This page explains the access concept of Nimbus. In the first part we explain how user rights are synched between Nimbus and MS Teams and where Nimbus acts with standalone concepts. The second part covers Roles available in Nimbus and their detailed permissions.

Introduction

Nimbus has a user roles and permissions system that grants permissions based on a hierarchical structure of Organization Units. By using this concept, access to configuration entities of Nimbus can be granted on a very granular level. To understand this permission system, a few related concepts are explained below.

User roles and sync between MS Teams

Nimbus syncs users from your tenant's user directory. Each user can then be added to a Nimbus role, e.g. as Admin, Owner or Member/Agent of a service. The role determines what a user can do within Nimbus. (info) You can find the detailed permissions behind each role in the "Role Permission Matrix" table below.

Depending on which Nimbus Service types are provisioned on your Tenant, user synchronization and role assignments are handled slightly differently. Nimbus distinguishes between the following user assignment types:

  • MS Teams-based: Directly tied to your "Teams"; the users are automatically added to a Nimbus service.
  • None: For IVR or first-level redirection services.
  • Skill-based: Manual skill assignment of users you add from within your tenant directory.

Examples of user assignment

MS Teams based: A Tenant or Partner Administrator has provisioned a new Service directly within Microsoft Teams.
Nimbus will now automatically sync the Teams Owners and Members as Nimbus Service users, with their respective "Service Owner / Member" role and permissions.

Skill-Based assignment: A Tenant or Partner Administrator has provisioned a new Service via the Service Administration backend. Typical use cases are Contact Center Services that favor a specific Distribution Order, selecting "Agents" with Skills and Responsibilities over a teams-based approach. 
Nimbus service owners and agents are manually assigned via the Service Permissions tab of the respective services.

Services of "User assignment type: None" can remain without users. Examples could be automated IVR or rerouting services that function autonomously after their initial setup.

(info) More details on the assignment type and role naming are also explained in the "Role Permission Matrix" table below.

Access to data entities within an Organization Unit scope

As established previously, Users on your Tenant get roles assigned in order to perform various tasks within Nimbus. Now it's important to determine where users can act in their role. This is where the Organization Unit concept comes into play:

OU structures and RBAC permissions

To understand Organization Units, it is important to know their relationship with Roles and Permissions:

  • Each configurable element in Nimbus is called a data entity.
  • Organization Units provide a structure to Nimbus's data entities, e.g. by mirroring a company's organization levels and departments.
(lightbulb) Organization Units determine where a configurable data entity is placed.
(lightbulb) Each data entity must belong to exactly one Organization Unit. This includes all Nimbus users, as their OU determines from which "point of view" they can act in their role.
  • RBAC - Role Based Access Control restricts and grants access within any Organization Unit, e.g. by assigning functions to users according to their role in the organization.
(lightbulb) RBAC determines which actions (Create, Read, Update, Delete) are possible on configurable entities.
(lightbulb) User roles define sets of action permissions granted within an OU.

Role Permission Matrix

Table: Nimbus role based access concept (RBAC)
Columns: Nimbus Role | Access to Backend Admin UI | Access to Frontend Portal UI and Live Call Data | Access to Reporting (BI) OData Interface | Permissions Scope (within the assigned Organization Unit) | Notes

Partner Administrator

(plus) (minus) (minus)

Granted by Luware Support for selected Service Partners.

Tenant Administrator

TENANT ADMIN

(plus) (minus) (plus)

Granted by Luware Support or selected Service Partners.

(lightbulb) Details will be discussed during your Onboarding and first Nimbus Installation.

Organization Unit (OU) Administrator

OU ADMIN

(plus) (plus) (minus)

Role manually delegated by a Tenant Admin via User Administration > Roles. OU Admins can perform most administrative configuration tasks.

(lightbulb) Details will be discussed during your Onboarding and first Nimbus Installation.

Team/Service Owner

TEAM OWNER

(minus) (plus) (plus)
  • Full access to data entities (services, users, configuration) within the assigned organization unit.
  • Can perform all "User / Agent" duties (e.g. take calls, do after-call work)
  • Can access Historical Reporting Data directly from the database, via the Power BI OData Interface, e.g. by using the Power BI Template.

Granted and named depending on Service type

  • Team Owners - For roles auto-synced to an MS Teams channel. Automatically granted rights to fully manage the respective Nimbus service. No manual assignment needed.
  • Contact Center Nimbus Service Owner - a manually granted, Contact Center-exclusive role. Granted via Service Administration > "Permissions" tab. An associated Microsoft Teams channel is not required.

(lightbulb) Regardless of name, both types of "Team/Service Owners" have the same rights to fully configure their own services.

Service Supervisor

SERVICE SUPERVISOR

(minus) (plus) See (info)


(info) Power BI 

    • Can access Power BI OData interface to view service sessions and related user sessions. 
    • No access to extended User States reporting metrics. 

  • No access to
    • Call pickup controls in the frontend UI when applied as standalone role.

Manually granted by a Tenant Admin via User Administration > Roles.

(lightbulb) An optionally granted role to add to any existing user permission set.

Contact Center: Requires a Contact Center license on the user.


User Supervisor

USER SUPERVISOR

(minus) (plus) See (info)


(info) Power BI 


  • No access to
    • Call pickup controls in the frontend UI when applied as standalone role.
    • Service-Metrics in the corresponding frontend Reporting views. → Also refer to the Notes.

Manually granted by a Tenant Admin via User Administration > Roles.

(lightbulb) An optionally granted role to add to any existing user permission set.

Contact Center: Requires a Contact Center license on the user.

KNOWN LIMITATION: If a user has only a Supervisor role and not a Team Owner / Service Admin role, only the "UserStates" datasets in the report will be shown: UserStates, StateTypes, ResponsibilityProfile, OU, Users. Other tabs and queries in the BI Report may appear blank.
→ This is intended by design to prevent exposure of individual Service/User/Session data to the wrong audiences. To see a full dataset, the same user also needs a "Service/Team Owner" role assigned.

User

(Team Member, Service Agent)

TEAM MEMBERS

(minus) (plus) (minus)


Note: Once added to Nimbus, any user can have multiple roles, e.g.

  • Participate as Agent in Team A
  • Service Owner for Team B
  • Supervisor for Team C

You can review the roles of a user via the User Administration > Roles tab.

This role is granted based on Service Type:

  • Team Members - For roles auto-synced to an MS Teams channel. No manual assignment needed.
  • Contact Center Service Agents - a manually granted, Contact Center-exclusive role. Granted via Service Administration > "Permissions" tab.

(lightbulb) All Nimbus user accounts are synched from the Customer Tenant's user directory. Users log into Nimbus using O365 credentials, but only see Nimbus services and data when they become Team members or Service Agents respectively.
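
An access-review sketch for the matrix above, added here as an example and not Luware's code: it folds the roles a user holds into one summary and flags backend admins, supervisors with limited BI data, and standalone supervisors. The union of roles, the three-level BI value, the finding names and all user, team and OU names are assumptions of this example.

```python
from collections import defaultdict

# Role -> (backend admin UI, frontend portal UI, BI OData level), as read from the
# Role Permission Matrix on this page; "limited" stands for its "See (info)" cells.
MATRIX = {
    "Partner Administrator": (True, False, "none"),
    "Tenant Administrator": (True, False, "full"),
    "OU Administrator": (True, True, "none"),
    "Team/Service Owner": (False, True, "full"),
    "Service Supervisor": (False, True, "limited"),
    "User Supervisor": (False, True, "limited"),
    "User": (False, True, "none"),
}
BI_RANK = {"none": 0, "limited": 1, "full": 2}
SUPERVISOR_ROLES = {"Service Supervisor", "User Supervisor"}

def effective_access(assignments):
    """Fold (user, role, scope) rows into one summary per user (assumed: roles form a union)."""
    held = defaultdict(lambda: defaultdict(list))
    for user, role, scope in assignments:
        if role not in MATRIX:  # fail closed on a role the matrix does not define
            raise ValueError(f"unknown role {role!r} for user {user!r}")
        held[user][role].append(scope)
    report = {}
    for user, roles in held.items():
        backend = any(MATRIX[r][0] for r in roles)
        bi = max((MATRIX[r][2] for r in roles), key=BI_RANK.get)  # highest level wins
        findings = []
        if backend:
            findings.append("backend-admin")  # privileged: review who holds it
        if bi == "limited":
            findings.append("bi-limited")  # supervisor without a full-BI role
        if set(roles) <= SUPERVISOR_ROLES:
            findings.append("standalone-supervisor")  # no call pickup controls
        report[user] = {"backend": backend, "bi": bi, "findings": findings,
                        "frontend": any(MATRIX[r][1] for r in roles),
                        "roles": {r: sorted(s) for r, s in roles.items()}}
    return report

# Constructed sample export: user, team and OU names are invented.
SAMPLE = [
    ("alice", "User", "Team A"), ("alice", "Team/Service Owner", "Team B"),
    ("alice", "Service Supervisor", "Team C"), ("bob", "User Supervisor", "Team C"),
    ("carol", "OU Administrator", "OU Sales"),
    ("dave", "User", "Team A"), ("dave", "Service Supervisor", "Team A"),
]

if __name__ == "__main__":
    print(effective_access(SAMPLE))
```

A "bi-limited" finding marks the case from the KNOWN LIMITATION note, where the user needs a Team/Service Owner role to see the full dataset.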