Partition-based Access Controls
Learn about partition-based access controls.
Partition-based access (PBAC) is useful in environments where a single tenant contains several independent organizations (business units). For example, if tenant ORG1 has subaccounts such as BU1, BU2, and BU3, you might require partitioned access to one or more of these subaccounts. Also, administrators must be able to control access to these accounts.
When partition-based access is applied, you only have view access to a specific set of objects. Other types of access are provided by role-based access (RBAC) and Configuration Server permissions. PBAC enhances other types of access, but does not replace them.
Before you begin using PBAC, it's important to understand the terminology being used in this article:
- Partition—A logical, united set of CX Contact objects and External objects accessible to a specific group of CX Contact users. The set of objects includes all object types created by CX Contact or by some other process or application.
- Partition Member—A user with access rights to a particular partition. A user can be a member of zero, one, or several partitions. User access rights to a partition are of type Boolean (access is either allowed or denied).
- Active Partition—The partition that a user has explicitly nominated as current. All new objects are created by the user within this active partition. Only one active partition is associated with each user. Users can switch active partitions if they have access to multiple partitions.
- Partition Assignment—The process of nominating an object into a partition and the serialization of this nomination into Configuration Server.
- CX Contact objects—A set of configuration objects that are created by CX Contact and are considered outbound. For example, calling lists, campaign groups, treatments, scripts of type Outbound (such as outbound list or outbound schedule), and so on.
- External objects—A set of configuration objects that are not created by CX Contact. For example, Agent Groups, DNs, Applications, IVR Profiles, and so on.
- Shared objects—A set of configuration objects that are visible and accessible in all partitions.
Administrators and others who have the appropriate RBAC permissions can manage partitions in the CX Contact UI by creating and deleting partitions.
When you create a new partition and name it, CX Contact automatically creates the <Partition name> Access Group. If an Access Group with the same name exists, CX Contact does not re-create it or generate errors.
You do not need to grant permissions to newly created Access Groups for objects with which they are associated. The only purpose for having a <Partition name> Access Group is to enable user access to the partition.
After CX Contact creates the Access Group, use GAX or Agent Setup to select users who will be members of the group, enabling them to use the CX Contact partition.
When Partitioning is enabled for a Tenant, each user belongs to only one partition at any given time. The first time you log in, you are automatically associated with the first partition that is enabled for you (including all partition Access Groups you are a member of).
When you delete partitions, they are removed from the Tenant settings. Any configuration objects belonging to deleted partitions are not modified in any way and continue to store partition-associated information. This enables you to recreate the partition (using the same name) and automatically retain the association with partition objects.
When PBAC is active, CX Contact assigns each object that it creates to a partition. It assigns objects to the active partition for the user who created them.
When new partitions are created, CX Contact automatically creates an empty Access Group for the partition. The Access Group is named <Partition name> (for example, BU1 or BU2) and is used to add members to the partition. A person automatically becomes a member of the partition when they are assigned to the Access Group.
CX Contact considers configuration objects to be Shared and visible in any partition if they are not associated with a specific partition. Users can gain access to shared objects if they are a member of at least one partition or a member of the CX Contact All Partitions Access Group.
Globally applicable Compliance rules and Suppression Lists that are marked as Required are Shared and therefore are visible across and apply to all partitions.
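The membership, assignment and Shared-object rules above can be modelled in a few lines. This added example (not CX Contact code) goes one step further and shows what name reuse implies: recreating a deleted partition under the same name brings back both the object labels and whatever members the same-named Access Group holds at that time. The Tenant class, the user and object names, and the exact All Partitions group string are constructed for illustration.

```python
ALL_PARTITIONS = "CX Contact All Partitions"  # group named on the page; exact string assumed
class Tenant:
    def __init__(self):
        self.partitions = set()  # partition names in the Tenant settings
        self.groups = {}         # Access Group name -> set of member users
        self.objects = {}        # object name -> partition label (None = Shared)
        self.active = {}         # user -> active partition

    def create_partition(self, name):
        self.partitions.add(name)
        # An Access Group that already has this name is reused as it stands.
        self.groups.setdefault(name, set())
        return sorted(self.groups[name])  # users who are members from the start

    def delete_partition(self, name):
        # Only the Tenant setting is removed; object labels stay untouched.
        # Assumption: the Access Group is left in place as well.
        self.partitions.discard(name)

    def memberships(self, user):
        return sorted(p for p in self.partitions if user in self.groups.get(p, ()))

    def select_active(self, user, name):
        if name not in self.memberships(user):
            raise PermissionError(f"{user} is not a member of {name}")
        self.active[user] = name

    def create_object(self, user, obj):
        self.objects[obj] = self.active[user]  # assigned to the creator's active partition

    def visible(self, user):
        mine = self.memberships(user)
        if not mine and user not in self.groups.get(ALL_PARTITIONS, ()):
            return set()
        act = self.active.get(user)
        # Assumption: a label whose partition was deleted is neither Shared nor visible.
        return {o for o, p in self.objects.items() if p is None or (p == act and act in mine)}

def name_reuse_demo():
    t = Tenant()
    t.objects["required_suppression_list"] = None  # Shared object
    t.create_partition("BU1")
    t.groups["BU1"].add("alice")
    t.select_active("alice", "BU1")
    t.create_object("alice", "bu1_calling_list")
    t.delete_partition("BU1")
    t.groups["BU1"] = {"bob"}              # membership changed while BU1 was deleted
    inherited = t.create_partition("BU1")  # same name: labels and group both carry over
    t.select_active("bob", "BU1")
    return inherited, t.visible("bob"), t.visible("alice")
```

Before recreating a partition name, review the membership of the same-named Access Group in GAX or Agent Setup, since those users become partition members as soon as the partition exists again.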
Currently, CX Contact supports only the Agent Groups External object.
CX Contact can honor External object partition assignments, such as Agent Groups, if the Agent Group is configured as a member of a specific partition.
When Partitioning is enabled for a Tenant, the partition field is added to all CX Contact ES indexes and populated by CX Contact components. Also, actions performed on partitions (create, delete, and select active) are logged in the Audit ES index.
When members of an active partition (for example, Partition A) browse data for Outbound Analytics, they'll see only the data for Partition A, and the data for Shared objects. They cannot see data from other partitions in any of the Outbound Analytics dashboards.
When Partitioning is enabled for the Tenant and the Export Analytics Data job automation is executed for Partition A, the export contains data for Partition A, and the data for the Shared objects for any of the Outbound Analytics ES indexes.