Security and User Permissions
Overview
This document highlights how Keycloak is integrated with Unified Admin and AgentDesk regarding user authorization. For user authorization, one needs to set up resources within the EF realm and assign scopes to the resources. In Keycloak, there are two ways to manage user authorization, i.e. Role-based access, Scope-based permissions. We use Role-based access to authorize user roles and permissions to access a resource.
See Keycloak Client Resource Management Setup to understand how to create roles, users, scopes, and resources on Keycloak.
See Keycloak Configuration to see how to configure Keycloak once the Expertflow software is installed.
User Authorization with AgentDesk
All necessary resources and scopes of AgentDesk are automatically added within Keycloak on importing the expertflow realm.
The following resources and scopes mapping are predefined within Keycloak when you import the expertflow realm. See Keycloak Configuration to learn more about it.
Resource - Scope Mapping
| Resource | Description | View Scope | Manage Scope |
|---|---|---|---|
| state-change | This includes changing the agent's global as well as MRD state. | Change global (Ready, Not ready) as well as MRD states | N/A |
| customer-list | Manage the customer list and all operations available on the List view. This includes creating customers, editing profiles, and linking customers to conversations. | list, view | create/edit customer, link/relink customer, list, |
| customer-conversation- view | See customer conversation and all operations related to managing a conversation | Current conversation activities (messages exchanged between the customer and the bot before arriving on the agent end), send messages, switch between active chats, all chat controls except those which are protected as a separate, independent resource (Leave chat, e.g.) | View history ( by clicking on "Load more") |
| leave-chat | This gives the ability to leave a chat room by clicking the close icon in the conversation | leave chat | N/A |
| customer-labels (reserve for future) | Manage customer labels | list, assign (pre-generated labels only) | Create, edit, delete, list, assign labels |
| customer-schema | Manage customer schema | list, view | Create, edit, delete, list |
| subscribed-list | This includes all operations related to Subscribed Chats lists (join, end, view chats list) | List, Subscribe/Unsubscribe, and Join chat | End chat (close chat from the Pull-based list) |
| team-announcements (reserve for future) | All operations related to managing team announcements | list, view | Create, edit, delete, list |
| supervisor-dashboard | Viewing dashboards | View (all operations) | N/A |
| Customer labels | All operations related to managing customer labels | list, view, and assign labels (includes dynamic creation of labels) | Create, Edit, and Delete Labels from the Label's list |
Role-Scope Mapping:
| Role | Description | Assigned Scope |
|---|---|---|
| Agent | This contact center agent is supposed to take customer chat requests and answer them. | View (State Change, Customer Labels, Subscribed Lists, Leave Chat, Customer List, Conversation View, Customer Labels), Manage (Customer List, Conversation View) |
| Supervisor | This is a contact center supervisor who manages agents and also takes chat requests. | View (State Change, Subscribed Lists, Leave Chat, Customer Schema, Customer List, Conversation view), Manage (Customer List, Customer Schema, Supervisor Dashboards, Subscribed Lists, Conversation View, Customer Labels) |
| Admin | This is a super user, a contact center admin whose main purpose of logging into the Agent Desk is to define the Customer Schema. | View and manage (all resources) except for the State Change |
User Authorization with Unified Admin
All necessary resources and scopes of Unified Admin are automatically added within Keycloak when you import the expertflow realm.
The following resources and scopes mapping are predefined within Keycloak on importing the expertflow realm. See Keycloak Configuration to learn more about it.
Resource - Scope Mapping
| Resource | Resource Description | View Scope | Manage Scope |
|---|---|---|---|
| routing-engine | This includes everything that comes under this group i.e. agents, queues, MRDs, and attributes. | View | Create, Edit, Delete |
| channel-manager | This includes everything that comes under this group i.e. channel types, channel providers, channel connectors, and channel settings. | View | Create, Edit, Delete |
| bot-settings | This includes bot settings. | View | Create, Edit, Delete |
| general-settings | This includes license and locale info. | View | Create, Edit |
| web-widget | This includes everything that comes under this group. | View | Create, Edit, Delete |
| forms | This includes everything that comes under this group i.e. forms list and form settings. | View | Create, Edit, Delete |
| pull-mode-list | This includes everything that comes under this group i.e. list view and list settings. | View | Create, Edit, Delete |
| reason-code | This includes everything that comes under this group. | View | Create, Edit, Delete |
Role-Scope Mapping:
| Role | Role Description | Scope |
|---|---|---|
| admin | This is the contact center administrator who is supposed to manage system-wide settings. | View, Manage (all*) |
*All means all resources mentioned in the table (Resource-Scope Mapping) above.