Roles and Permissions

This page explains the access concept of Nimbus. In the first part we explain how user rights are synched between Nimbus and MS Teams and where Nimbus acts with standalone concepts. The second part covers Roles available in Nimbus and their detailed permissions.

Introduction

Nimbus has a user roles and permissions system that grants permissions based on a Organization Units hierarchical structure. By using this concept, access to configuration entities of Nimbus can be granted on a very granular level. To understand this permission system we need to explain a few related concepts in the following.

Concept

Details

Diagram

User roles and sync between MS Teams

Nimbus syncs users from your tenant's user directory. Each user can then added in a Nimbus role, e.g. as Admin, Owner or Member/ Agent of a service. The role determines, what a user can do within Nimbus. You can find detailed permissions behind each role explained in the "Role Permission Matrix" table below.

Depending on what Nimbus Service types are being provisioned on your Tenant, the user synchronization and role assignments are handled slightly different. Nimbus distinguishes by the following User assignment types:

MS Teams-based: Directly tied to your "Teams" the users get automatically added to a Nimbus service
None: For IVR or first-level redirection services
Skill-based: Manual skill-assignment from users you add from within your tenant directory.

Examples of user assignment

MS Teams based: A Tenant or Partner Administrator has provisioned a new Service directly within Microsoft Teams.
Nimbus will now automatically sync the Teams Owners and Members as Nimbus Service users, with their respective "Service Owner / Member" role and permissions.

Skill-Based assignment: A Tenant or Partner Administrator has provisioned a new Service via the Service Administration backend. Typical use cases are Contact Center Services that favor a specific Distribution Order, selecting "Agents" with Skills and Responsibilities over a teams-based approach.
Nimbus service owners and agents are manually assigned via the Service Permissions tab of the respective services.

Services of "User assignment type: None"  can remain remain without users. Examples could be automated IVR or rerouting services that function autonomously after their initial setup.

More details on the assignment type and role naming also explained in the "Role Permission Matrix" table below.

Access to data entities within an Organization Unit scope

As established previously, Users on your Tenant get roles assigned in order to perform various tasks within Nimbus. Now it's important to determine where users can act in their role. This is where the Organization Unit concept comes into place:

OU structures and RBAC permissions

To understand Organization Units, it is important to know their relationship with Roles and Permissions:

Each configurable element in Nimbus is called a data entity.

Organization Units provide a structure to Nimbus's data entities, e.g. by mirroring a company's organization levels and departments.

Organization Units determine where a configurable data entity is placed.
Each data entity must belong to exactly one Organization Unit. This includes all Nimbus users, as their OUs determines from which "point of view" they can act in their role.

RBAC - Role Based Access Control restricts and grants access within any Organization Unit, e.g. by assigning functions to users according to their role in the organization.

RBAC determines which actions (Create, Read, Update, Delete) are possible on configurable entities.
User roles define sets of action permissions granted within an OU.

Role Permission Matrix

Table: Nimbus role based access concept (RBAC)

Nimbus Role	Access to Reporting (BI) OData Interface	Permissions Scope (within the assigned Organization Unit)	Notes
Partner Administrator		Access to: Tenant Administration, Services and User Administration. Manages Resources to be available to all services under the respective tenant(s).	Granted by Luware Support for selected Service Partners.
Tenant Administrator TENANT ADMIN		Access to: Services and User Administration. Manages Resources to be available to all services under the respective tenant. Full access to OData Interface for Power BI historical tracking (except User States tracking) → See User Supervisor role.	Granted by Luware Support or selected Service Partners. Details will be discussed during your Onboarding and first Nimbus Installation .
Organization Unit (OU) Administrator OU ADMIN		Access to data entities related to the organization unit that this user itself is assigned to. Access to: Services and User Administration made available under the respective Organization Units branch. Access Service Configuration, e.g. to manage Resources made available to all services under the respective Organization Units branch.	Manually delegated role by a Tenant Admin via User Administration > Roles. OU Admins can perform most administrative configuration tasks Details will be discussed during your Onboarding and first Nimbus Installation.
Team/Service Owner TEAM OWNER		Full access to data entities (services, users, configuration) within the assigned organization unit. Can manage all Service Settings for the respective services. Can use Configuration items used in the service. Shared items may be provided by Administrators, from a higher Organization Units level. Can perform all "User / Agent" duties (e.g. take calls, do after-call work) Can access to Historical Reporting Data directly from the database, via Power BI OData Interface, e.g. by using the Power BI Template.	Granted and named depending on Service type: Team Owners - For Auto-Synced to MS Teams Channel roles. Automatically granted rights to fully manage the respective Nimbus service. No manual assignment needed. Contact Center Nimbus Service Owner - a manually granted role Contact Center-exclusive role. Granted via Service Administration > "Permissions " Tab. An associated Microsoft Teams channel is not required. Regardless of name, both types "Team/Service Owners" have the same rights to fully configure their own services.
Service Supervisor SERVICE SUPERVISOR	See	Limited access to services and users within the assigned organization unit. Can "read" on most frontend Service views Can manage call metrics-related Service Settings (Opening Hours , SLA). Other options read only. Can manage Personal Dashboards with "Service" type widgets. Can supervise on assigned services within Personal Dashboards. Can change availability for users. Power BI Can access Power BI OData interface to view service sessions and related user sessions. No access to extended User States reporting metrics. No access to Call pickup controls in the frontend UI when applied as standalone role.	Manually granted by a Tenant Admin via User Administration > Roles. An optionally granted role to add to any existing user permission set. Contact Center Requires a Contact Center license on the user.
User Supervisor USER SUPERVISOR	See	Limited access to users within the assigned organization unit. Can manage Personal Dashboards with "User" type widgets. Power BI Can access Power BI OData interface to access extended User State reporting. This monitoring feature must be enabled within Tenant Settings. No access to Call pickup controls in the frontend UI when applied as standalone role. Service-Metrics in the corresponding frontend Reporting views. → Also refer to the Notes.	Manually granted by a Tenant Admin via User Administration > Roles. An optionally granted role to add to any existing user permission set. Contact Center Requires a Contact Center license on the user. KNOWN LIMITATION If a user has only Supervisor and not a Team Owner / Service Admin role, only the "UserStates" datasets in the report will be shown: UserStates, StateTypes, ResponsibilityProfile, OU, Users. Other tabs and queries in the BI Report may appear blank. → This is intended by design to prevent exposure of individual Service/User/Session data to the wrong audiences. To see a full dataset, the same user also needs a "Service/Team Owner" role assigned.
User (Team Member, Service Agent) TEAM MEMBERS		Focus on daily Usage of Nimbus. Can handle incoming calls and make Outbound Service Calls Can access live Reporting as a viewer. Can adjust personal User Settings (e.g. to configure language, permissions) Makes use of additional Nimbus Features such as Attendant Console or Assistant based on the user license. Note: Once added to Nimbus, any user can have multiple roles, e.g. Participate as Agent Team A, Service Owner for Team B, Supervisor for Team C. You can review these roles via User Administration > Roles tab and review the roles of a user.	This role is granted based on Service Type: Team Members - For Auto-Synced to MS Teams Channel roles. No manual assignment needed. Contact Center Service Agents - a manually granted role Contact Center-exclusive role. Granted via Service Administration > "Permissions " Tab. All Nimbus user accounts are synched from the Customer Tenant's user directory. Users log into Nimbus using O365 credentials, but only see Nimbus services and data when they become Team members or Service Agents respectively.