Security Group Configuration

The term ‘user groups’ is used in this guide to describe OCNCC/OC3C ACS User permission levels (1 - 7), and SMF templates.

N2FE ships with a default mapping for each of these user groups, but the permission and access levels granted to each group can be changed in configuration.

Configuration

To alter the default security configuration permissions, changes need to be made in the main N2FE configuration file: /etc/jarvis/n2fe.xml

All configured permissions can be found within the <login module="LoginSMF"> XML element.

Each permission is configured as a parameter of the login XML element.

<parameter
    name="service_number_create_groups"
    value="ACS_BOSS, ACS_BOSS_WRITE, AcsPermissionLevel6, AcsPermissionLevel7"
/>

To change which SMS permission levels have access to a given group, add or remove SMS permission levels from the comma-separated list in the parameter's value attribute.

Any security configuration item whose value is set to the wildcard character * grants all SMS permission levels access to that group.

The group configuration mappings and the resources they grant access to can be found described below.

Security Group Mappings

Each entry below lists the group name, the internal roles the group grants, the default security configuration (the SMS permission levels admitted to the group out of the box), and what the group allows.

Group Name: login_groups
Grants: Subscriber Admin
Default security configuration: ACS_BOSS ACS_BOSS_READ ACS_BOSS_WRITE ACS_READ ACS_WRITE AcsPermissionLevel1 AcsPermissionLevel2 AcsPermissionLevel3 AcsPermissionLevel4 AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Grants N2FE login access to the specified user groups.

Group Name: admin_read_groups
Grants: __AdminRead
Default security configuration: ACS_BOSS_READ AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view data for all Customers, Service Numbers, Users and Flows. Applied to SMF users this will grant them full access globally. Applied to ACS users this will grant them full access for any data associated with their customer.

Group Name: admin_write_groups
Grants: __AdminWrite __AdminRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and perform write actions for all Customers, Service Numbers, Users and Flows. Applied to SMF users this will grant them full access globally. Applied to ACS users this will grant them full access for any data associated with their customer.

Group Name: admin_delete_groups
Grants: __AdminDelete __AdminRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and perform delete actions for all Customers, Service Numbers, Users and Flows. Applied to SMF users this will grant them full access globally. Applied to ACS users this will grant them full access for any data associated with their customer.

Group Name: customer_view_groups
Grants: __CustomerRead
Default security configuration: *
Any user granted this group will be able to view data for a customer within the remit of their user type.

Group Name: customer_create_groups
Grants: __CustomerCreate __CustomerRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and create new customers within the remit of their user type.

Group Name: customer_update_groups
Grants: __CustomerUpdate __CustomerRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE ACS_WRITE
Any user granted this group will be able to view and update a customer's details within the remit of their user type.

Group Name: user_view_groups
Grants: __UserRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view ACS users associated with customers within the remit of their user type.

Group Name: user_create_groups
Grants: __UserCreate __UserRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and create ACS users associated with customers within the remit of their user type.

Group Name: user_update_groups
Grants: __UserUpdate __UserRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE ACS_WRITE AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and update ACS users associated with customers within the remit of their user type.

Group Name: user_delete_groups
Grants: __UserDelete __UserRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and delete ACS users associated with customers within the remit of their user type.

Group Name: service_number_view_groups
Grants: __ServiceNumberRead
Default security configuration: *
Any user granted this group will be able to view Service Numbers associated with customers within the remit of their user type.

Group Name: service_number_create_groups
Grants: __ServiceNumberCreate __ServiceNumberRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and create Service Numbers associated with customers.

Group Name: service_number_delete_groups
Grants: __ServiceNumberDelete __ServiceNumberRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE ACS_WRITE AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and delete Service Numbers associated with customers within the remit of their user type.

Group Name: service_number_view_profile_groups
Grants: __ServiceNumberProfileRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE ACS_WRITE AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view the service number profile. Without this role the service number profile will be hidden from the user in the GUI, regardless of which profile fields are configured to be shown or hidden by other N2FE configuration.

Group Name: service_number_update_profile_groups
Grants: __ServiceNumberProfileRead __ServiceNumberProfileUpdate
Default security configuration: ACS_BOSS ACS_BOSS_WRITE ACS_WRITE AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to update the profiles of service numbers that they can view. Without this group, users may be able to view the profile (if service_number_view_profile is available to them), but not edit the profile.

Group Name: service_number_view_schedule
Grants: __ServiceNumberScheduleRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE ACS_WRITE AcsPermissionLevel3 AcsPermissionLevel4 AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view the current and historical service number schedule. Without this role the service number schedule will be hidden from the user in the GUI.

Group Name: service_number_update_schedule_groups
Grants: __ServiceNumberScheduleRead __ServiceNumberScheduleUpdate
Default security configuration: ACS_BOSS ACS_BOSS_WRITE ACS_WRITE AcsPermissionLevel3 AcsPermissionLevel4 AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to update the schedules of service numbers that they can view. This includes creating a new schedule. Without this group, users may be able to view the schedule (if service_number_view_schedule is available to them), but not change any part of the schedule.

Group Name: flow_view_groups
Grants: __FlowRead
Default security configuration: *
Any user granted this group will be able to view Flows associated with customers within the remit of their user type.

Group Name: flow_create_groups
Grants: __FlowCreate __FlowRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and create Flows associated with customers within the remit of their user type.

Group Name: flow_update_groups
Grants: __FlowUpdate __FlowRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE ACS_WRITE AcsPermissionLevel2 AcsPermissionLevel3 AcsPermissionLevel4 AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7 __SnUser
Any user granted this group will be able to view and update Flows associated with customers within the remit of their user type.

Group Name: flow_delete_groups
Grants: __FlowDelete __FlowRead
Default security configuration: ACS_BOSS ACS_BOSS_WRITE AcsPermissionLevel5 AcsPermissionLevel6 AcsPermissionLevel7
Any user granted this group will be able to view and delete Flows associated with customers within the remit of their user type.

Group Name: cdr_view_groups
Grants: __CdrRead
Default security configuration: (none listed)
Any user granted this group will be provided access to view the Call Data Records for Service Numbers associated with customers within the remit of their user type.

Group Name: service_data_view_groups
Grants: __ServiceDataRead
Default security configuration: *
Any user granted this group will be provided read-only access to all remaining application endpoints. This includes information endpoints such as Timezones, Announcements and Geography Sets.

Group Name: mf_identifier_view_groups
Grants: __MFIdentifierRead
Default security configuration: ACS_BOSS
Any user granted this group will be able to view, but not update, the MF identifier for flows they can access.

Group Name: mf_identifier_update_groups
Grants: __MFIdentifierRead __MFIdentifierUpdate
Default security configuration: ACS_BOSS
Any user granted this group will be able to view and update the MF identifier for all flows they can access.

Group Name: manage_alternative_activation_groups
Grants: __ManageAlternativeActivation
Default security configuration: ACS_BOSS ACS_BOSS_WRITE ACS_WRITE
Any user granted this group will be able to activate or deactivate the alternative flows state in N2FE. Further, they will be able to activate or deactivate the alternative termination number state in N2FE. They will also be able to manage the list of alternative termination numbers.
Note that without this group, users will still be made aware if either the alternative termination number or flow state is active, and any user with the ability to edit flows will be able to edit alternative flows, regardless of their access to this group.
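The following script is an added example (not part of N2FE or this guide) showing how an operator could audit the group parameters described in the Configuration section and the mappings above: it parses the <login module="LoginSMF"> parameters from a file shaped like /etc/jarvis/n2fe.xml, splits each comma-separated value, honours the * wildcard, and reports which groups a given SMS permission level ends up in and which write, update, delete or admin groups have been opened to everyone with *. The embedded XML is a constructed excerpt; one parameter in it (service_number_delete_groups set to *) is deliberately misconfigured so the check has something to flag. The function names are the example's own.

```python
"""Audit the LoginSMF group parameters of an N2FE-style configuration file.

Added example; the XML below is a constructed excerpt, not a real n2fe.xml.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of /etc/jarvis/n2fe.xml. The defaults are
# taken from the mapping table; service_number_delete_groups has been set to
# the wildcard on purpose so the audit reports a finding.
SAMPLE_N2FE_XML = """<?xml version="1.0"?>
<n2fe>
  <login module="LoginSMF">
    <parameter name="login_groups"
      value="ACS_BOSS, ACS_BOSS_READ, ACS_BOSS_WRITE, ACS_READ, ACS_WRITE,
             AcsPermissionLevel1, AcsPermissionLevel2, AcsPermissionLevel3,
             AcsPermissionLevel4, AcsPermissionLevel5, AcsPermissionLevel6,
             AcsPermissionLevel7"/>
    <parameter name="admin_delete_groups"
      value="ACS_BOSS, ACS_BOSS_WRITE, AcsPermissionLevel6, AcsPermissionLevel7"/>
    <parameter name="customer_view_groups" value="*"/>
    <parameter name="service_number_create_groups"
      value="ACS_BOSS, ACS_BOSS_WRITE, AcsPermissionLevel6, AcsPermissionLevel7"/>
    <!-- constructed misconfiguration: a delete group opened to every level -->
    <parameter name="service_number_delete_groups" value="*"/>
    <parameter name="cdr_view_groups" value=""/>
  </login>
</n2fe>
"""

WILDCARD = "*"
# Name fragments that mark a group as granting more than read access.
PRIVILEGED_MARKERS = ("admin", "create", "update", "delete", "manage")


def parse_group_config(xml_text):
    """Return {group_name: set of permission levels} for every <parameter>
    under <login module="LoginSMF">. Values are comma-separated; whitespace
    (including newlines) around each entry is stripped; '*' is kept literally."""
    root = ET.fromstring(xml_text)
    login = root.find("./login[@module='LoginSMF']")
    if login is None:
        raise ValueError('no <login module="LoginSMF"> element found')
    config = {}
    for param in login.findall("parameter"):
        raw = param.get("value", "")
        levels = {item.strip() for item in raw.split(",") if item.strip()}
        config[param.get("name")] = levels
    return config


def groups_for_level(config, level):
    """Sorted list of groups the given SMS permission level is admitted to,
    counting any group whose value contains the wildcard."""
    return sorted(name for name, levels in config.items()
                  if WILDCARD in levels or level in levels)


def wildcard_groups(config):
    """Sorted list of groups opened to every permission level via '*'."""
    return sorted(name for name, levels in config.items() if WILDCARD in levels)


def risky_wildcards(config):
    """Wildcarded groups whose name indicates write/update/delete/admin authority.
    Read-only groups such as customer_view_groups are wildcarded by default and
    are not reported."""
    return [name for name in wildcard_groups(config)
            if any(marker in name for marker in PRIVILEGED_MARKERS)]


def empty_groups(config):
    """Groups with no permission level at all: nobody can reach that resource."""
    return sorted(name for name, levels in config.items() if not levels)


def audit(xml_text, level="AcsPermissionLevel1"):
    """Produce a small report dictionary for the given configuration text."""
    config = parse_group_config(xml_text)
    return {
        "groups_for_level": groups_for_level(config, level),
        "risky_wildcards": risky_wildcards(config),
        "empty_groups": empty_groups(config),
    }


if __name__ == "__main__":
    # Usage: python audit_n2fe_groups.py [/etc/jarvis/n2fe.xml] [PermissionLevel]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_N2FE_XML
    level = sys.argv[2] if len(sys.argv) > 2 else "AcsPermissionLevel1"
    for key, value in audit(text, level).items():
        print(f"{key}: {value}")
```

Run against the real file after any change to the login parameters; a non-empty risky_wildcards list means a create, update, delete, admin or manage group has been opened to every SMS permission level, which the wildcard rule above permits but is rarely intended.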