Access control overview
Access control gives administrators the ability to create separate units, or divisions, in which to divide and categorize resources, or objects. Administrators can then selectively grant users access to the set of objects. This access includes permission to view, add, edit, and delete objects. Access control also tags data that Genesys Cloud considers a transaction with the divisions it encounters as it travels through the system.
Create divisions to separate business units within the organization
Organizational separation is helpful for organizations that have multiple business units, or business units in different physical locations. Divisions ensure that these business units generally operate independently from other areas, but continue to reside under the primary organization. You can move certain objects into a division and then specify which users can view or manage the objects in that division. Managers, administrators, and other defined roles can only access objects in the divisions to which they are granted permission.
It is important to consider that divisions do not provide complete separation. For example, some objects are not eligible for inclusion in a division, and divisions share some resources such as Edges. If you need a separate business unit for regulatory requirements or sensitive data purposes, best practice recommends that you create separate organizations in Genesys Cloud.
For more information about divisions, see Divisions overview and Create a division.
Determine which users have access to resources and data
Access control considers certain organizational resources and data as objects in Genesys Cloud. The types of objects that apply to access control are configuration objects and transactional objects.
Configuration objects are specific resources within the organization. These resources include:
- Call routing objects
- Coaching appointments
- Contact lists
- Data tables
- Do not contact lists
- Flow milestones
- Flow outcomes
- Learning modules
- Management units
- Message routing objects
- Outbound campaigns
- Schedule groups
Administrators can separately assign individual objects to a division and then selectively grant user access to the objects in that division. A configuration object can only belong to one division. This access includes view, add, edit, and delete. For more information, see Access control configuration objects.
Transactional objects are objects that interact with or travel through the system.
Transactional objects include:
- Voice, callback, chat, email, and message conversations
- Presence history
- Audit data
While these objects are not the only transactional objects that exist in Genesys Cloud, they are the only ones protected by access control. A transactional object can encounter more than one division. For more information, see Access control transactional objects.
Distinguish users as objects vs. users with access
A user can be a configuration object within a division. However, an administrator can also grant a user permission to access a division. It is important to note that moving a user into a division does not give that user access to the data within the division. The user’s data, such as profile information, is part of the division, and users who have the appropriate division permission assigned can access that data.
For example, an administrator moves Danny Cho into the Raleigh division, but Danny Cho does not have permission to manage objects in the Raleigh division. He cannot access any configuration object within the Raleigh division; he cannot edit a queue, add a campaign, or delete a call flow.
However, any user with the add, edit, view, or delete permissions to access users in the Raleigh division can modify Danny Cho’s user data.
Provide access to divisions
You can grant an individual user access to a division, and you can grant access to all users configured within groups. A benefit of access control is the ability to grant appropriate users access to only the objects they intend to manage. For example, you can use access control to allow Supervisors to work only with the agents and queues that they manage. Flow authors can only add, edit, or delete the flows for which they are responsible.
By design, the Agent role has fewer restrictions with access control. For example, an agent can transfer to any queue or user in the system, regardless of the queue’s or user’s division. This behavior ensures that agents can successfully process interactions. Agent A in Division ABC can transfer a call to Agent X in Division XYZ without being granted permission to access Division XYZ.
To provide a user access to a division, an administrator must:
1. Identify an existing role with the appropriate permissions; for example, a default role, or optionally create the role with the appropriate permissions. The administrator can grant this role to multiple users. For more information, see Add roles.
2. Assign the role with the appropriate permissions to a user, unless the user already has the role. For more information, see Grant a role and a division to a user. This task assigns the role with the appropriate permission and the division to a user.
3. Assign the division to the role, if you did not do so in Step 2. To perform this task, do any of the following:
   - Add the division to selected individuals assigned to the role. For more information, see Assign roles in Assign roles, divisions, licenses, and add-ons.
   - Assign the division to groups.
For more information about providing a user access to divisions and granting the ability to move objects, see Access control quick start guide.
In this example, the organization creates three divisions:
- Raleigh, NC: An admin places the Support East, Marketing East, and Sales East queues into this division.
- San Francisco, CA: An admin places the West queues into this division.
- Corporate: This division includes objects that perhaps don’t fit easily into other divisions; in this case, the main menu flow that all customers enter. This flow is not specific to east or west. Depending on the information that customers provide, the system transfers them to the proper division. Examples in the graphic: customer care, priority support.
Now that the administrator has created divisions and assigned objects to each division, the next steps are to create a role, assign the role to the appropriate users, and then assign to those users the divisions for which they are responsible. In this example, the administrator:
- Creates a Supervisor role.
- Grants the Supervisor role the permissions required to create and manage call flows, management units, queues, and outbound campaigns.
- Assigns the Supervisor role to Diane, Jesse, and Sam.
- Gives Diane’s Supervisor role access to the Raleigh division. Diane can only work with the objects in the Raleigh division.
- Gives Jesse’s Supervisor role access to the San Francisco division. Jesse can only work with the objects in the San Francisco division.
- Gives Sam’s Supervisor role access to the Corporate, Raleigh, and San Francisco divisions. Sam can work with objects in all three divisions.
Multiple users can have the same role; however, when you assign divisions to each user’s role, the user can only access objects in those divisions. All three users in our example have the same role, but not all users have the same divisions assigned to that role. Therefore, each user has the same permissions, but to different sets of objects, according to the divisions associated with their role.
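The following added example (not Genesys Cloud code and not its API) models the rules described above as a small evaluator: access requires a grant that pairs a permitting role with the object's own division, which covers both the Diane, Jesse, and Sam example and the Danny Cho case of a user who is an object in a division without having access to it. The `UserAdmin` role, the user `Pat`, the `Support West` queue name, and the kind and action strings are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    name: str
    kind: str      # "queue", "flow", "user", ...
    division: str  # a configuration object belongs to exactly one division

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    division: str  # the role applies only inside this division

ACTIONS = ("view", "add", "edit", "delete")
# Role -> {(object kind, action)}. Kind and action strings are constructed.
ROLES = {
    "Supervisor": {(k, a) for k in ("flow", "management_unit", "queue", "campaign")
                   for a in ACTIONS},
    "UserAdmin": {("user", a) for a in ACTIONS},  # hypothetical role
}

SUPPORT_EAST = Obj("Support East", "queue", "Raleigh")
SUPPORT_WEST = Obj("Support West", "queue", "San Francisco")  # constructed name
MAIN_MENU = Obj("Main menu", "flow", "Corporate")
DANNY = Obj("Danny Cho", "user", "Raleigh")  # user as an object; holds no grant

GRANTS = [
    Grant("Diane", "Supervisor", "Raleigh"),
    Grant("Jesse", "Supervisor", "San Francisco"),
    *(Grant("Sam", "Supervisor", d) for d in ("Corporate", "Raleigh", "San Francisco")),
    Grant("Pat", "UserAdmin", "Raleigh"),  # hypothetical user
]

def can(user: str, action: str, obj: Obj) -> bool:
    """Allow only if a grant pairs a permitting role with the object's division."""
    return any(g.user == user and g.division == obj.division
               and (obj.kind, action) in ROLES[g.role] for g in GRANTS)

def who_can(action: str, obj: Obj) -> list[str]:
    """Audit view: every user whose grants reach this object."""
    return sorted({g.user for g in GRANTS if can(g.user, action, obj)})

if __name__ == "__main__":
    for obj in (SUPPORT_EAST, SUPPORT_WEST, MAIN_MENU, DANNY):
        print(f"{obj.name} ({obj.division}): edit -> {who_can('edit', obj)}")
```

The `who_can` view is the useful one for reviews: it answers who can reach a given object, rather than what a given user can reach.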