Role Based Access - RBAC

The WebConfigurator Role Based Access Control (RBAC) allows you assign permissions to users that have been added to Stratus Agent. It is worth noting that Stratus Agent uses the term "Agents" as a subgroup of users, however it is the role assigned in RBAC that enables a user to perform more tasks within Stratus Agent front- and backend.

Stratus Agent distinguishes by the following roles:

A System Administrator has full system-level privileges, not only on Stratus Agent but also on the underlying servers (also called "instances").
This role is reserved for Luware or Luware-trained personnel to configure basic system components of the Stratus Agent server topology.
This user always has all permissions outside of the RBAC system to prevent accidental locking out.
An Administrator mainly acts within the backend Configuration UI. Admins manage Organizational structures and all other Stratus Agent relevant data entities such as as Workflows, Resources and templates. Admins also define visibility of those entities to other users via Role Based Access.
A Supervisor manages basic settings in the for services. As team manager the supervisor also has access to reporting features according to his permissions and may configure Frontend Widgets and Groups to form individualized dashboards for his teams.
An Agent works mostly on the Web FrontEnd. Additionally the Agent Assistantcan be installed on Agent client PCs to handle calls and tasks with more functionality. Agents mostly have very basic viewing permissions on dashboards.

The aforementioned roles are just a common ground to start from. If you hand out full permissions even an "Agent" can access every aspect of Stratus Agent.

Notes to remember

By default new users added via Webconfigurator do not have assigned roles and permissions. Only the System Administrator may access the system to change the configuration at this point.
RBAC permissions are given to individual agents when editing their Agent Roles . It is possible to define one Agent as a template and use his permission set for future users.
RBAC permissions are tied to the Organization Units (OU) structure as framework for inheritance
- A "System" level OU is defined in Stratus Agent as a default, which cannot be superseded by any OU. System privileges will always inherit down to any Sub-OU, even if added later. This will ensure that a System level administrator is never locked out of (any parts of) the system.
- In consequence, saving data entity (e.g. a workflow or trait) defined within on "System" level OU will make it accessible to any child OU.
- On RBAC permission level, all child OU inherit all the permissions contained in an upper (parent) OU.
- The table below lists available roles & permissions independent of OU structures. You can basically define any organizational structure first and then grant these rights as you see fit.

Role and OU mixtures are possible. The roles mentioned in this table can be mixed and matched to have Stratus Agent users perform multiple functions depending on which OU they are in.

Further API-based roles and rights are described on the Stratus Agent API pages.

Administrator Roles

In context of this manual the term "Administrator" ADMINISTRATOR will be used, generally referring to to any admin role mentioned below with according permissions. A "System Administrator" will always have all privileges mentioned below.

Administrator Permissions table. C = Create, R = Read, U = Update, D = Delete

Role	Privileges
System	Has full privileges (any of the rights below) This role is reserved to Luware to prevent accidental lockout. Can log in to both front and backend Defines and configures server topology, user directories and system components Authorizes further users and assigns roles to them in RBAC
Organization Units	Can manage Organization Units (CRUD)
Distribution	Can manage Distribution Policies and Traits (CRUD)
User	Can manage users (CRUD) Performs all Agent Management related tasks in Backend (WebConfigurator) Manages user dependent entities such as: Trait and edit common user settings (First Name, Last Name, Email, SIP URI), Assign Agent/Supervisor Roles
UserReadOnly	As User Administrator but only read access on user details and parts of the settings.
Service	Can manage Configuring Services (CRUD) Manages all service-dependent entities such as: Messages and Standby Duty Notifications Can change Service details to add the previously defined entities
Service Extended	CANNOT manage Configuring Services, but: Can read a subset of service dependent entities Name, Organization Unit, Common Settings (SIP URI, Display Name, Telephone URI, TelSipURI) Can manage a subset of service dependent entities (CRUD) such as: Placeholders, Workflows, Completion Codes
Agent	Can read and update Agent Traits and Duty Profiles for his assigned agents Can read and update Agent Assistant Configurations for his assigned agents Can read several Agent specific user field such as: Common Settings (First Name, Last Name, Email, SIP URI), Organization Unit
Agent Extended	Similar to Agent Administrator but with some limitations such as: CANNOT read Skype for Business relevant settings like Line Uri, Private Line Uri, LYNC POOL REGISTRAR CANNOT read and update settings like Busy on Busy in a call enabled, Can login to Recording manager
AgentReadOnly	Same as Agent Administrator but only with read access on agent traits, profiles and configuration settings
Workflow	Manage (CRUD) Workflows including all dependent entities and resources
Topology	Manage (CRUD) Configure Architecture Component details, Manage Tenants, API tokens, trusted applications
Web	Managing Walls in the Web FrontEnd Read access on all Frontend Widgets and Groups within his Organization Unit
DataPrivacy	Execute related actions in the backend (customer data anonymization). This role is reserved to Luware to prevent accidental data destruction through anonymization. If you want to learn more about this feature, get in contact with Luware support or your Stratus Agent personal administrator.
Roles	This user can freely assign roles and elevate users, up to highest level! Assignthis role sparingly and only to people you know

Supervisor Roles

In context of this manual the term "Supervisor" SUPERVISOR will be used, generally referring to to any role mentioned below with according permissions.

Supervisor Permissions

Area	Role	Privileges
Web FrontEnd	Agent	Can read Frontend Walls Can change Agent traits in the Frontend Can read and update Agent presence states and reset RONA state Can switch Agent Duty Profiles
	Service	Can read Frontend Walls Can read Service states Can Initiate CallBack Tasks and set Emergency Case
	Supervision	Can read Frontend Walls Can initiate Agent Session Supervision and Agent Permanent Supervision
Web Reporting Portal	Agent	Currently unused.
	Customer	Access to the Customer Journey Page
	Service	Access to the Reporting Overview Page and Service Overview Page
(Historic) Reporting (Excel / Power BI SSRS database exports)	Agent	Access to Agent-Related SSRS Reports as well as related facts and dimensions → See: Historic Reporting
	Customer	Access to Customer the corresponding Service-Related SSRS Reports as well as related facts and dimensions → See: Historic Reporting
	Service	Access to all Service-Related facts and dimensions, KPI → See:Historic Reporting

Agent Roles

In context of this manual the term "Agent" AGENT will be used, generally referring to to any role mentioned below with according permissions.

Agent Permissions

Area	Role	Privileges
Web Frontend	Agent	Can Read Frontend Walls Access to Agent-related Widgets
	Service	Can Read Frontend Walls Access to Service-related Widgets