Identity and Access Management

Expertflow CX Identity and Access Management

Introduction

Expertflow CX implements enterprise-grade identity and access management through Keycloak-based IAM services. This documentation outlines the security architecture, deployment configurations, and operational procedures for managing user authentication and resource authorization within the CX platform.

The IAM system provides dual-layer security control: authentication validates user credentials and establishes identity, while authorization enforces resource-level access policies based on assigned roles and permissions.

System Architecture:

Identity Provider (Keycloak)

  • Administrative interface for user management

  • OIDC and SAML protocol support

  • Token-based session management

Access Control Framework

  • Role-based access control (RBAC), group-based access control (GBAC) and aggregated access control, implemented in policies.

  • Hierarchical permission structure.

  • Resource-level authorization enforcement.

  • Scope-based authorization for REST end-points and CX resources.

Security Layer Integration

  • API Gateway authentication and authorization middleware via APISIX.

  • Application-level security enforcement.

  • Cross-platform SSO capabilities, e.g. Finesse.

User Administration

Administrative Interface Access

Keycloak administrative features are accessible through the web console at https://[server-fqdn]/auth. Administrative privileges within the CX environment are managed via either admin or agent permissions, which provide granular control over user permissions and system access.

Permission Management Framework

The system implements a multi-tier permission structure accommodating both broad operational roles and specific functional requirements:

Primary Role Classifications:

  • Admin: Full system configuration and management capabilities. The business admin who does business administration such as adding and modifying channels, locale settings, bot configurations, etc. 

  • Supervisor: CX Teams oversight, reporting access, and operational monitoring of assigned agents.

  • Agent: Customer interaction management, conversation management and user profile management. (Further fine-grained permission assignment is based on the assigned group, i.e. senior or normal agent.)

  • Routing Manager: Manages routing policies, MRDs, Queues, steps within Queues, etc.

  • Quality Manager: Evaluation, scheduling and assignment of conversations for performance evaluation of Agents.

  • Evaluator: Evaluation of conversations for performance inspection of Agents.

Granular Access Control: Group-based permissions enable fine-tuned access control for specific features, departmental resources, or business unit requirements. This approach supports complex organizational structures while maintaining security policy consistency.

Reference materials:

User Lifecycle Operations

Administrative tasks encompass user provisioning, role assignment modifications, group membership management, and account status monitoring. The system supports both manual administration and automated user lifecycle workflows. Refer to the user-management settings for the following operations:

  • Account creation and initial role assignment

  • Permission modification and role transitions

  • Group membership administration

  • Account deactivation and cleanup processes

Application Integration

Deployment Architecture Options

Expertflow CX supports multiple deployment configurations to accommodate varying infrastructure requirements and existing system integrations.

Standalone Implementation

Independent deployment provides complete control over the CX environment with dedicated IAM services. Post-deployment configuration requires client setup within the Keycloak instance to establish proper authentication flows.

Keycloak implements authentication through the OpenID Connect protocol and OAuth mechanisms, enabling user authentication via access tokens. Authorization requires additional configuration of resource servers (clients) within the Keycloak realm, along with the associated resources used to manage authorization policies. The system employs RBAC, GBAC and aggregated access control (AAC) to secure API endpoints.
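The following is an added example, not Expertflow's or Keycloak's own code. It models the authorization objects the paragraph above says must be configured on a Keycloak resource server: resources exposing scopes, role-based (RBAC) and group-based (GBAC) policies, an aggregated policy (AAC) that combines them, and permissions that bind a resource or its scopes to policies. The resource, scope, role, group and policy names are constructed for illustration; only the object relationships (policy, permission, resource#scope, and the UNANIMOUS/AFFIRMATIVE decision strategies) follow Keycloak's authorization-services model.

```python
"""
Added example (assumed names, not CX configuration): a small model of a Keycloak
resource server with RBAC, GBAC and aggregated (AAC) policies bound to resource
and scope permissions, evaluated for a given user.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class User:
    username: str
    roles: Set[str]
    groups: Set[str]


@dataclass
class RolePolicy:              # RBAC: grants when the user holds any listed role
    name: str
    roles: Set[str]

    def evaluate(self, user: User) -> bool:
        return bool(self.roles & user.roles)


@dataclass
class GroupPolicy:             # GBAC: grants when the user belongs to any listed group
    name: str
    groups: Set[str]

    def evaluate(self, user: User) -> bool:
        return bool(self.groups & user.groups)


@dataclass
class AggregatedPolicy:        # AAC: combines other policies under a decision strategy
    name: str
    policies: List[object]
    strategy: str = "UNANIMOUS"   # Keycloak's other option is AFFIRMATIVE

    def evaluate(self, user: User) -> bool:
        votes = [p.evaluate(user) for p in self.policies]
        return all(votes) if self.strategy == "UNANIMOUS" else any(votes)


@dataclass
class Permission:
    """Resource-based (scopes empty) or scope-based permission bound to policies."""
    name: str
    resource: str
    policies: List[object]
    scopes: Set[str] = field(default_factory=set)

    def applies_to(self, resource: str, scope: str) -> bool:
        return self.resource == resource and (not self.scopes or scope in self.scopes)

    def evaluate(self, user: User) -> bool:
        return all(p.evaluate(user) for p in self.policies)


# Constructed resource server: resources and the scopes they expose (assumed names).
RESOURCES: Dict[str, Set[str]] = {
    "conversations": {"view", "update", "delete"},
    "routing-policies": {"view", "update"},
}

agent_role = RolePolicy("agent-role", {"agent"})
senior_group = GroupPolicy("senior-agents-group", {"/agents/senior"})
senior_agent = AggregatedPolicy("senior-agent", [agent_role, senior_group])  # both must hold
routing_manager_role = RolePolicy("routing-manager-role", {"routing-manager"})

PERMISSIONS: List[Permission] = [
    Permission("view-conversations", "conversations", [agent_role], {"view"}),
    Permission("modify-conversations", "conversations", [senior_agent], {"update", "delete"}),
    Permission("manage-routing", "routing-policies", [routing_manager_role]),  # all scopes
]


def check_access(user: User, resource: str, scope: str, strategy: str = "UNANIMOUS") -> bool:
    """Decide one resource#scope request. An unknown scope or no applicable
    permission means deny (enforcing mode); otherwise the applicable permissions
    are combined with the resource server's decision strategy."""
    if scope not in RESOURCES.get(resource, set()):
        return False
    votes = [p.evaluate(user) for p in PERMISSIONS if p.applies_to(resource, scope)]
    if not votes:
        return False
    return all(votes) if strategy == "UNANIMOUS" else any(votes)


def granted_permissions(user: User) -> List[dict]:
    """Everything the user may do, in the rsname/scopes shape Keycloak returns to
    a client (such as an API gateway) that asks for the user's permissions."""
    out = []
    for resource, scopes in RESOURCES.items():
        allowed = sorted(s for s in scopes if check_access(user, resource, s))
        if allowed:
            out.append({"rsname": resource, "scopes": allowed})
    return out


if __name__ == "__main__":
    senior = User("sara", {"agent"}, {"/agents", "/agents/senior"})
    print(granted_permissions(senior))
```

The aggregated policy is where the "senior vs. normal agent" distinction mentioned under Permission Management lives: a normal agent satisfies the role policy but not the group policy, so the UNANIMOUS aggregate denies update and delete while view is still granted through the plain role policy.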

Detailed implementation steps are provided in the Keycloak Client Resource Management Setup.

Cisco Finesse Integration

Integration with Cisco Unified Contact Center environments (UCCX/UCCE) maintains existing workflow continuity while adding CX capabilities. Two integration approaches are supported:

Single Sign-On Integration via Finesse Token

  • Uses the Finesse access token to log the user in to CX

Single Sign-On Integration via credentials

  • Supports password reset and sync via Finesse.

  • Maintains Finesse compatibility without access token requirements

Using either of the above authentication methods, you can set up your Finesse environment with Expertflow CX. Syncing is one-way: any change to data in Finesse (a Cisco user, its role or its team) is reflected in Keycloak.

Application Security Enhancement Features

Enhanced security protocols include mandatory or optional multi-factor authentication across all user-facing applications, including AgentDesk and Unified Admin interfaces.

Two-Factor Authentication Channels

There are three two-factor authentication channels implemented in the Keycloak Adapter, which are available to the end user for authenticating with two-factor authentication. These channels are:

  1. Authenticator (Mobile) Apps - Google Authenticator & Microsoft Authenticator

  2. SMS

  3. RSA SecurID

Prerequisites

For SMS Channel:

  • Before configuring two-factor authentication, you must have a Twilio account.

For RSA SecurID Channel:

  • All users must be registered for 2FA with RSA SecurID. The customer themselves will handle the 2FA/OTP registration process, while the Keycloak Connector will only manage the OTP validation mechanism.

Implementation guides:

API Authentication and Authorization

Expertflow CX uses Apache APISIX as the API Gateway of the solution. The API Gateway obtains user permissions from the IAM (Keycloak) for authentication and authorization. The CX Ingress Controller forwards incoming traffic to the API Gateway, which integrates with IAM through the OpenID Connect plugin (openid-connect) for authentication and the authz-keycloak plugin for authorization in order to intercept these requests.

Security Process

The API Gateway is set up to handle both authentication and authorization to securely access resources:

Authentication: The API Gateway checks the access token in the request header to validate the user's identity. This process involves communicating with IAM to verify the token. If the token is invalid, the request is rejected with a 401 status code (unauthenticated).

Authorization: After authentication, the API Gateway ensures the user has permission to access the requested resource. The API gateway uses token introspection to retrieve the list of authorized resources for the user (the owner of the access token) by communicating with IAM. If the user is not authorized to access a resource, the request is rejected with a 403 response.

Role-Based Access Control

Authorization in Expertflow CX is implemented using Role-Based Access Control (RBAC). When a request is made to access a resource, the API gateway checks for the authorized roles and scopes. Expertflow CX has various roles, such as agent, supervisor, quality manager, etc. Each role has its own set of permissions and access levels for specific resources. These permissions and access levels are configurable and can be adjusted based on the use case. See API Authorization - Configuration/Customization Guide.
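The following is an added example, not Expertflow's or APISIX's own code. It models the two checks described in the Security Process and Role-Based Access Control sections above: authentication (the openid-connect plugin validating the bearer token against IAM, modelled here by a constructed token-introspection table) and authorization (the authz-keycloak plugin checking the token owner's granted permissions for the route's resource and scope, together with the role check, modelled by a constructed permission table). Tokens, resources, roles and per-route requirements are illustrative assumptions, not CX configuration.

```python
"""
Added example (assumed tokens, routes and names, not CX configuration): the
gateway's 401 / 403 / 200 decision for a request, in two stages mirroring the
openid-connect (authentication) and authz-keycloak (authorization) plugins.
"""
import re
from typing import Optional

BEARER_RE = re.compile(r"^Bearer\s+(\S+)$")

# Constructed stand-in for IAM's token-introspection endpoint (RFC 7662 shape).
INTROSPECTION = {
    "tok-agent": {"active": True, "sub": "u-100", "username": "alice",
                  "realm_access": {"roles": ["agent"]}},
    "tok-routing": {"active": True, "sub": "u-200", "username": "bob",
                    "realm_access": {"roles": ["routing-manager"]}},
    "tok-expired": {"active": False},
}

# Constructed stand-in for the permissions IAM grants to each token
# (the rsname/scopes shape of a Keycloak permission response).
GRANTED = {
    "tok-agent": [{"rsname": "conversations", "scopes": ["view"]}],
    "tok-routing": [{"rsname": "routing-policies", "scopes": ["view", "update"]}],
}

# Per-route requirements: the resource#scope the route protects and the roles
# allowed to use it (assumed values).
ROUTES = {
    "GET /conversations": {"permission": "conversations#view",
                           "roles": {"agent", "supervisor"}},
    "DELETE /conversations": {"permission": "conversations#delete",
                              "roles": {"agent", "supervisor"}},
    "PUT /routing-policies": {"permission": "routing-policies#update",
                              "roles": {"routing-manager"}},
}


def extract_bearer(authorization: str) -> Optional[str]:
    """Pull the token out of an 'Authorization: Bearer <token>' header value."""
    m = BEARER_RE.match(authorization.strip())
    return m.group(1) if m else None


def authenticate(headers: dict) -> Optional[dict]:
    """Stage 1: return the introspection claims for an active token, else None."""
    token = extract_bearer(headers.get("Authorization", ""))
    if token is None:
        return None
    claims = INTROSPECTION.get(token)
    if not claims or not claims.get("active"):
        return None
    return {**claims, "token": token}


def has_permission(token: str, required: str) -> bool:
    """Stage 2a: does the token's granted permission list cover resource#scope?"""
    resource, _, scope = required.partition("#")
    for perm in GRANTED.get(token, []):
        if perm["rsname"] == resource and (not scope or scope in perm.get("scopes", [])):
            return True
    return False


def has_role(claims: dict, allowed: set) -> bool:
    """Stage 2b: does the token carry at least one of the route's allowed realm roles?"""
    return bool(allowed & set(claims.get("realm_access", {}).get("roles", [])))


def gateway_decision(method: str, path: str, headers: dict) -> int:
    """Return the HTTP status the gateway answers with: 404, 401, 403 or 200."""
    route = ROUTES.get(f"{method} {path}")
    if route is None:
        return 404
    claims = authenticate(headers)
    if claims is None:
        return 401   # unauthenticated: token missing, malformed or inactive
    if not has_role(claims, route["roles"]) or not has_permission(claims["token"], route["permission"]):
        return 403   # authenticated, but not authorized for this resource/scope
    return 200


if __name__ == "__main__":
    for method, path, hdr in [
        ("GET", "/conversations", {"Authorization": "Bearer tok-agent"}),
        ("DELETE", "/conversations", {"Authorization": "Bearer tok-agent"}),
        ("PUT", "/routing-policies", {"Authorization": "Bearer tok-expired"}),
        ("PUT", "/routing-policies", {}),
    ]:
        print(method, path, "->", gateway_decision(method, path, hdr))
```

The ordering matters for what a caller learns: an inactive or missing token is always answered with 401 before any resource lookup, and 403 is only returned once the gateway knows who the caller is, which is the behaviour to look for when verifying a route in APISIX.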

Refer to that guide for an overview of the APISIX plug-ins used for authentication and authorization of APIs, their configuration, and the workflow of APISIX as the application gateway.
