Role Configuration
Summary
A role is in its basic form a set of permissions assigned to a type of user. An Admin role would have all permissions enabled for example where as a 'Customer' role might only have permissions to add / update tickets and make payments on their account. Roles also define details for sets of accounts such as password security, custom profile questions etc. that you may want to setup / add at the role level.
This article describes how to create, add permissions and how to import predefined role sets for EngageIP.
Role Hierarchy Related to Branded Owners
When branded owners are in use, you may have admin users on the top level owner which are able to manage customer accounts in branded owners below the top level owner. If you wish to assign permissions to top level accounts which can manage branded owner accounts below, you first need a role with appropriate permissions on the top level owner. Also you MUST have the roles listed that the admin user can manage in 'Roles that can be added by this role'. If a role is not in that list, the admin user who has that role applied to their account will not be able to manage accounts with roles NOT defined in 'Roles that can be added by this role'.
In addition, on the branded owner, you need a role with the same name as a role on the top owner - the name needs to match exactly. Then on that role on the branded owner you need to again specify which roles that particular role can manage by adding roles such as 'customer' to the 'Roles that can be added by this role'.
An example would be that you have a role called 'CSR' on the top level owner, CSR is allowed to manage accounts which have a role of 'Customer' but are not allow to manage accounts that have a role of 'CSR'. This would prevent the CSR from elevating his own role or changing his own password etc. On the branded owners you would create a same named role called 'CSR' (on the branded owner, no permission specifically need to be set as the permissions from the top owner will be used) and under the 'Roles that can be added by this role', you would then add any roles that the CSR is allowed to manage, if the roles are identical from the top owner through to the branded owners, then you would just add the role of 'Customer' again to the branded level CSR role which would allow the employee with CSR role to manage anybody with a customer role on the top owner and the branded owner that you've setup.
Top Owner Role:
CSRÂ Role
Roles that can be added by this role:
Customer
Branded Owner
CSR Role
Roles that can be added by this role:
Customer
Â
Note:Â CREATED roles cannot edit the password on accounts that have the 'out of the box' admin role. If you login as an account with a role other than admin, and attempt to change password on tools page for an account with the role 'admin', the system will provide an error saying you are not authorized to do so. This is for security purposes so that general roles cannot update the ROOT role of admin and any users associated to it.
Role Configuration
Definitions:
Name - descriptive name of the role, for example 'Customer Support', 'CSR', 'Support Manager'
Contact Type - contact to be used for emailing when EngageIP sends emails from reports or when
billing
Ticket Assignable - this tells the system that accounts with this role can have tickets assigned
directly to them. i.e. Customers would not usually have this selected as you don't want to assign a
ticket to them (you can create a ticket on the customer, but assigning it to them would usually mean
they need to resolve the ticket)
Password Change - describes the number of days after which the password must be changed. This
is a good security measure
Password Length - describes the required minimum length of the password when adding accounts
with this role or when the user updates his or her password
Password with Numbers - allows forcing the use of letters and numbers rather then just letters
Default Account Creation Status - this defines the status of an account when its first created. Â i.e. if
you click 'Account' link to add the account, by default you may want the account to start as disabled.
This option allows you to define that
Password History length - this defines the number of historical passwords the system remembers
so that you do not use the same password over and over. This number describes how many periods
based on the value in 'Password Change'
Force Password Change After First Login - this will ensure that at first login, the account user
updates his or her password
Failed Login Limit - if when logging in, the user types the password incorrectly, this limits the number
of attempts. i.e. if they attempt incorrectly 5 times as shown in the image below, they would be locked
out for 1 hour before being able to login again
Lockout Duration - amount of time that an account will be prevented from logging in. In the case in
the image below, 1 hour is set
Steps to Create a New Role
Note: For suggested settings see the article Security Best Practices for EngageIP Billing.
Load the Setup page
Under the Accounts and Roles heading click Roles
Click the Add button
Enter a descriptive Name for the role that defines the position
Fill in the detail as needed based on the definitions provided above
Click Save
The last step is to setup permissions which is covered below
Setting Role Permissions
Load the Setup page
Under the Accounts and Roles heading click Roles
Click on the Name of the Role you wish to configure permissions for
Select the permissions required for the role. For more information, you can simply hover the mouse over the name of the permission for detail on where it applies and on which pages it can be found
Note: In order to perform any options such as Add, Delete or Edit the LIST option must be enabled. The List option refers to the table of entries for the permission from where you can perform the other options. For example, if you want to see the packages associated with an account, then you must check the LIST option under the User Package permission. If this is the only permission option enabled then the list of packages will be read only, otherwise if you have EDIT selected you will also be able to perform that action5. Once all the needed permissions are selected, click the Save button at either the top or bottom of the Role Permissions section
Enabling All Permissions for a Role
If you require a user such as an Admin to have full access to the system you may do so, follow the steps below to enable all role permissions for a role.
Load the Setup page
Under the Accounts and Roles heading click Roles
Click on the Name of the Role you wish to configure permissions for
Under the Role Permissions heading click the Select / Unselect All link to toggle all currently set permissions off
Click on the Select / Unselect All link again to toggle all permissions on
Click Save
Importing Predefined Roles
To import a predefined set of roles, download the attached XML import files in the Sample Roles section below. These will define one role each with a set of 'standard' permissions that might be used for said role.
The initial XML rows will look like this:
<RolePermissions>
<Role Role="Payment Center Rep" Owner="admin"/>
<RolePermissions Role="/Owner=Logisense Corporation/Role=Payment Center Rep" Name="BalanceOwnerReport/List"/>
The second row imports the Role itself based on the name (ensure that you do not already have a role with this name imported. If you do, you can remove this line from the XML)
Note:Â If the role exists in EngageIP, in order not to duplicate role permission data in the database, unselect all permissions from the existing role and click save, then import the new set of permissions.
The third row represents the actual permission name. Do not update the permission name here as it is explicit based on naming conventions within EngageIP. Once you have imported the permissions, you can then add / remove specific permissions on the role.
Import Process
Download the role file attached in the Sample Roles section below
Edit the XML files
copy one set of permissions at a time
do a search replace for the dynamic 'Logisense Corporation' owner and replace it with the Owner name you wish to import the roles under
update the Role names if needed in the XML file (these can be updated after importing as well)
save this as a new .xml file with the appropriate role name
import using the migrator tool residing on the webserver as documented here: Data Migration Utility
Sample Roles
Role_Office_Manager  | Role_Customer_Service_Rep |
---|---|
Role_Network_Operations | Role_Technical_Support_Manager |
Role_Technical_Support | Role_Agent |
Role_Payment_Center_Rep | Role_ReadOnly |
Â
Â
Â
Â