Role Access Concept

This page explains the access concept of Nimbus. In the first part we explain how user rights are synched between Nimbus and MS Teams and where Nimbus acts with standalone concepts. The second part covers Roles available in Nimbus and their detailed permissions.

Introduction

Nimbus has a user roles and permissions system that grants permissions based on a Organization Units hierarchical structure. By using this concept, access to configuration entities of Nimbus can be granted on a very granular level. To understand this permission system we need to explain a few related concepts in the following.

Concept

Details

Diagram

User roles and sync between MS Teams

Nimbus syncs users from your tenant's user directory. Each user can then added in a Nimbus role, e.g. as Admin, Owner or Member/ Agent of a service. The role determines, what a user can do within Nimbus. You can find detailed permissions behind each role explained in the "Role Permission Matrix" table below.

Depending on what Nimbus Service types are being provisioned on your Tenant, the user synchronization and role assignments are handled slightly different. Nimbus distinguishes by User assignment types.

Examples of user assignment

MS Teams based: A Tenant or Partner Administrator has provisioned a new Service directly within Microsoft Teams.
Nimbus will now automatically sync the Teams Owners and Members as Nimbus Service users, with their respective "Service Owner / Member" role and permissions.

Skill-Based assignment: A Tenant or Partner Administrator has provisioned a new Service via the Service Administration backend. Typical use cases are Contact Center Services that favor a specific Distribution Order, selecting "Agents" with Skills and Responsibilities over a teams-based approach.
Nimbus service owners and agents are manually assigned via the Service Permissions tab of the respective services.

Services of "User assignment type: None"  can remain remain without users. Examples could be automated IVR or rerouting services that function autonomously after their initial setup.

More details on the assignment type and role naming also explained in the "Role Permission Matrix" table below.

Access to data entities within an Organization Unit scope

As established previously, Users on your Tenant get roles assigned in order to perform various tasks within Nimbus. Now it's important to determine where users can act in their role. This is where the Organization Unit concept comes into place:

OU structures and RBAC permissions

To understand Organization Units, it is important to know their relationship with Roles and Permissions:

Each configurable element in Nimbus is called a data entity.

Organization Units provide a structure to Nimbus's data entities, e.g. by mirroring a company's organization levels and departments.

Organization Units determine where a configurable data entity is placed.
Each data entity must belong to exactly one Organization Unit. This includes all Nimbus users, as their OUs determines from which "point of view" they can act in their role.

RBAC - Role Based Access Control restricts and grants access within any Organization Unit, e.g. by assigning functions to users according to their role in the organization.

RBAC determines which actions (Create, Read, Update, Delete) are possible on configurable entities.
User roles define sets of action permissions granted within an OU.

User Role Permission Matrix

These tables contain the Role Based Access Concept (RBAC) listed by Nimbus Features distinguished by Frontend (Portal) and Backend (Admin). User permissions are structured by the CRUD (Create, Read, Update, Delete) principle. For functionality that is just interacted with, there is an Execute right.

Portal

Users roles with access to the Nimbus Frontend portal:

Frontend Portal Permissions (Create, Read, Update, Delete)				SUPERVISOR		USER			TEAM / SERVICE OWNER
Frontend Portal Permissions (Create, Read, Update, Delete)				User	Service	Team Member	Skill-Based	Agent	Owner	Owner Limited
My Services			My Services		R	R		R	R	R
			Access Service Settings		E				E	E
			Call on Behalf			E	-	E	E	E
			Users - Self-Active Toggle		N/A	RU		N/A	RU	RU
			Users - Other-Active Toggle		RU	R		N/A	RU	RU
			Pickup			E		N/A	E	E
Service	Dashboard		Dashboard		R	R		R	R	R
			Users List		R	R		R	R	R
			Users - Self-Active Toggle		N/A	RU		N/A	RU	RU
			Users - Other-Active Toggle		RU	R		N/A	RU	RU
			Pickup			E		N/A	E	E
			Today's Reporting KPIs		R	R		R	R	R
	Reporting		Reporting		R	R		R	R	R
			Users Statistics		R	R		R	R	R
			Tasks Heatmap		R	R		R	R	R
	Settings	General	Name		R				RU	R
			Service Display Name		R				RU	R
			Service UPN		R				RU	R
			Application ID		R				R	R
			Organization Unit		R				RU	R
			PSTN Active		R				RU	R
			PSTN E.164 Number		R				RU	R
			Opening Hours		RU				RU	RU
			Reporting - SLA		RU				RU	RU
			Reporting - User Statistics		R				R	R
		Workflow	Active Workflow		R				RU	R
		Workflow	Voice Message Channel		R				RU	R
		Distribution	User Assignement Type		R				RU	R
			Distribution Policy		R				RU	R
			Users Immediatly Active		R				RU	R
			Conversation Distribution (Busy, Away)		R				RU	R
			Conversation Distribution (Available, DND, Offline)		R				R	R
			Task Priority		R				RU	R
			After Call Work (ACW)		R				RU	R
			RONA		R				RU	R
			Outbound		R				RU	R
		Context	Portal & Assistant Context		R				RU	R
		Context	Codes (Primary, Secondary)		R				RU	R
		Extensions	My Sessions Dashboard		R				RU	R
		Agents	Service Agents List		R				R	R
			Service Agents Levels and Profiles						RU
			Service Owners List		R				R	R
			Service Owners Levels and Profiles						RU
Frontend Configuration Permissions (Create, Read, Update, Delete)				SUPERVISOR		USER			TEAM / SERVICE OWNER
				User	Service	Team Member	Skill-Based	Agent	Owner	Owner Limited
Configuration	Workflows		Resources (Audio Files)						CRUD	CRUD
			Playlists						CRUD	CRUD
			Workflows (Instances)						CRUD	CRUD
	Codes		Primary Codes						CRUD
	Codes		Secondary Codes						CRUD
	Service		Conversation Context						CRUD
			Parameters						CRUD
			Opening Hours		CRUD				CRUD	CRUD
Dashboard and Reporting Permissions (Create, Read, Update, Delete)				SUPERVISOR		USER			TEAM / SERVICE OWNER
				User	Service	Team Member	Skill-Based	Agent	Owner	Owner Limited
Personal Dashboard			Personal Dashboards			RU		RU	RU	RU
Non Personal Dashboards			Non Personal Dashboards	R	R			R
			Service Supervision	R	R
Dashboard Widgets	Service		Service KPI		R			R	R	R
			Service KPI Tabular		R			R	R	R
			Service KPI Comparison Chart		R			R	R	R
			Service Queue Tabular		R			R	R	R
			Live Service Tasks Tabular		R			R	R	R
			Service Outbound Tasks Tabular		R			R	R	R
	Supervision		Service Supervision		R				R	R
	Supervision		Supervision Controls		E
	User		User State Tabular	R
			User State Chart	R
			User Tile	R
	Common Widgets		Markdown	R	R	R	R	R	R	R
			Date & Time	R	R	R	R	R	R	R
			Embedded Website	R	R	R	R	R	R	R
Reporting (OData)	Service		Sessions		R				R	R
	User		Sessions		R				R	R
	User		States	R

Notes

These roles have access to the Nimbus portal using the following links:

_{Portal URLs:}

Switzerland: https://portal.luware.cloud/
Germany: https://portal.dewe-01.luware.cloud/
UK: https://portal.ukso-01.luware.cloud/

Make sure to configure your web proxies to allow access to these domains or whitelist the complete *.luware.cloud domain.

These roles are granted depending on Service type, as each scenario defines a certain method of User assignment:

User	All Nimbus user accounts are synched from the Customer Tenant's user directory. Users log into Nimbus using O365 credentials, but only see Nimbus services and data when they become Team members or Service Agents respectively.
Team Members	For Auto-Synced to MS Teams Channel roles. No manual assignment needed.
Team Owners	Auto-Synced to MS Teams Channel roles. Automatically granted rights to fully manage the respective Nimbus service. No manual assignment needed.
Skill-Based Users	Contact Center Requires a Contact Center license on the user. Skills are granted via User Administration > "Skills" Tab per user. Skill-based users get tasks distributed via Distribution Policies, based on their Skills and Responsibilities, distributed in pools of users with similar skills assigned. Interaction with Service pages of the Nimbus UI or an associated MS Teams channel is not necessarily required.
Service Agents	Contact Center Requires a Contact Center license on the user . Role is granted via Service Administration > "Permissions " Tab per service. Compared to Skill-based users, Agents have access to additional Service Portal UI elements. An associated Microsoft Teams channel is not required.
Service Owner	Contact Center Requires a Contact Center license on the user. Manually granted via Service Administration > "Permissions " Tab. An associated Microsoft Teams channel is not required.
Supervisor	Contact Center Requires a Contact Center license on the user. An addition to an Owner-type role, manually granted via User Administration > Roles Tab. Can access Power BI OData interface to access extended User State reporting. LIMITATION BY DESIGN If a user has only Supervisor and not a Team Owner / Service Admin role, only the "UserStates" datasets in the report will be shown: UserStates, StateTypes, ResponsibilityProfile, OU, Users. Other tabs and queries in the BI Report may appear blank. → This is intended by design to prevent exposure of individual Service/User/Session data to the wrong audiences. To see a full dataset, the same user also needs a "Service/Team Owner" role assigned.

Admin

User roles with access to the Nimbus Admin panel:

Individual Setting Permissions (Create, Read, Update, Delete)				ADMINISTRATOR
				Tenant	Organization
Overview			Total Services	R
			Call Volume	R
			Total Users	R
Tenant	General	Tenant & Billing Information	Name	R
			O365 Domain	R
			O365 Name	R
			Tentant Id	R
			Tenant Administration Security Group	R
			Tenant Administration Security Group Information	E
			CRM Id
			Partner	R
			Partner Administration Security Group
			Partner Administration Security Group Information
			Billing Address	RU
	Contact	Technical Contact Information	Name	RU
			Email	RU
			Phone Number	RU
			SIP Address	RU
	Data Privacy	Data Privacy Settings	User Identifiers	R
			Customer Identifiers	R
			Track User States	RU
	Provisioning	Provisioning Defaults	Default OU for MS Teams creation	RU
			Allow service provisioning via MS Teams	RU
			Default Team Owner Role	RU
	Extensions	Outbound	Max Scheduled Outbound Tasks per Service	R
		Interact	Interact enabled	RU
			ACS connection string	RU
			O365 UserId	RU
			Widget Key	RE
			Session Recovery Timeout in Seconds	RU
			Authorization	RU
		Assistant	Use Own ACS Instance	RU
		Attendant Console	Global Contact Search MS Graph Filter	RU
		Attendant Console	Team Visibility	RU
		Presence Tracking	Track Presence over Guest Accounts	RU
			Grant Permission	E
			Primary Account	R
			Test UPN (primary)	RU
			Secondary Account	R
			Test UPN (secondary)	RU
Services	Overview	Services	Manage Services	CRUD	CRUD
		Tasks	Task List	RD	RD
			Download Traces	E	E
			Copy Trace Link	E	E
		Provisioning Script	Download Powershell Script	E	E
	Settings	General	Name	RU	RU
			Display Name	RU	RU
			UPN	RU	RU
			Application ID	R	R
			Organization Unit	RU	RU
			PSTN Active	RU	RU
			E.164 Number	RU	RU
			Primary Opening Hours Box	RU	RU
			Secondary Opening Hours Box	RU	RU
			SLA Acceptance Time	RU	RU
			SLA Hangup Time	RU	RU
			User Statistics	RU	RU
			License - Service Type	RU	R
		Workflow	Active Workflow	RU	RU
		Workflow	Voice Message Channel	RU	RU
		Distribution	User Assignement Type	RU	RU
			Distribution Policy	RU	RU
			New Users Immediatly Active	RU	RU
			Conversation Distribution	RU	RU
			Task Priority	RU	RU
			ACW	RU	RU
			RONA	RU	RU
			Outbound Service Call	RU	RU
		Context	Portal Conversation Context	RU	RU
			Assistant Context and Templates	RU	RU
			Primary Codes	RU	RU
			Secondary Codes	RU	RU
		Extensions	My Session Widgets	RU	RU
		Permissions (Skill-Based Services)	Service Agents	RU	RU
		Permissions (Skill-Based Services)	Service Owners	RU	RU
		Users (MS Teams Based Services)	Default Team Owner Role	RU	RU
			Active Toggle	RU	RU
			Team Owner Roles	RU	RU
	Interact	Interact Features	Interact Active	RU	RU
			Restrict Access	RU	RU
			Domain Template	RU	RU
			Integration (Service Snippet)	R	R
Users	Overview		Users	CRUD	CRUD
	Settings	General	Display Name	R	R
			Organization Unit	RU	RU
			First/Last Name	R	R
			UPN	R	R
			O365 ID	R	R
			License Change	RU	RU
		Services	Membership	R	R
		Roles	Roles List	R	R
		Roles	Role Assignment	RU	RU
		Skills	Skill Management	RU	RU
		Profiles	Profile Management	RU	RU
		N/A Reasons	N/A Feature Toggle	RU	RU
		N/A Reasons	Manage N/A Reasons	RU	RU
		Interact	Interact Active	RU	RU
			Allowed Modalities	RU	RU
			Restrict Access	RU	RU
			Domain Template	RU	RU
			Integration (User Snippet)	R	R
		Assistant	Direct Call Templates	CRUD	CRUD
Shared Configuration Permissions (Create, Read, Update, Delete)				ADMINISTRATOR
				Tenant	Organization
Configuration	Resources		Resources (Audio File)	CRUD	CRUD
	Playlist		Play List	CRUD	CRUD
	Workflow		Workflow Instances	CRUD	CRUD
	Workflow Templates		Workflow Templates	CRUD	CRUD
	Primary Codes		Primary Codes	CRUD	CRUD
	Secondary Codes		Secondary Codes	CRUD	CRUD
	Not Available Reasons		Not Available Reasons	CRUD	CRUD
	Conversation Context		Conversation Context	CRUD	CRUD
	Parameters		Parameters	CRUD	CRUD
	Opening Hours		Opening Hours	CRUD	CRUD
	Skills		Skills	CRUD	CRUD
	Skill Categories		Skill Categories	CRUD	CRUD
	Distribution Profiles		Distribution Profiles	CRUD	CRUD
	Responsibility Profiles		Responsibility Profiles	CRUD	CRUD
	Non Personal Dashboards		Non Personal Dashboards	CRUD	CRUD
	Address Books		Name	CRUD	CRUD
	Address Books		Automation Flow Actions	RU	RU
	Domain Templates (CORS)		Domain Templates (CORS)	CRUD	CRUD
	Direct Call Templates		Assistant Direct Call Templates	CRUD	CRUD
	Service Call Templates		Assistant Service Call Templates	CRUD	CRUD
Operations	Service		Call History	R
	Service		Download Trace Files	R
	Customer		Call History	R
	Customer		Download Trace Files	R

Notes

These roles have access to the Nimbus admin backend panel using the following links:

_{Admin Panel URLs:}

Switzerland: https://admin.luware.cloud/
Germany: https://admin.dewe-01.luware.cloud/
UK: https://admin.ukso-01.luware.cloud/

Make sure to configure your web proxies to allow access to these domains or whitelist the complete *.luware.cloud domain.

These roles are granted by Luware Support or selected Service Partners. Details will be discussed during your Onboarding and first Nimbus Installation .

Tenant Administrator	Can perform all necessary activities to set up services. Has full access to the OData Interface for Power BI historical tracking (except User States tracking) → See Supervisor role .
Organization Unit Administrator	Are delegates with the same privileges. However their scope is limited to the configuration, service and user entities within their Organization Units.