Security Group Configuration
In this guide, the term ‘user groups’ covers both OCNCC/OC3C ACS User permission levels (1 - 7) and SMF templates.
N2FE has a default mapping for each of the user groups, but the permission and access levels can be configured.
Configuration
To alter the default security permissions, edit the main N2FE configuration file: `/etc/jarvis/n2fe.xml`
All configured permissions can be found within the `<login module="LoginSMF">` XML element.
Each permission is configured as a parameter of the login XML element.
```xml
<parameter
    name="service_number_create_groups"
    value="ACS_BOSS, ACS_BOSS_WRITE, AcsPermissionLevel6, AcsPermissionLevel7"
/>
```
To change which SMS permission levels have access to a group, add or remove SMS permission levels in the `value` of that group's configuration parameter.
Any security configuration item that is set to the wildcard character `*` will allow all SMS permission levels access to the group.
The group configuration mappings and the resources they grant access to are described below.
Security Group Mappings
| Group Name | Grants | Default security configuration | Description |
|---|---|---|---|
| `login_groups` | `Subscriber Admin`, `ACS_BOSS`, `ACS_BOSS_READ`, `ACS_BOSS_WRITE`, `ACS_READ`, `ACS_WRITE`, `AcsPermissionLevel1`, `AcsPermissionLevel2`, `AcsPermissionLevel3`, `AcsPermissionLevel4`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | | Grants N2FE login access to the specified user groups. |
| `admin_read_groups` | `__AdminRead` | `ACS_BOSS_READ`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view data for all Customers, Service Numbers, Users and Flows. Applied to SMF users this will grant them full access globally. Applied to ACS users this will grant them full access for any data associated with their customer. |
| `admin_write_groups` | `__AdminWrite`, `__AdminRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and perform write actions for all Customers, Service Numbers, Users and Flows. Applied to SMF users this will grant them full access globally. Applied to ACS users this will grant them full access for any data associated with their customer. |
| `admin_delete_groups` | `__AdminDelete`, `__AdminRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and perform delete actions for all Customers, Service Numbers, Users and Flows. Applied to SMF users this will grant them full access globally. Applied to ACS users this will grant them full access for any data associated with their customer. |
| `customer_view_groups` | `__CustomerRead` | `*` | Any user granted this group will be able to view data for a customer within the remit of their user type. |
| `customer_create_groups` | `__CustomerCreate`, `__CustomerRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and create new customers within the remit of their user type. |
| `customer_update_groups` | `__CustomerUpdate`, `__CustomerRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `ACS_WRITE` | Any user granted this group will be able to view and update a customer's details within the remit of their user type. |
| `user_view_groups` | `__UserRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view ACS users associated with customers within the remit of their user type. |
| `user_create_groups` | `__UserCreate`, `__UserRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and create ACS users associated with customers within the remit of their user type. |
| `user_update_groups` | `__UserUpdate`, `__UserRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `ACS_WRITE`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and update ACS users associated with customers within the remit of their user type. |
| `user_delete_groups` | `__UserDelete`, `__UserRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and delete ACS users associated with customers within the remit of their user type. |
| `service_number_view_groups` | `__ServiceNumberRead` | `*` | Any user granted this group will be able to view Service Numbers associated with customers within the remit of their user type. |
| `service_number_create_groups` | `__ServiceNumberCreate`, `__ServiceNumberRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and create Service Numbers associated with customers. |
| `service_number_delete_groups` | `__ServiceNumberDelete`, `__ServiceNumberRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `ACS_WRITE`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and delete Service Numbers associated with customers within the remit of their user type. |
| `service_number_view_profile_groups` | `__ServiceNumberProfileRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `ACS_WRITE`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view the service number profile. Without this role the service number profile will be hidden from the user in the GUI regardless of which profile fields are configured to be shown/hidden by other N2FE configuration. |
| `service_number_update_profile_groups` | `__ServiceNumberProfileRead`, `__ServiceNumberProfileUpdate` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `ACS_WRITE`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to update the profiles of service numbers that they can view. Without this group, users may be able to view the profile (if service_number_view_profile is available to them), but not edit the profile. |
| `service_number_view_schedule` | `__ServiceNumberScheduleRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `ACS_WRITE`, `AcsPermissionLevel3`, `AcsPermissionLevel4`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view the current and historical service number schedule. Without this role the service number schedule will be hidden from the user in the GUI. |
| `service_number_update_schedule_groups` | `__ServiceNumberScheduleRead`, `__ServiceNumberScheduleUpdate` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `ACS_WRITE`, `AcsPermissionLevel3`, `AcsPermissionLevel4`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to update the schedules of service numbers that they can view. This includes creating a new schedule. Without this group, users may be able to view the schedule (if service_number_view_schedule is available to them), but not change any part of the schedule. |
| `flow_view_groups` | `__FlowRead` | `*` | Any user granted this group will be able to view Flows associated with customers within the remit of their user type. |
| `flow_create_groups` | `__FlowCreate`, `__FlowRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and create Flows associated with customers within the remit of their user type. |
| `flow_update_groups` | `__FlowUpdate`, `__FlowRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `ACS_WRITE`, `AcsPermissionLevel2`, `AcsPermissionLevel3`, `AcsPermissionLevel4`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7`, `__SnUser` | Any user granted this group will be able to view and update Flows associated with customers within the remit of their user type. |
| `flow_delete_groups` | `__FlowDelete`, `__FlowRead` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `AcsPermissionLevel5`, `AcsPermissionLevel6`, `AcsPermissionLevel7` | Any user granted this group will be able to view and delete Flows associated with customers within the remit of their user type. |
| `cdr_view_groups` | `__CdrRead` | | Any user granted this group will be provided access to view the Call Data Records for Service Numbers associated with customers within the remit of their user type. |
| `service_data_view_groups` | `__ServiceDataRead` | `*` | Any user granted this group will be provided read only access to all remaining application endpoints. This will include information endpoints such as Timezones, Announcements, Geography Sets. |
| `mf_identifier_view_groups` | `__MFIdentifierRead` | `ACS_BOSS` | Any user granted this group will be able to view but not update the MF identifier for flows they can access. |
| `mf_identifier_update_groups` | `__MFIdentifierRead`, `__MFIdentifierUpdate` | `ACS_BOSS` | Any user granted this group will be able to view and update the MF identifier for all flows they can access. |
| `manage_alternative_activation_groups` | `__ManageAlternativeActivation` | `ACS_BOSS`, `ACS_BOSS_WRITE`, `ACS_WRITE` | Any user granted this group will be able to activate or deactivate the alternative flows state in N2FE. Further, they will be able to activate or deactivate the alternative termination number state in N2FE. They will also be able to manage the list of alternative termination numbers. Note that without this group, users will still be made aware if either the alternative termination number or flow state is active, and any user with the ability to edit flows will be able to edit alternative flows - regardless of their access to this group. |
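
Because a `*` value opens a group to every SMS permission level, it is worth checking an edited configuration for wildcards on groups that change data, and for what a low permission level ends up with. The following audit sketch is an added example, not part of N2FE or its documentation. It assumes a `<config>` wrapper element and constructed parameter values, and it treats every `<parameter>` inside the login element as a group list.

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration. Only the <login module="LoginSMF">
# element and its <parameter name=... value=.../> children follow the page;
# the <config> wrapper and the values are assumptions made for this example.
SAMPLE = """<config>
  <login module="LoginSMF">
    <parameter name="login_groups" value="ACS_BOSS, ACS_READ, AcsPermissionLevel1"/>
    <parameter name="customer_view_groups" value="*"/>
    <parameter name="flow_delete_groups" value="*"/>
    <parameter name="admin_write_groups" value="ACS_BOSS, AcsPermissionLevel1"/>
    <parameter name="service_number_create_groups"
               value="ACS_BOSS, ACS_BOSS_WRITE, AcsPermissionLevel6, AcsPermissionLevel7"/>
  </login>
</config>"""

# Name fragments of the group parameters in the table that allow changing data.
MUTATING = ("_create_", "_update_", "_delete_", "admin_write", "manage_")

def load_groups(xml_text):
    """Map each parameter name to the set of user groups in its value."""
    root = ET.fromstring(xml_text)
    login = next((e for e in root.iter("login")
                  if e.get("module") == "LoginSMF"), None)
    if login is None:
        raise ValueError("no <login module='LoginSMF'> element found")
    return {p.get("name"): {v.strip() for v in p.get("value", "").split(",")
                            if v.strip()}
            for p in login.findall("parameter") if p.get("name")}

def wildcard_writes(groups):
    """Mutating group parameters that the wildcard opens to every user group."""
    return sorted(n for n, members in groups.items()
                  if "*" in members and any(f in n for f in MUTATING))

def access_for(groups, user_group):
    """Group parameters that apply to one user group, wildcards included."""
    return sorted(n for n, members in groups.items()
                  if user_group in members or "*" in members)

if __name__ == "__main__":
    cfg = load_groups(SAMPLE)
    print("wildcard on mutating groups:", wildcard_writes(cfg))
    print("AcsPermissionLevel1 gets:", access_for(cfg, "AcsPermissionLevel1"))
```

Run against a copy of the real file by passing its contents to `load_groups` in place of `SAMPLE`; any name returned by `wildcard_writes` is a create, update or delete group left open to all permission levels.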