierarchy (that is, the folders and agent groups)
Tip
In Advisors release 8.1.1, three special access groups were introduced to represent the three different types of users in Advisors (Super Administrator, Partition Administrator and Dashboard User). Starting in release 8.1.2, these access groups are no longer required. Unless they are used to actively manage object permissions, they can be removed from the Configuration Manager.

What are RBAC roles?

The major component of RBAC is a role. Roles define what facilities are provided to users to review and manipulate various types of data. These include which property controls are available for items permitted by object permissions, what modules are visible, and access control for entities not represented by configuration objects. A role is assigned to a user, and that user is then able to do only what that role permits. One user can be assigned multiple roles, and one role can be assigned to multiple users. A role may also be assigned to an access group, and users in that access group are then able to do what the role permits.

Different roles can have different access and allowed functionality for the same objects. In essence, roles resolve both problems associated with using only permissions – users can access and work with only those parts of the object to which they are allowed.

Roles can also be used to protect access to entities that are not configured as configuration objects, such as logs. In general, when determining the accessibility to an object by a user, the user session cannot retrieve objects if they are not among those objects to which the user has access (as defined by object-access permissions). For data that is available in the session, role privileges refine what can be done with the data.

Assigning Roles to Users and Access Groups

Roles can be assigned to either users or access groups. This assignment is done on the Members tab of the role.

Important
To inherit permissions, access groups and users must belong to the tenant specified in the Advisors Platform installer.

In the screenshot to the right, the role FA Supervisor has been assigned to:

  • The TeamLeaders access group
  • User Amy Walker

Once a role is assigned to an access group, all users in the access group are assigned that role. The access groups and/or users must have Read access to the role in the Security tab to be able to access the role.

Important
Names of access groups must not contain spaces.

New Users

By default, new users are not assigned any default roles. They must be assigned roles by a System Administrator or by an existing user with appropriate privileges.

Default Roles Created by Migration

Module access is no longer determined by entries in a user’s Annex tab. Instead, module access is determined by the roles associated with the user’s profile. An optional section of the migration utility provided in the software distribution package creates this new module access schema.

Seven default roles are created by the utility in the Configuration Manager, with each one representing access to a particular module. Each role has a limited set of privileges associated with it. The default roles are:

  • AdvisorsAdmin
  • AdvisorsFAUser
  • AdvisorsFAAdmin
  • AdvisorsFAAgent
  • AdvisorsCCAdvUser
  • AdvisorsWAUser
  • AdvisorsAlertMgmtUser

You can change the preceding role names post-migration.

Further Reading on Roles

Additional sources of information on role-based access, privileges and permissions are:

What are RBAC privileges?

Roles consist of a set of role privileges (Read, Change, Execute, and so on). Privileges determine what tasks or functions a user can execute on objects to which he or she has access. Role privileges are defined in Genesys Configuration Manager.

By default, role privileges are not assigned to any role, so you must explicitly assign privileges to roles. Role privileges range from general to very specific tasks. An authorized user, normally a System Administrator, bundles these tasks into roles. These roles are then assigned to users. As a result, each user can perform only those tasks for which they have privileges.

Functionality permissions, or privileges, determine what tasks or functions a user can execute on objects to which he or she has access. Privileges for each role are stored as key-value pairs in the Annex tab of that role in Genesys Configuration Manager. If a privilege is present in a role, then any users assigned that role have access to the functionality controlled by that privilege. The value for the privilege key can be anything, or can be left blank.

Where do I configure roles, permissions, and privileges?

You must have access to the Genesys Configuration Manager to complete the configuration of an Advisors installation and perform administrative functions. Roles are defined, maintained, and associated with users in the Genesys Configuration Server using the Configuration Manager.

Typically, you configure RBAC in Configuration Manager in the following order:

  1. Add roles.

  2. Add tasks to roles.

  3. Assign Access Groups to Business Attribute instances.

  4. Assign users to roles.

Add users to a role on the Members tab of the properties dialog box for that role. Add users with one of the following methods:

  • indirectly, as a member of an Access Group

  • directly, as a member of a role

Assign permissions for a role on the Security tab of the properties dialog box for that role. A user must have Read access to the role (either directly or through an Access Group) to which he is assigned.

Annex tab for FA Supervisor role in Configuration Manager

Privileges for each role are stored as key-value pairs in the Annex tab of the properties dialog box for each role in Genesys Configuration Manager. The screenshot to the left shows the Annex tab of a new role called FA Supervisor – a user who can view the Agent Alerts pane on the FA dashboard.

The privileges for Advisors are bundled under a single section in the Annex tab with the title Advisors. Each privilege name uses the following general structure:

[application name].[module name].[task grouping].[privilege name]

Important
Ensure you copy the exact privilege with no leading or trailing spaces. Some privileges work as single entries; some require a group of privileges to ensure full access as you expect. In the preceding example, all three privileges shown in the screenshot above are required so the user can view the Agent Alerts pane. See the list of privileges in the Privileges tab on this page for more information.
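The following check is an added example, not Genesys code: it lints one role's Annex, supplied as a dictionary, against the rules stated on this page (exact privilege names, presence-only semantics for values, the Action Management Report dependency from the Contact Center Advisor table, and no spaces in access group names). The function name, the finding labels, and the sample role data are assumptions made for illustration.

```python
import re

# Application prefixes and verb suffixes that appear in the CCAdv/WA privilege
# tables on this page; privileges of other modules are reported as unrecognised.
NAME_RE = re.compile(
    r"(Advisors|ContactCenterAdvisor|WorkforceAdvisor|AlertManagement|AdvisorsAdministration)"
    r"(\.[A-Za-z]+)*\.can(View|Create|Edit|Delete)"
)
# From the Contact Center Advisor table: holders of the key should also hold the value.
REQUIRES = {"ContactCenterAdvisor.ActionManagementReport.canView": "AlertManagement.canView"}
# A key that is present grants the privilege whatever its value, so values
# that look like a refusal mislead anyone reviewing the role.
MISLEADING_VALUES = {"false", "no", "0", "off", "deny"}


def audit_role(annex, member_groups):
    """Return (granted privilege keys, sorted list of (finding, subject)) for one role."""
    findings, granted = [], set()
    for key, value in annex.get("Advisors", {}).items():
        if key != key.strip():
            # Assumption: a padded key does not match the name Advisors looks up.
            findings.append(("whitespace", key))
        elif not NAME_RE.fullmatch(key):
            findings.append(("unrecognised", key))
        else:
            granted.add(key)
            if str(value).strip().lower() in MISLEADING_VALUES:
                findings.append(("misleading-value", key))
    for privilege, needed in REQUIRES.items():
        # Checked per role; another role held by the same user may supply it.
        if privilege in granted and needed not in granted:
            findings.append(("missing-dependency", f"{privilege} -> {needed}"))
    for group in member_groups:
        if " " in group:  # access group names must not contain spaces
            findings.append(("group-name-space", group))
    return granted, sorted(findings)


# Constructed sample: Annex of a hypothetical role and the access groups on its Members tab.
SAMPLE_ANNEX = {
    "Advisors": {
        "ContactCenterAdvisor.Dashboard.canView": "",
        "ContactCenterAdvisor.ActionManagementReport.canView ": "true",  # trailing space
        "ContactCenterAdvisor.PerformanceMonitor.canView": "false",      # still granted
        "ContactCenterAdvisor.ActionManagementReport.canView": "",
        "ContactCenterAdviser.Dashboard.canView": "",                    # misspelled
    }
}
SAMPLE_GROUPS = ["TeamLeaders", "Team Leaders West"]

if __name__ == "__main__":
    granted, findings = audit_role(SAMPLE_ANNEX, SAMPLE_GROUPS)
    print("granted:", sorted(granted))
    for kind, subject in findings:
        print(f"{kind}: {subject!r}")
```
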

Am I limited to a specific number of users, access groups, or roles?

There is no limit on:

  • the number of roles that can be present in the Configuration Manager
  • the number of access groups or users that can be present in the Configuration Manager
  • the number of roles supported by Advisors
  • the number of access groups that are supported by Advisors

Roles, and the privileges associated with roles, are cumulative. A single user or access group can be assigned multiple roles. In such cases, the user will have the combined set of privileges granted by each role. In other words, the user is granted any privilege that is granted by at least one of the assigned roles. This ensures that the user is able to perform the tasks of all roles in which they participate.

Each user can also belong to multiple access groups, with different permissions coming from each group. In such scenarios, the user’s permissions are a union of the permissions of all the access groups to which he or she belongs, unless access is specifically denied for one group, which takes precedence (see the following scenarios).

Advisors follow the principle of least privilege. The following scenarios show how this union should work:

  • User A is part of access groups X and Y. Group X does not have any defined access to a metric. Group Y has explicit access granted to the metric. In this case, user A is granted access to the metric.
  • User A is part of access groups X and Y. Group X is explicitly denied access to a metric. Group Y is explicitly given access to the same metric. In this case, user A is denied access to the metric.
  • User A is part of access groups X and Y. Group X is explicitly denied access to a metric. Group Y does not have any defined access to the same metric. In this case, user A will be denied access to the metric.
  • User A is part of access groups X and Y. Neither group has defined access to the metric. In this case, user A will be denied access to the metric.
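The resolution rules above, written out as an added example that is not part of the Advisors product: role privileges are unioned across every role a user holds directly or through an access group, while object permissions are unioned across access groups with an explicit deny taking precedence and no entry meaning no access. The class names, the role names, the metric name `AHT`, and the user name `UserA` are constructed for illustration.

```python
from dataclasses import dataclass, field

GRANT, DENY = "grant", "deny"


@dataclass
class AccessGroup:
    name: str
    # object name -> GRANT or DENY; a missing key means "no defined access"
    permissions: dict = field(default_factory=dict)


@dataclass
class Role:
    name: str
    privileges: set  # privilege keys present in the role's Annex
    members: set     # user names and access group names on the Members tab


def effective_privileges(user, groups, roles):
    """Roles are cumulative: a privilege granted by any assigned role is granted."""
    identities = {user} | {g.name for g in groups}
    granted = set()
    for role in roles:
        if role.members & identities:  # direct member, or member through a group
            granted |= role.privileges
    return granted


def object_access(groups, obj):
    """Union of group permissions; one explicit deny wins; no entry means denied."""
    decisions = {g.permissions.get(obj) for g in groups}
    if DENY in decisions:
        return False
    return GRANT in decisions


def can_use(user, groups, roles, privilege, obj):
    """The object must be permitted and the privilege must be held."""
    return object_access(groups, obj) and privilege in effective_privileges(user, groups, roles)


# Constructed sample data mirroring the four scenarios listed above.
METRIC = "AHT"
SCENARIOS = {
    "X undefined, Y granted": [AccessGroup("X"), AccessGroup("Y", {METRIC: GRANT})],
    "X denied, Y granted": [AccessGroup("X", {METRIC: DENY}), AccessGroup("Y", {METRIC: GRANT})],
    "X denied, Y undefined": [AccessGroup("X", {METRIC: DENY}), AccessGroup("Y")],
    "X undefined, Y undefined": [AccessGroup("X"), AccessGroup("Y")],
}
ROLES = [  # hypothetical roles: one assigned through group Y, one assigned directly
    Role("DashboardViewer", {"ContactCenterAdvisor.Dashboard.canView"}, {"Y"}),
    Role("AlertViewer", {"AlertManagement.canView"}, {"UserA"}),
]


def run_scenarios():
    return {label: object_access(groups, METRIC) for label, groups in SCENARIOS.items()}


if __name__ == "__main__":
    for label, allowed in run_scenarios().items():
        print(f"{label:26} -> {'granted' if allowed else 'denied'}")
    print(sorted(effective_privileges("UserA", SCENARIOS["X undefined, Y granted"], ROLES)))
```
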


The following tables list all Contact Center Advisor/Workforce Advisor privileges available in Configuration Manager. The tables include a description of the consequence to the user if the privilege is present or absent.

The Administration module Users page is not controlled by an option; all users who can access the Administration module have access to the Users page. However, the Users page no longer displays any information about the user accounts, so there is no need to control access to this page. Please refer to the following documents for more information about configuring user profiles:

Advisors Interface

Privilege | Behavior When Present | Behavior When Absent
Advisors.ChangePassword.canView | User sees the Change Password button located at the top of the Advisors interface. | Change Password button is hidden.

Contact Center Advisor

Privilege | Behavior When Present | Behavior When Absent
ContactCenterAdvisor.ActionManagementReport.canView (Introduced in release 8.1.3. NOTE: The privilege to grant access to the Action Management Report in Contact Center Advisor or Workforce Advisor is related to the Alert Management privilege. That is, if a user has the ContactCenterAdvisor.ActionManagementReport.canView privilege, then that user should also have the privilege to view Alert Management (AlertManagement.canView).) | User can access an Action Management Report by double-clicking on an Alert tile in the Map pane, or by clicking on the arrow for each alert in the Alerts pane. | Clicking on the tiles in the Map pane does not launch an Action Management Report, and the Action Management Report arrow for alerts in the Alerts pane is not shown.
ContactCenterAdvisor.Dashboard.canView | User can access the CCAdv dashboard. This is a replacement for the module access that was previously assigned on a user-by-user basis. | User cannot access CCAdv dashboard, and the Contact Center Advisor tab is not shown to the user.
ContactCenterAdvisor.Dashboard.AgentGroupsPane.canView | User can see data in the Agent Groups pane. | User sees an empty Agent Groups pane at all times.
ContactCenterAdvisor.Dashboard.ColumnChooser.canView | User has access to the column chooser button on the dashboard. | Column chooser button is not displayed on dashboard.
ContactCenterAdvisor.Dashboard.EnterpriseStats.canView | User can see the Enterprise row and statistics on the dashboard. | The Enterprise row is not sent from the server to the dashboard, which means the user does not see it.
ContactCenterAdvisor.PerformanceMonitor.canView | User can access Performance Monitor. | User does not see the Performance Monitor button on the dashboard.
ContactCenterAdvisor.PerformanceMonitor.CallFlowPane.canView (NOTE: If both ContactCenterAdvisor.PerformanceMonitor.CallFlowPane.canView and ContactCenterAdvisor.PerformanceMonitor.CurrentCapacity.canView are excluded from a user’s role, then the left side of the Performance Monitor window is not displayed to the user.) | User can see the Call Flow pane and metrics in the Performance Monitor window. | The Call Flow pane is shown, but no metrics or values are displayed.
ContactCenterAdvisor.PerformanceMonitor.CurrentCapacity.canView (NOTE: If both ContactCenterAdvisor.PerformanceMonitor.CallFlowPane.canView and ContactCenterAdvisor.PerformanceMonitor.CurrentCapacity.canView are excluded from a user’s role, then the left side of the Performance Monitor window is not displayed to the user.) | User can see the Current Capacity pane and metrics in the Performance Monitor window. | The Current Capacity pane is shown, but no metrics or values are displayed.
ContactCenterAdvisor.Dashboard.PivotSelect.canView | User has access to the pivot drop-down list that allows them to switch views of the pivot table. | Pivot drop-down list is not shown in the top left pane.
ContactCenterAdvisor.AlertManagement.canView (NOTE: In release 8.1.3, this privilege was replaced with Alert Management–specific privileges.) | User has access to the Alert Management tab and the Action Management Report page. User can access the Action Management Report either by clicking on the Alert Management tab, by double-clicking on the alert tiles in the map, or by clicking on the arrow for each alert in the Alerts pane. | The Alert Management tab is not shown; clicking on the tiles in the map does not launch the Action Management Report; and the Action Management Report arrow for alerts in the Alerts pane is not shown.

Workforce Advisor

Privilege | Behavior When Present | Behavior When Absent
WorkforceAdvisor.ActionManagementReport.canView (This privilege is applicable to Release 8.1.3 and later. In a migration scenario, this privilege is not defined in any existing Advisors role in the Configuration Server settings. An administrative user must update existing roles, or create new roles, and add the privilege to allow the described access or activity.) | User can access an Action Management Report page by double-clicking on an Alert tile in the Map pane, or by clicking on the arrow for each alert in the Alerts pane. | Clicking on the tiles in the Map pane does not launch an Action Management Report page, and the Action Management Report arrow for alerts does not display in the Alerts pane.
WorkforceAdvisor.Dashboard.AgentGroupsPane.canView (Introduced in release 8.1.3.) | User can see data in the Agent Groups pane. | User always sees an empty Agent Groups pane with a message stating the lack of access to the Agent Groups pane.
WorkforceAdvisor.Dashboard.canView | User can access the WA dashboard. | User cannot access WA dashboard, and the Workforce Advisor tab is not shown to the user.
WorkforceAdvisor.Dashboard.ColumnChooser.canView (Introduced in release 8.1.3.) | User has access to the Column Chooser button on the dashboard. | The Column Chooser button is not displayed on the dashboard.
WorkforceAdvisor.Dashboard.EnterpriseStats.canView (Introduced in release 8.1.3.) | User can see the Enterprise row in the pivot table (Contact Centers pane). | The Enterprise row does not display in the pivot table (Contact Centers pane).
WorkforceAdvisor.Dashboard.PivotSelect.canView (Introduced in release 8.1.3. NOTE: Because there are additional hierarchies in WA specifically to display agent group contact centers, users must have permission to access the hierarchy grouping (WorkforceAdvisor.Dashboard.PivotSelect.canView) if agent group contact centers are configured.) | User has access to the hierarchy drop-down list on the Contact Centers pane. | The hierarchy drop-down list does not display on the Contact Centers pane.

Alert Management

Privilege | Behavior When Present | Behavior When Absent
AlertManagement.canView (Introduced in release 8.1.3.) | User has access to the Alert Management tab. | The Alert Management tab does not display for the user.
AlertManagement.ActionManagementReport.canView (Introduced in release 8.1.3.) | User can create a new Action Management Report, and update or delete an existing report. | The New and Delete buttons are not displayed in the Action Management Report pane, and the Edit/Delete column is not shown.

Administration Module

Privilege | Behavior When Present | Behavior When Absent
AdvisorsAdministration.canView | User has access to the Administration module. | User cannot access the Administration Module, and the module tab is not shown to the user.
AdvisorsAdministration.SystemConfiguration.canView | User can access System Configuration page; option is shown on menu. | System Configuration option is not shown on the Administration menu.
AdvisorsAdministration.Regions.canView | User can access the Regions page; option is shown on the Administration menu. | Regions option is not shown on the Administration menu.
AdvisorsAdministration.ApplicationGroups.canView | User can access the Application Groups/Thresholds page; option shown on menu. | Application Groups/Thresholds option is not shown on the Administration menu.
AdvisorsAdministration.ContactCenters.canView | User can access the Contact Centers page; option shown on menu. | Contact Centers option is not shown on the Administration menu.
AdvisorsAdministration.ApplicationConfiguration.canView | User can access the Application Configuration page; option shown on menu. | Application Configuration option is not shown on the Administration menu.
AdvisorsAdministration.AgentGroupConfiguration.canView | User can access the Agent Group Configuration page; option shown on menu. | Agent Group Configuration option is not shown on the Administration menu.
AdvisorsAdministration.ContactGroupConfiguration.canView | User can access the Contact Group Configuration page; option shown on menu. | Contact Group Configuration option is not shown on the Administration menu.
AdvisorsAdministration.Metrics.canView | User can access the Report Metrics page; option shown on menu. | Metrics option is not shown on the Administration menu.
AdvisorsAdministration.MMW.canCreate (Introduced in release 8.1.3.) | User can create custom metrics. | The Create function and the Copy function do not display in the Metric Manager.
AdvisorsAdministration.MMW.canEdit (Introduced in release 8.1.3.) | Grants privilege to edit any metrics. | The Edit function does not display in the Report Metrics Manager.
AdvisorsAdministration.MMW.canDelete (Introduced in release 8.1.3.) | Grants privilege to delete custom metrics. | The Delete function does not display in the Report Metrics Manager.
AdvisorsAdministration.MMW.SourceMetrics.canView | Grants privilege to view the Source Metrics page. | The Source Metrics page, and the link to it in the Administration module, do not display.
AdvisorsAdministration.MMW.SourceMetrics.canCreate | Grants privilege to create custom source metrics. | The Create Source Metrics button does not display on the Source Metrics page.
AdvisorsAdministration.MMW.SourceMetrics.canEdit | Grants privilege to edit source metrics. | The Edit function does not display on the Source Metrics page.
AdvisorsAdministration.MMW.SourceMetrics.canDelete | Grants privilege to delete custom source metrics. | The Delete function does not display on the Source Metrics page.
AdvisorsAdministration.DistributionLists.canView | User can access the Distribution Lists page; option shown on menu. | Distribution Lists option is not shown on the Administration menu.
AdvisorsAdministration.ManualAlerts.canView | User can access the Manual Alerts page; option shown on menu. | Manual Alerts option is not shown on the Administration menu.
AdvisorsAdministration.AlertManagement.AlertCauses.canView | User can access the Alert Causes page; option shown on menu. | Alert Causes option is not shown on the Administration menu.
AdvisorsAdministration.AlertManagement.KeyActions.canView | User can access the Key Actions page; option shown on menu. | Key Actions option is not shown on the Administration menu.
AdvisorsAdministration.GenesysAdapter.Configuration.canView | User can access the Genesys Adapter Objects Configuration page; option shown on menu. | The Genesys Adapter section (which includes the Object Configuration and Manage Adapters options) is not shown on the Administration menu.
AdvisorsAdministration.RMC.canView | User can access the Resource Management-related pages, which are Notification Lists and Notification Templates; both options shown on menu. | Control Panel section (which includes the Notification Lists and Notification Templates options) is not shown on the Administration menu.
AdvisorsAdministration.PeripheralGateways.canView | User can access the Switches/Peripherals page. | Switches/Peripherals option is not shown on the Administration menu.
AdvisorsAdministration.DeletedObjects.canView | User can see the deleted objects in Configuration Manager server in the corresponding Administration pages. | Deleted objects in Configuration Manager are not shown in the corresponding Administration page.
This page was last modified on May 19, 2014, at 08:45.
