Role Based Access Control and Organization Unit Structure

In general, the Role Based Access Control (RBAC) system allows for flexible administrator permissions via the assignment of OrganizationUnits (OU) and their underlying teams. 

  • A Tenant Management was implemented by adding a three-level OU Structure and Role Based Access with specific permissions.

  • We have further enhanced the self-service capabilities by introducing the user role of a “Tenant Administrator” and improving the user role of “Team Administrator”. 
    With this new role-based concept, you can administer users and teams in a secure and organized way.


Limitation- Tenant layer only available with manual user provisioning

In order to use the Tenancy feature you need to deactivate AD synchronization.

To disable AD sync: 

  1. Head to the CIC component in your Topology settings.
  2. Disable the AD Sync by setting value for "EnabledAdTeamSync" to "false

(lightbulb) Any existing tenant definitions will remain unaffected by this change.

Summary of Roles with RBAC


Role

Configuration Source

Description

AdministratorSystemActive Directory

System Administrators have full rights.

  • They can add and update tenants for all users and teams.
  • They have full access to all resources, users, mailboxes and opening hours. 
    They can activate teams and/or grant permissions to other administrators.
AdministratorSystemReadOnlyActive Directory

Read Only System Administrators can see all resources like a System Administrator but have no access to change anything in the system.

AdministratorTenantExtendedTeam Manager Configurator

Extended Tenant Administrators can....

  • Have the same rights as Tenant Administrators, plus the following: 
    • Access Team Management in the configuration, e.g. to
      • add, configure and and activate teams.
      • administrate settings existing teams
    • Perform these operations on multiple tenants 
AdministratorTenant

Team Manager Configurator

Tenant Administrators can…

  • Read and update Team settings for activated teams such as:
    • Change workflow assignment
    • Placeholders
    • Opening Hours Boxes
    • Presence Mapping & Forward Settings
    • Activate / Deactivate Team Members
    • Add / Remove Team Members
    • Nominate Team Administrators
    • Read and update voicemail targets
  • Manage (CRUD) users in the the system
  • Read and update user details and team membership settings
  • Manage (CRUD) workflow resources
  • Manage (CRUD) opening hour calendars
  • Manage (CRUD) standby duty hours
  • Read Reporting information
AdministratorTeam

Team Administrator Configuration in TM FE

Team Manager Configurator

Team Administrator can…

  • Read and update Team settings for activated teams such as:
    • Placeholders
    • Forward Settings
    • Activate / Deactivate Team Members
    • Read and update voicemail targets
  • Manage (CRUD) workflow resources
  • Read and Update opening hour calendars for their teams
  • Read and Update standby duty hours for their teams
  • Read Reporting information
TeamMember

Team Membership Configuration in TM FE in case of manual user provisioning

Active Directory in case of Active Directory synchronization

Team Member can ...

  • Log in to Frontend and see the Home Page
  • Manage their Team Choice settings if they are enabled by the Administrator