Role Based Access - RBAC

The WebConfigurator Role Based Access Control (RBAC) allows you assign permissions to users that have been added to LUCS. It is worth noting that LUCS uses the term "Agents" as a subgroup of users, however it is the role assigned in RBAC that enables a user to perform more tasks within LUCS front- and backend.

LUCS distinguishes by the following roles:

A System Administrator is a user with full privileges. Usually performs the basic system Installation and Upgrades as well as first Essential Topology Settings.
System Administrators are not controlled by LUCS but by granting them Admin Group Permissions on Application Machines. Changing their permissions within the LUCS RBAC UI will have no effects.
An Administrator is a LUCS user with administrative rights within the application itself. Admins are capable of creating Organizational structures and (commonly-used) LUCS data entities as Workflows, Resources and templates. Admins also define visibility of those entities to other users via Role Based Access.
A Supervisor manages basic settings in the for services in the backend configuration. Has access to Frontend reporting features according to his permissions. He mostly works from the LUCS Web FrontEnd and occasionally configures Workflows for his service.
An Agent works mostly on the LUCS Web FrontEnd or Agent Assistant to handle calls and tasks. He has basic viewing permissions.

Important notes about Roles

By default new users added via Webconfigurator do not have assigned roles and permissions. Only the System Administrator may access the system at this point.
RBAC permissions are given to individual agents when editing individual Agent Roles.
All RBAC permissions are granted with Organization Units (OU) structure acting as framework for inheritance. Child Organization Units inherit all the permissions contained in an upper (parent) OU.
- A "System" level OU is defined in LUCS as a default, which cannot be superseded by any OU. System privileges will always inherit down to any OU, even if added later. This will ensure that a System level administrator is never locked out of the System.
- The table below lists available roles & permissions independent of OU structures. You can basically define any organizational structure you want first and then grant rights as you see fit.

Role and OU mixtures are possible. The roles mentioned in this table can be mixed and matched to have LUCS users perform multiple functions depending on which OU they are in.
Further API-based roles and rights are described on the LUCS API pages.

Administrator Roles

In context of this manual the term "Administrator" ADMINISTRATOR will be used, generally referring to to any admin role mentioned below with according permissions.

Role-Mixtures are possible. The roles mentioned in this table can be mixed and matched to have LUCS users perform multiple functions. A "System Administrator" will always have all privileges mentioned below.

Administrator Permissions table. C = Create, R = Read, U = Update, D = Delete

Role	Privileges
System	Prerequirement: Needs to have Admin Group Permissions on Application Machines Admin Permissions. Has full privileges (any of the below roles) Can log in to both front and backend Can access Configuration and create all basic entities in LUCS (Traits, Users, Profiles, Organization Units) Adds further users as agents and assigns roles to them in RBAC
Organization Units	Can manage Organization Units (CRUD)
Distribution	Can manage Distribution Policies and Traits (CRUD)
User	Can manage users (CRUD) Performs all Agent Management related tasks in Backend (Webconfigurator) Manages user dependent entities such as: Traits and Duty Profiles, Common Settings (First Name, Last Name, Email, SIP URI), Assign Agent/Supervisor Roles
UserReadOnly	Similar to the User Administrator but only with read access on user details and part of the settings.
Service	Can manage Services (CRUD) Manages all service dependent entities such as: Recording Definitions, Messages and Standby Duty Notifications Can Manage Opening Hours Calendars Can edit Service details to include the previously defined entities
Service Extended	CANNOT manage Services (CRUD) Can Manage Opening Hours Calendars Can read a subset of service dependent entities Name, Organization Unit, Common Settings (SIP URI, Display Name, Telephone URI, TelSipURI) Can manage a subset of service dependent entities (CRUD) such as: Placeholders, Workflows, Completion Codes
Agent	Can read and update Agent Traits and Duty Profiles for his assigned agents Can read and update Agent Assistant Configuration for his assigned agents Can read several Agent specific user field such as: Common Settings (First Name, Last Name, Email, SIP URI), Organization Unit
Agent Extended	Similar to Agent Administrator but with some limitations such as: CANNOT read Skype for Business relevant settings like Line Uri, Private Line Uri, LYNC POOL REGISTRAR CANNOT read and update settings like Busy on Busy in a call enabled, Can login to Recording manager
AgentReadOnly	Same as Agent Administrator but only with read access on agent traits, profiles and configuration settings
Workflow	Manage (CRUD) Workflows including all dependent entities and resources
Topology	Manage (CRUD) Essential Topology Settings for configuration of endpoints, mailboxes, tenants, API tokens, trusted applications
Web	Manages Walls in the LUCS Web FrontEnd. Has read access on all FE Frontend Widgets and Groups Manages Dashboards and Manages Dashboard Properties, including Ownership
DataPrivacy	Execute Data Privacy related actions in the backend (customer data anonymization)
Roles	This user can freely assign roles and elevate users, up to system level! Assign this role sparingly and only to trusted parties.

Supervisor Roles

In context of this manual the term "Supervisor" SUPERVISOR will be used, generally referring to to any role mentioned below with according permissions.

Supervisor Permissions

Area	Role	Privileges
Web Frontend	Agent	Can Read Frontend Walls Can change Agent traits in the Frontend Can read and update Agent presence states and reset RONA state Can switch Agent Duty Profiles
	Service	Can Read Frontend Walls Can read Service states Can Initiate CallBack Tasks and set Set Emergency Cases
	Supervision	Can Read Frontend Walls Can initiate Agent Session Supervision and Agent Permanent Supervision
Web Reporting Portal	Agent	Currently unused.
	Customer	Access to the Customer Journey Page
	Service	Access to the Reporting Overview Page and Service Overview Page
Dashboard	Agent	Can edit properties of owned dashboards Can set dashboards public Can see public dashboards within his OU Can see agent-related data under his OU in Dashboard Widgets
Dashboard	Service	Can edit properties of owned dashboards Can set dashboards public Can see public dashboards within his OU Can see service-related data under his OU in Dashboard Widgets
Dashboard Reporting _{Requires Power-BI Pro account for the accessing user. Refer to Managing BI User and Data access.}	Agent	Can access Agent-related BI Reporting data
	Customer	Can access Customer-related BI Reporting data
	Service	Can access Service-related BI Reporting data
Historic Reporting _{Excel / Power BI templates using SSRS database exports. See → Historic Reporting section}	Agent	Access to Agent-Related SSRS Reports as well as related facts and dimensions
	Customer	Access to Customer the corresponding Service-Related SSRS Reports as well as related facts and dimensions
	Service	Access to all Service-Related facts and dimensions, KPI

Agent Roles

In context of this manual the term "Agent" AGENT will be used, generally referring to to any role mentioned below with according permissions.

Area	Role	Privileges
Web Frontend	Agent	Can Read Frontend Walls Access to Agent-related Widget Types
Web Frontend	Service	Can Read Frontend Walls See data in Service-related Widget Types
Dashboard	Agent	Can see public dashboards within his OU Can edit properties of own dashboard Can see agent-related data under his OU in Dashboard Widgets
Dashboard	Service	Can see public dashboards within his OU Can edit properties of own dashboards Can see service-related data under his OU in Dashboard Widgets

Agent Permissions