Contact Expert v7.4 for Skype for Business Server
Organizational Hierarchy And Access Control
Introduction
Contact Expert provides the means to set up an organizational hierarchy that reflects a typical customer's corporate structure, so that security schemes can be defined more tightly and follow real-life situations. User accounts can be placed into various organizational units that, together with the Role Based Access Control feature, establish elaborate control over who has access to what, and to what extent, within the system. For example, supervisors limited by hierarchy to a certain organizational level can be configured to be unable to report on agents registered in other organizational units in an entirely different branch of the hierarchy.
What is the Hierarchy
Contact Expert's Hierarchy concept means one or more organizational structures served by a single CE deployment, providing various levels and numbers of organizational units with defined relationships between them.
Hierarchy versus Architecture
The architecture of a Contact Expert deployment means the individual components, including the agent workstations and server computers. The architecture can be a single-server setup, where the server components are deployed onto a single computer, or distributed, where more than one server computer provides the server functionalities of the entire CE deployment.
Do not confuse architecture with the hierarchy. The former refers to the physical deployment while the latter is the sum of the organizational structure of a single or multiple organizations.
Role Based Access Control
Access control is the means to restrict access to system resources to authorized users with proper permissions only. Users (Administrators, Supervisors, etc.) of the portal are granted access and certain privileges to resources and information via access control.
Instead of assigning individual permissions to specific users, Roles are defined with predefined permission sets, therefore users need to be assigned to a specific role to obtain all permissions associated with the role. On top of the default roles, administrators have the ability to set up new roles hand-picking the permissions required.
To view the list of user roles created in the system, navigate to Organization & Access → Portal Users → User Roles in the CE portal.
Resources, Permissions and Roles
A resource is any kind of entity (configurable object) in Contact Expert accessible in the CE portal – for example a Human Agent config, an outbound Campaign, an Email Gateway, a Contact Record, etc. A resource type is a class containing all objects (resources) of the same type – e.g. Agents represents all the Human Agents, Virtual Agents, IVR Channels, etc. in the contact center organization, while Queues & Campaigns refers to all inbound/outbound queue/campaign objects, etc.
A permission is a formal assignment of one particular privilege to a single resource for portal users by authorized persons. In effect users will be able to view different pages and perform different actions on the portal.
A user can have more than one role assigned and therefore many different permissions provided. An effective permission set is the union of all privileges (permissions) assigned via all of the roles. Such privileges can be viewed by certain people.
To view the effective permission set of a user, navigate to Organization & Access → Portal Users → User Accounts → Edit → Effective Permissions.
When having sufficient privileges, you can access the role management options by navigating to Organization & Access → Portal Users → User Roles.
There are 4 types of permissions available for role management over the portal. The following sections describe each of them.
The List Permission
Actually, there is a fifth, hidden permission that is granted to every single role automatically: the ability to list resources on any part of the portal that needs a reference to the given object.
For example, in case an administrator revokes all permissions to the Dial Rules resource for a user because that user will have no business deleting, changing, adding or even viewing the details of the dial rules, that user might still need the ability to select a dial rule for the campaign she does have permissions to control.
View
Provides the ability to view all properties of a resource. For example, if a user is granted the right to view campaigns, he or she is able to retrieve all campaign properties like ID, display name, campaign status, assigned dial rule, business tags, etc.
Create
Provides the ability to create new resources. For example, if a user is granted the right to create campaigns, he or she is able to add a new campaign including the entirety of its properties like ID, display name, campaign status, assigned dial rule, business tags, etc.
Note
The Create permission does not implicitly provide the View permission! If a user is granted the Create right to a resource without also adding the View permission, then the user will effectively have no access to the resource!
Edit
Provides the ability to modify an existing resource. For example, if a user is granted the right to edit campaigns, he or she is able to update an existing campaign's every property like display name, campaign status, assigned dial rule, business tags, etc.
Note
The Edit permission does not implicitly provide the View permission! If a user is granted the Edit right to a resource without also having the View permission, then the user will effectively have no access to the resource!
Delete
Provides the ability to remove irrelevant resources. For example, if a user is granted the delete campaign permission, he or she is able to remove an existing campaign from Contact Expert.
Note
The Delete permission does not implicitly provide the View permission! If a user is granted the Delete right to a resource without also having the View permission, then the user will effectively have no access to the resource!
Controlling Individual Access
Putting all of the above together, when a user wishes to access a resource – e.g. campaigns, agents, recording rules, other configuration – over the CE portal, the system will always combine the user's and the resource's organizational level within the hierarchy with the permissions provided by his/her roles and will evaluate whether access to any particular resource can be allowed or not based on the union of these two. When the hierarchy is not blocking access, then the permission set in the associated role will define the level of access.
Organizational Hierarchy
In CE the hierarchy is founded on the Teams of agents. Many teams can be created, but each can only be assigned to a single Business Unit, of which many can be created as well. Business Units are then organized into Tenants. There are many resources defined in CE. The core business related items like skills, agents, campaigns, etc. are separated on the business unit level to maintain granular access. Some others like dial rules, agent policies, etc. are defined on the tenant level, while items dealing with connecting to the surrounding infrastructure such as the telephony backend, email and data storage, etc. are established on the deployment level.
For detailed description of every resource and the available permissions that can be assigned to these please read Resource Types and Available Permissions.
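The evaluation described above (hierarchy first, then the union of role permissions, with Create/Edit/Delete unusable without View) can be modelled as follows. This is an added example and not Contact Expert's own code; the class and function names, the tuple encoding of a position in the hierarchy, the "at or below the user's own level" scope rule and applying that rule to List are assumptions, and the sample covers business-unit-level resource types only.

```python
# Added example: simplified model of the access rules on this page (not CE code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    grants: frozenset  # of (resource_type, permission) pairs

@dataclass
class User:
    name: str
    scope: tuple       # assumed encoding, e.g. ("TenantA", "Sales")
    roles: list

def effective_permissions(user):
    """Union of the permissions granted by all of the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= role.grants
    return perms

def in_scope(user_scope, resource_path):
    """Assumed rule: a user reaches resources at or below their own level."""
    return resource_path[:len(user_scope)] == user_scope

def can(user, action, resource_type, resource_path):
    if not in_scope(user.scope, resource_path):
        return False                 # hierarchy blocks before roles are consulted
    if action == "List":
        return True                  # implicit permission of every role
    perms = effective_permissions(user)
    if (resource_type, "View") not in perms:
        return False                 # Create/Edit/Delete are unusable without View
    return (resource_type, action) in perms

def unusable_grants(user):
    """Audit: Create/Edit/Delete grants with no View in any of the user's roles."""
    perms = effective_permissions(user)
    return sorted((rt, p) for rt, p in perms
                  if p != "View" and (rt, "View") not in perms)

# Constructed sample roles and users
editor = Role("CampaignEditor", frozenset({("Campaigns", "Edit"), ("Campaigns", "Create")}))
viewer = Role("CampaignViewer", frozenset({("Campaigns", "View")}))
cleaner = Role("AgentCleanup", frozenset({("Agents", "Delete")}))
alice = User("alice", ("TenantA", "Sales"), [editor, cleaner])  # no View anywhere
bob = User("bob", ("TenantA", "Sales"), [editor, viewer])       # View via second role
```

Running the audit on the user's effective set rather than on each role separately avoids flagging a role like the constructed `CampaignEditor` when another assigned role already supplies View.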
Time Zones for Tenants
In case a CE deployment is serving multiple tenants with agents working in separate geographical regions having different time zones, each of these tenants can have their local time zone value associated. This is achieved by having the date and time values of all data stored in the database converted to the UTC time zone. When presenting dates on the portal, the agent application or any of the APIs, the system transforms values on the fly to the time zone designated for the relevant tenant.
Warning
Data in the CE database is stored in the UTC time zone! Any customization created for the system accessing the database directly will have to account for this.
Changing the time zone for an existing tenant
The CE portal does not prohibit the changing of the time zone setting for an existing tenant. But if there are already historical business and system data accumulated for this tenant, there will be a time "jump" when displaying business data in a report, the Agent Application, or via the APIs (e.g. creation times of objects). This is because the historical data was saved with the old time zone information that is now changed.
The system does not transform historical date and time values on data already stored in the database for the tenant as this would put an extreme load on the system for a potentially huge amount of time.
Tip
Please try not to change the time zone information for an existing tenant to avoid "time jumps" in the presented historical data.