Partition-based Access Controls

From Genesys Documentation
Jump to: navigation, search
This topic is part of the manual Outbound (CX Contact) CX Contact Help for version Current of Outbound (CX Contact).

Learn about partition-based access controls.

Partition-based access (PBAC) is useful in environments where a single tenant has within it several independent organizations (business units). For example, if tenant ORG1 has sub accounts such as, BU1, BU2, BU3 certain users might require partitioned access to one or more of these sub-accounts. Also, administrators must be able to control access to these accounts.

When partition-based access is applied, user have only view access to a specific set of objects. Other types of access are provided by role-based access (RBAC) and Configuration Server permissions. PBAC enhances other types of access, but does not replace them.

Terminology

Before you begin using PBAC, it's important to understand the terminology being used in this article:

  • Partition—A logical, united set of CX Contact objects and External objects accessible to a specific set of CX Contact users. The set of objects includes all object types that can be created by CX Contact or by some other process or application.
  • Partition Member—A user with access rights to a particular partition. A user can be a member of zero, one, or several partitions. User access rights to a partition are of type boolean (access is either allowed or denied).
  • Active Partition—The partition that a user has explicitly nominated as current. All new objects are created by the user within this active partition. Only one active partition is associated with each user. Users can switch active partitions if they have access to multiple partitions.
  • Partition Assignment—The process of nominating an object into a partition and the serialization of this nomination into Configuration Server.
  • CX Contact objects—A set of configuration objects that are created by CX Contact and are considered outbound For example, calling lists, campaign groups, treatments, scripts of type Outbound (such as, outbound list, outbound schedule), etc.
  • External objects—A set of configuration objects that are not created by CX Contact. For example, Agent Groups, DNs, Applications, IVR Profiles, etc.
  • Shared objects—A set of configuration objects that are visible and accessible in all partitions.
Tip
When migrating existing configuration objects, those with no assigned partitions are considered Shared objects and are visible in all partitions until they are manually assigned to a specific partition.

Manage partitions

Administrators and others who have the appropriate RBAC permissions, can manage partitions in the CX Contact UI by creating, and deleting partitions.

To manage partitions in the UI, go to Settings and click the Partitions tab.Partitions_Settings-Enable.png

Important
Administrators can switch Partitioning support on or off in the CX Contact UI anytime if they have the appropriate RBAC privileges. However, they must first create at least one partition before switching Partitioning on.

New partitions

When you create a new partition and name it, CX Contact automatically creates the <Partition name> Access Group. If an Access Group with the same name already exists, CX Contact does not re-create it or generate errors.

You do not need to grant permissions to newly created Access Groups for objects with which they are associated. The only purpose for having a <Partition Name> Access Group is to enable user access to the partition.

Tip
Once a partition is created, you cannot modify it's name, because the Access Group created for that partition is mapped to the partition Name.

After CX Contact creates the Access Group, use GAX or Agent Setup to manually select users who will be members of the group, thereby enabling them to use the CX Contact partition.

Active partitions

When Partitioning is enabled for a Tenant, each user belongs to only one partition at any given time. The first time a user logs in he/she is associated with the first partition enabled for this user (including all of the partition Access Groups of which he/she is a member).

Tip
A user can not be associated with a deleted or non-existent partition.

Deleted partitions

When you delete partitions, they are removed from the Tenant settings. Any configuration objects belonging to deleted partitions are not modified in any way and continue to store partition-associated information. This enables you to recreate the partition (using same name) and automatically retain the association with partition objects.

Assignments

When PBAC is active, CX Contact assigns each object that it creates to a partition. It assigns objects to the active partition for the user who created them.

Partition members

When new partitions are created, CX Contact automatically creates an empty Access Group for the partition. The Access Group is named <Partition name> (for example BU1 or BU2) and is used to add members to the partition. A person automatically becomes a member of the partition when they are assigned to the Access Group.

Tip
Use GAX or Agent Setup to assign users to Access Groups. This task is not done in CX Contact.
If you delete a partition, CX Contact does not automatically delete the Access Group. This means that you can recreate the partition and regain access to the configuration objects assigned to the partition, because the objects are not deleted when the partition is deleted.
Important
If a specific Business Rule exists that requires you to delete all objects in a partition, as well as the partition itself, use the CX Contact UI or the API to do so before deleting the partition. Neither the CX Contact UI or the API support deleting objects in a partition that's been deleted. If required, you must delete these objects externally.

Shared objects

CX Contact considers configuration objects to be Shared and visible in any partition if they are not associated with a specific partition. Users can gain access to shared objects if they are a member of at least one partition or a member of the CX Contact All Partitions Access Group.

Tip
Assigning users to the special, precreated CXContact All Partitions Access Group makes all CX Contact partitions available to them.

External objects

Currently, CX Contact supports only the Agent Groups External object.

Agent Groups

CX Contact can honor External object partition assignments, such as Agent Groups, if the Agent Group is configured as a member of a specific partition.

Tip
Currently, only the Agent Groups External object can be optionally partitioned. All other External objects, such as DNs, Applications, IVR Profiles, etc. are treated as Shared.

Outbound analytics

When Partitioning is enabled for a Tenant, the partition field is added to all CX Contact ES indexes and populated by CX Contact components. Also, actions performed on partitions (create, delete, select active) are logged in the Audit ES index.

When members of an active partition (for example, Partition A) browse data for Outbound Analytics, they'll see only the data for Partition A, plus the data for Shared objects. They cannot see data belonging to other partitions in any of the Outbound Analytics dashboards.

When Partitioning is enabled for the Tenant and the Export Analytics Data job automation is executed for Partition A, the export contains data for Partition A, plus data for the Shared objects for any of the Outbound Analytics ES indexes.

Retrieved from "https://all.docs.genesys.com/PEC-OU/Current/CXContact/PBAC (2022-07-02 19:37:58)"