This page explains the access concept of Nimbus. In the first part we explain how user rights are synched between Nimbus and MS Teams and where Nimbus acts with standalone concepts. The second part covers Roles available in Nimbus and their detailed permissions.

Introduction

Nimbus has a user roles and permissions system that grants permissions based on a hierarchical Organization Unit structure. By using this concept, access to configuration entities of Nimbus can be granted on a very granular level. To understand this permission system, a few related concepts are explained below.

User roles and sync between MS Teams

Nimbus syncs users from your tenant's user directory. Each user can then be added to a Nimbus role, e.g. as Admin, Owner or Member / Agent of a service. The role determines what a user can do within Nimbus. (info) You can find detailed permissions behind each role explained in the "Role Permission Matrix" table below.

Depending on what Nimbus Service types are being provisioned on your Tenant, the user synchronization and role assignments are handled slightly differently. Nimbus distinguishes by User assignment types.

Examples of user assignment

MS Teams based: A Tenant or Partner Administrator has provisioned a new Service directly within Microsoft Teams.
Nimbus will now automatically sync the Teams Owners and Members as Nimbus Service users, with their respective "Service Owner / Member" role and permissions.

Skill-Based assignment: A Tenant or Partner Administrator has provisioned a new Service via the Service Administration backend. Typical use cases are Contact Center Services that favor a specific Distribution Order, selecting "Agents" with Skills and Responsibilities over a teams-based approach. 
Nimbus service owners and agents are manually assigned via the Service Permissions tab of the respective services.

Services of "User assignment type: None" can remain without users. Examples could be automated IVR or rerouting services that function autonomously after their initial setup.

(info) More details on the assignment type and role naming are also explained in the "Role Permission Matrix" table below.

Access to data entities within an Organization Unit scope

As established previously, Users on your Tenant get roles assigned in order to perform various tasks within Nimbus. Now it's important to determine where users can act in their role. This is where the Organization Unit concept comes into play:

OU structures and RBAC permissions

To understand Organization Units, it is important to know their relationship with Roles and Permissions:

  • Each configurable element in Nimbus is called a data entity.
  • Organization Units provide a structure to Nimbus's data entities, e.g. by mirroring a company's organization levels and departments.
(lightbulb) Organization Units determine where a configurable data entity is placed.
(lightbulb) Each data entity must belong to exactly one Organization Unit. This includes all Nimbus users, as their OU determines from which "point of view" they can act in their role.
  • RBAC - Role Based Access Control restricts and grants access within any Organization Unit, e.g. by assigning functions to users according to their role in the organization.
(lightbulb) RBAC determines which actions (Create, Read, Update, Delete) are possible on configurable entities.
(lightbulb) User roles define sets of action permissions granted within an OU.

User Role Permission Matrix

These tables contain the Role Based Access Concept (RBAC) listed by Nimbus Features distinguished by Frontend (Portal) and Backend (Admin). User permissions are structured by the CRUD (Create, Read, Update, Delete) principle. For functionality that is just interacted with, there is an Execute right.

Portal

User roles with access to the Nimbus Frontend portal:
Frontend Portal Permissions (Create, Read, Update, Delete)

SUPERVISOR

USER

TEAM / SERVICE OWNER

User | Service | Team Member | Skill-Based | Agent | Owner | Owner Limited
My ServicesMy Services
RR
RRR
Access Service Settings
E


EE
Call on Behalf

E-EEE
Users - Self-Active Toggle
N/ARU
N/ARURU
Users - Other-Active Toggle
RUR
N/ARURU
Pickup

E
N/AEE
ServiceDashboardDashboard
RR
RRR
Users List
RR
RRR
Users - Self-Active Toggle
N/ARU
N/ARURU
Users - Other-Active Toggle
RUR
N/ARURU
Pickup

E
N/AEE
Today's Reporting KPIs
RR
RRR
ReportingReporting
RR
RRR
Users Statistics
RR
RRR
Tasks Heatmap
RR
RRR
SettingsGeneralName
R


RUR
Service Display Name
R


RUR
Service UPN
R


RUR
Application ID
R


RR
Organization Unit
R


RUR
PSTN Active
R


RUR
PSTN E.164 Number
R


RUR
Opening Hours
RU


RURU
Reporting - SLA
RU


RURU
Reporting - User Statistics
R


RR
WorkflowActive Workflow
R


RUR
Voice Message Channel
R


RUR
DistributionUser Assignment Type
R


RUR
Distribution Policy
R


RUR
Users Immediately Active
R


RUR
Conversation Distribution (Busy, Away)
R


RUR
Conversation Distribution (Available, DND, Offline)
R


RR
Task Priority 
R


RUR
After Call Work (ACW)
R


RUR
RONA
R


RUR
Outbound
R


RUR
ContextPortal & Assistant Context
R


RUR
Codes (Primary, Secondary)
R


RUR
ExtensionsMy Sessions Dashboard
R


RUR
AgentsService Agents List
R


RR
Service Agents Levels and Profiles




RU
Service Owners List
R


RR
Service Owners Levels and Profiles




RU
Frontend Configuration Permissions (Create, Read, Update, Delete)

SUPERVISOR

USER

TEAM / SERVICE OWNER

User | Service | Team Member | Skill-Based | Agent | Owner | Owner Limited
ConfigurationWorkflowsResources (Audio Files)




CRUDCRUD
Playlists




CRUDCRUD
Workflows (Instances)




CRUDCRUD
CodesPrimary Codes




CRUD
Secondary Codes




CRUD
ServiceConversation Context




CRUD
Parameters




CRUD
Opening Hours
CRUD


CRUDCRUD
Dashboard and Reporting Permissions (Create, Read, Update, Delete)

SUPERVISOR

USER

TEAM / SERVICE OWNER

User | Service | Team Member | Skill-Based | Agent | Owner | Owner Limited
Personal DashboardPersonal Dashboards

RU
RURURU
Non Personal DashboardsNon Personal DashboardsRR

R


Service SupervisionRR




Dashboard WidgetsServiceService KPI
R

RRR
Service KPI Tabular
R

RRR
Service KPI Comparison Chart
R

RRR
Service Queue Tabular
R

RRR
Live Service Tasks Tabular
R

RRR
Service Outbound Tasks Tabular
R

RRR
SupervisionService Supervision
R


RR
Supervision Controls
E




UserUser State TabularR





User State ChartR





User TileR





Common WidgetsMarkdownRRRRRRR
Date & TimeRRRRRRR
Embedded WebsiteRRRRRRR
Reporting (OData)Service Sessions
R


RR
UserSessions
R


RR
StatesR






Notes

These roles have access to the Nimbus portal using the following links:

Portal URLs:

(tick) Make sure to configure your web proxies to allow access to these domains or whitelist the complete *.luware.cloud domain.

(info) These roles are granted depending on Service type, as each scenario defines a certain method of User assignment:

User

All Nimbus user accounts are synched from the Customer Tenant's user directory. Users log into Nimbus using O365 credentials, but only see Nimbus services and data when they become Team members or Service Agents respectively.

Team Members

Auto-synced to MS Teams Channel roles. No manual assignment needed.

Team Owners

Auto-synced to MS Teams Channel roles. Automatically granted rights to fully manage the respective Nimbus service. No manual assignment needed.

Skill-Based Users

Contact Center: Requires a Contact Center license on the user. Skills are granted via User Administration > "Skills" Tab per user. Skill-based users get tasks distributed via Distribution Policies, based on their Skills and Responsibilities, distributed in pools of users with similar skills assigned.

Interaction with Service pages of the Nimbus UI or an associated MS Teams channel is not necessarily required.

Service Agents

Contact Center: Requires a Contact Center license on the user. Role is granted via Service Administration > "Permissions" Tab per service. Compared to Skill-based users, Agents have access to additional Service Portal UI elements.

An associated Microsoft Teams channel is not required.

Service Owner

Contact Center: Requires a Contact Center license on the user. Manually granted via Service Administration > "Permissions" Tab.

An associated Microsoft Teams channel is not required.

Supervisor

Contact Center: Requires a Contact Center license on the user. An addition to an Owner-type role, manually granted via User Administration > Roles Tab. Can access Power BI OData interface to access extended User State reporting.

LIMITATION BY DESIGN If a user has only Supervisor and not a Team Owner / Service Admin role, only the "UserStates" datasets in the report will be shown: UserStates, StateTypes, ResponsibilityProfile, OU, Users. Other tabs and queries in the BI Report may appear blank.
→ This is intended by design to prevent exposure of individual Service/User/Session data to the wrong audiences. To see a full dataset, the same user also needs a "Service/Team Owner" role assigned.

Admin

User roles with access to the Nimbus Admin panel:
Individual Setting Permissions (Create, Read, Update, Delete)

ADMINISTRATOR

Tenant | Organization
OverviewTotal ServicesR
Call VolumeR
Total UsersR
TenantGeneralTenant & Billing InformationNameR
O365 DomainR
O365 NameR
Tenant IdR
Tenant Administration Security GroupR
Tenant Administration Security Group InformationE
CRM Id

PartnerR
Partner Administration Security Group

Partner Administration Security Group Information

Billing AddressRU
ContactTechnical Contact InformationNameRU
EmailRU
Phone NumberRU
SIP AddressRU
Data Privacy Data Privacy SettingsUser IdentifiersR
Customer IdentifiersR
Track User StatesRU
ProvisioningProvisioning DefaultsDefault OU for MS Teams creationRU
Allow service provisioning via MS TeamsRU
Default Team Owner RoleRU
ExtensionsOutboundMax Scheduled Outbound Tasks per ServiceR
InteractInteract enabledRU
ACS connection stringRU
O365 UserIdRU
Widget KeyRE
Session Recovery Timeout in SecondsRU
AuthorizationRU
AssistantUse Own ACS InstanceRU
Attendant ConsoleGlobal Contact Search MS Graph FilterRU
Team VisibilityRU
Presence TrackingTrack Presence over Guest AccountsRU
Grant PermissionE
Primary AccountR
Test UPN (primary)RU
Secondary AccountR
Test UPN (secondary)RU
ServicesOverviewServicesManage ServicesCRUDCRUD
TasksTask ListRDRD
Download TracesEE
Copy Trace LinkEE
Provisioning ScriptDownload Powershell ScriptEE
SettingsGeneralNameRURU
Display NameRURU
UPNRURU
Application IDRR
Organization UnitRURU
PSTN ActiveRURU
E.164 NumberRURU
Primary Opening Hours BoxRURU
Secondary Opening Hours BoxRURU
SLA Acceptance TimeRURU
SLA Hangup TimeRURU
User StatisticsRURU
License - Service TypeRUR
WorkflowActive WorkflowRURU
Voice Message ChannelRURU
DistributionUser Assignment TypeRURU
Distribution PolicyRURU
New Users Immediately ActiveRURU
Conversation DistributionRURU
Task PriorityRURU
ACWRURU
RONARURU
Outbound Service CallRURU
ContextPortal Conversation ContextRURU
Assistant Context and TemplatesRURU
Primary CodesRURU
Secondary CodesRURU
ExtensionsMy Session WidgetsRURU
Permissions (Skill-Based Services)Service AgentsRURU
Service OwnersRURU
Users (MS Teams Based Services)Default Team Owner RoleRURU
Active ToggleRURU
Team Owner RolesRURU
InteractInteract FeaturesInteract ActiveRURU
Restrict AccessRURU
Domain TemplateRURU
Integration (Service Snippet)RR
UsersOverviewUsersCRUDCRUD
SettingsGeneralDisplay NameRR
Organization UnitRURU
First/Last NameRR
UPNRR
O365 IDRR
License ChangeRURU
ServicesMembershipRR
RolesRoles ListRR
Role AssignmentRURU
SkillsSkill ManagementRURU
ProfilesProfile ManagementRURU
N/A ReasonsN/A Feature ToggleRURU
Manage N/A ReasonsRURU
InteractInteract ActiveRURU
Allowed ModalitiesRURU
Restrict AccessRURU
Domain TemplateRURU
Integration (User Snippet)RR
AssistantDirect Call TemplatesCRUDCRUD
Shared Configuration Permissions (Create, Read, Update, Delete)

ADMINISTRATOR

Tenant | Organization
ConfigurationResourcesResources (Audio File)CRUDCRUD
PlaylistPlay ListCRUDCRUD
WorkflowWorkflow InstancesCRUDCRUD
Workflow TemplatesWorkflow TemplatesCRUDCRUD
Primary CodesPrimary CodesCRUDCRUD
Secondary CodesSecondary CodesCRUDCRUD
Not Available ReasonsNot Available ReasonsCRUDCRUD
Conversation ContextConversation ContextCRUDCRUD
ParametersParametersCRUDCRUD
Opening HoursOpening HoursCRUDCRUD
SkillsSkillsCRUDCRUD
Skill CategoriesSkill CategoriesCRUDCRUD
Distribution ProfilesDistribution ProfilesCRUDCRUD
Responsibility ProfilesResponsibility ProfilesCRUDCRUD
Non Personal DashboardsNon Personal DashboardsCRUDCRUD
Address BooksNameCRUDCRUD
Automation Flow ActionsRURU
Domain Templates (CORS)Domain Templates (CORS)CRUDCRUD
Direct Call TemplatesAssistant Direct Call TemplatesCRUDCRUD
Service Call TemplatesAssistant Service Call TemplatesCRUDCRUD
OperationsServiceCall HistoryR
Download Trace FilesR
CustomerCall HistoryR
Download Trace FilesR


Notes

These roles have access to the Nimbus admin backend panel using the following links:

Admin Panel URLs:

(tick) Make sure to configure your web proxies to allow access to these domains or whitelist the complete *.luware.cloud domain.

(info) These roles are granted by Luware Support or selected Service Partners. Details will be discussed during your Onboarding and first Nimbus Installation.

Tenant Administrator
  • Can perform all necessary activities to set up services.
  • Has full access to the OData Interface for Power BI historical tracking (except User States tracking) → See Supervisor role.
Organization Unit Administrator
  • Are delegates with the same privileges. However, their scope is limited to the configuration, service and user entities within their Organization Units.
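
The scoping rule for the two administrator roles, combined with the OU concept from the introduction, can be modelled as a deny-by-default check. This is an added example, not Luware's code. The OU names are constructed, the four settings and their action letters are read from the flattened Admin matrix above (Tenant column first, Organization column second), and the rule that a role granted in an OU also covers its child OUs is an assumption.

```python
from dataclasses import dataclass

ACTIONS = frozenset("CRUDE")  # Create, Read, Update, Delete, Execute

# Constructed OU tree: child -> parent (None marks the tenant root).
OU_PARENT = {"Tenant": None, "Sales": "Tenant",
             "Sales-EMEA": "Sales", "Support": "Tenant"}

# Action letters per (role, setting), as read from the Admin matrix on this page.
MATRIX = {
    "Tenant Administrator": {
        "Manage Services": "CRUD", "Task List": "RD",
        "License - Service Type": "RU", "Application ID": "R"},
    "Organization Unit Administrator": {
        "Manage Services": "CRUD", "Task List": "RD",
        "License - Service Type": "R", "Application ID": "R"},
}

@dataclass(frozen=True)
class Assignment:
    role: str
    ou: str  # the OU in which the role is granted

def in_scope(entity_ou, scope_ou):
    """True if entity_ou is scope_ou or a descendant (assumed inheritance)."""
    seen, node = set(), entity_ou
    while node is not None and node not in seen:  # 'seen' guards against cycles
        if node == scope_ou:
            return True
        seen.add(node)
        node = OU_PARENT.get(node)
    return False

def is_allowed(assignments, action, setting, entity_ou):
    """Allow only if one assignment grants the action AND covers the entity's OU."""
    if action not in ACTIONS or entity_ou not in OU_PARENT:
        return False  # unknown action or unplaced entity: deny
    for a in assignments:
        granted = MATRIX.get(a.role, {}).get(setting, "")
        if action in granted and in_scope(entity_ou, a.ou):
            return True
    return False

if __name__ == "__main__":
    ou_admin = [Assignment("Organization Unit Administrator", "Sales")]
    for action, setting, ou in [("R", "License - Service Type", "Sales-EMEA"),
                                ("U", "License - Service Type", "Sales-EMEA"),
                                ("U", "Manage Services", "Support")]:
        print(action, setting, ou, "->", is_allowed(ou_admin, action, setting, ou))
```

When reviewing role assignments, check both halves separately: an out-of-scope OU and a missing action letter produce the same denial, but they point to different misconfigurations.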