Access Control

Overview

Multi-tenancy is a VQ Conference Manager 3.x (VQCM 3.x) feature, primarily intended for service providers and larger enterprise deployments. It allows hosting of more than one Tenant or groups of users on the same system. Multi-tenancy is controlled by Access Control.

Access Control allows users to be grouped; users, calls and endpoints from one Tenant are ring-fenced from other Tenants. Access Control also determines the UX Profile and Space Template types that are available to users of a Tenant.

VQ Conference Manager will always have one “Default Tenant” and may optionally have additional Tenants.

  • “Default Tenant” cannot be deleted
  • “Default Tenant” will, by default, not use the tenanting mechanisms on the Call Bridge

Access Control Services and Tags

VQ Conference Manager uses Access Control to control the data within the system that the different types of users within the system can access or “see”. This controls access/visibility to Space Templates, UX Profiles, MCU/Call Bridges, other users, etc.

Within the system, Access Control comprises two components: the Access Control Tag and the Access Control Service.

The Access Control Tags define the type of “thing” (system resource, user type, Space Template type etc.) and the Access Control Service contains a list of Access Control Tags that a user with an Access Control Service can access or “see”.

Each User in the system therefore has two key properties: their Access Control Tag and their Access Control Service.

Within VQ Conference Manager, there are a set of predefined Access Control Tags:

| Access Control Tag | Description |
| --- | --- |
| System | System Data - Default UX profiles, Default Dashboards and Templates. Things with the Access Control Tag "System" are read-only; they cannot be modified. |
| Everyone | Things within the system that can be used by everyone: Space Templates, Dashboards, UX Profiles, Email Templates and Call Bridges. |
| Administrator | The Administrator Access Control Tag gives Administrators elevated permissions (for example write/delete permissions). |

When VQ Conference Manager creates new Tenants, it also automatically creates a new Tenant Access Control Tag (using the Tenant’s name) and a new Access Control Service for the Tenant. The Access Control Service for the new Tenant will include the following Tags: the new one for the Tenant, Everyone and System.

When new Users are created for the Tenant, they are created with an Access Control Tag and an Access Control Service from the Tenant.

The result of this is that users will be able to access the list of things defined in their Access Control Service (things specific to their Tenant, System things and Everyone things).

The thing to remember with Access Control is that what you can access depends on the Access Control Tags within the Access Control Service. The data returned by the system and displayed in the user interface is controlled by Access Control. On the same page, some users might see no data, others a small number of items and other users might see large numbers of entries.

As an administrator, when creating new types of (for example) Space Templates, one of the settings that needs to be provided is the Access Control Tag for the Space Template. Only users who have the Tag in their Access Control Service will have this type of coSpace Template available when they come to create a new Space.

For the sake of the following examples, we have 3 Tenants: SmallCo, BigCo and OpenCo.

| Operation | Access Control Service | Description |
| --- | --- | --- |
| Access Control Service and Tag automatically created when new Tenant SmallCo is created | The SmallCo Access Control Service will contain: SmallCo, System and Everyone Tags. | Users within SmallCo will be able to access other SmallCo things such as Endpoints and be members of Spaces within SmallCo as well as all System things and those accessible to Everyone. |
| | Administrator’s Access Control Service updated to include SmallCo (SmallCo, Everyone, System, Administrator). | SmallCo Tag is automatically added to the Administrator Access Control Service so that Administrator can access data on the SmallCo Tenant. |
| Access Control Service and Tag automatically created when new Tenant BigCo is created | The BigCo Access Control Service will contain: BigCo, System, Everyone Tags. | Users within BigCo will be able to access other BigCo things such as Endpoints and be members of Spaces within BigCo as well as all System things and those accessible to Everyone. |
| | Administrator’s Access Control Service updated to include BigCo (BigCo, SmallCo, Everyone, System, Administrator). | BigCo Tag is automatically added to the Administrator Access Control Service so that Administrator can access data on the BigCo Tenant. |
| Access Control Service and Tag automatically created when new Tenant OpenCo is created | The OpenCo Access Control Service will contain: OpenCo, System, Everyone Tags. | Users within OpenCo will be able to access other OpenCo things such as Endpoints and be members of Spaces within OpenCo as well as all System things and those accessible to Everyone. |
| | Administrator’s Access Control Service updated to include OpenCo (OpenCo, BigCo, SmallCo, Everyone, System, Administrator). | OpenCo Tag is automatically added to the Administrator Access Control Service so that Administrator can access data on the OpenCo Tenant. |

In a multi-tenanted environment, it is often a requirement to allow different Operators to see different groups of users. This is achieved by creating a new Access Control Tag and Access Control Service, adding to the Access Control Service the list of Tags that the Operators should see (for example, the new Tag, Everyone, System, SmallCo, BigCo) and finally assigning the new Access Control Tag and Access Control Service to the users who are to act as Operators across multiple Tenants. One Operator may see Big Co entities, and another Operator may see Big Co and Small Co. Therefore, the entities a user can see can be asymmetrical.

Note: There is a difference between users who can only see their personal data and those that can see all data at their Access Control Service. The UX Profile, Overview section discusses whether users of the UX Profile see their own “Personal” data or all the data at their Access Control Service. It is intended that Users such as Operators will see all data at their Access Level (so, spanning all the users their Access Control Service covers) and that normal users would only see their own, personal, data (for example, their own calls).
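
The visibility rules above, modelled as an added example (not VQ Conference Manager code): tenant creation, two asymmetric Operator Services, and an audit that lists every Service spanning more than one Tenant. The function names, the Operator-A and Operator-B Services and the sample resources are assumptions made for illustration.

```python
# Simplified model of the Tag/Service visibility rules described above.
# Not VQ Conference Manager code; every function name here is hypothetical.
BUILTIN = {"System", "Everyone"}

def new_system():
    # Assumed starting state: only the Administrator Service exists.
    return {"tenants": set(),
            "services": {"Administrator": {"Administrator"} | BUILTIN}}

def create_tenant(state, name):
    # A Tag and Service named after the Tenant are created, and the Tenant
    # Tag is added to the Administrator Service.
    state["tenants"].add(name)
    state["services"][name] = {name} | BUILTIN
    state["services"]["Administrator"].add(name)

def create_custom_service(state, name, tenant_tags):
    # Manually built Service: its own Tag, the chosen Tenant Tags, System, Everyone.
    state["services"][name] = {name} | set(tenant_tags) | BUILTIN

def visible(state, service, resources):
    # A resource is returned only if its Tag is listed in the caller's Service.
    allowed = state["services"][service]
    return sorted(r for r, tag in resources.items() if tag in allowed)

def cross_tenant_services(state):
    # Audit helper: Services whose Tag list spans more than one Tenant.
    spans = {s: sorted(t & state["tenants"]) for s, t in state["services"].items()}
    return {s: tenants for s, tenants in spans.items() if len(tenants) > 1}

def build_example():
    state = new_system()
    for tenant in ("SmallCo", "BigCo", "OpenCo"):
        create_tenant(state, tenant)
    create_custom_service(state, "Operator-A", ["BigCo"])
    create_custom_service(state, "Operator-B", ["BigCo", "SmallCo"])
    return state

# Constructed sample data: resource name -> Access Control Tag.
RESOURCES = {"smallco-endpoint": "SmallCo", "bigco-endpoint": "BigCo",
             "openco-endpoint": "OpenCo", "default-ux-profile": "System",
             "shared-space-template": "Everyone"}

if __name__ == "__main__":
    state = build_example()
    for service in state["services"]:
        print(f"{service:14} sees {visible(state, service, RESOURCES)}")
    print("spans tenants:", cross_tenant_services(state))
```

The audit output is the list to review periodically: any Service other than Administrator that appears there grants visibility across the Tenant ring-fence.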

Creating an Access Control

VQ Conference Manager automatically creates an Access Control Service and Tag as part of creating a Tenant.

  1. Navigate to the Tenants view
  2. Select New Tenant

  3. Complete the New Tenants Fields

    The following table describes the mandatory fields, which are marked with an asterisk.

    | Field | Description |
    | --- | --- |
    | Name* | Tenant Name. |
    | UX Profile* | Select from the drop down list. For example, "User". Note: you can only import one UX Profile type for each Tenant for each LDAP import. Therefore, as the majority of the users imported from LDAP will be of the UX Profile type "User", in most instances, "User" should be selected. |
    | Template* | Select from the drop down list. The Template defines the coSpaceTemplate which will be used when users are created for this Tenant during the LDAP import process. |
    | User Locale* | Select from the drop down list. The User Locale defines how certain types of information are presented. For example, if you select "en-GB" dates will display in UK format (dd/mm/yy and 24 hour times). If you select "en-US" dates will display in US format (mm/dd/yyyy and AM/PM time). |
    | Timezone* | Select from the drop down list. |

    Table 1: Mandatory fields for creating a new Tenant

  4. Select Done

Note: When you create a new Tenant, the Service, User and Endpoint Access Control fields do not display. VQ Conference Manager automatically creates these Access Control definitions with the same name as the Tenant you are creating and assigns them accordingly. Once created, if you go back and select the Tenant, these fields will display.

You can now see that the Service, User and Endpoint ACL Tags have been created for Big Co.

After you run the LDAP import, the users, in this example, for Big Co will see the users, endpoints, calls, Call Bridges etc. for BigCo only.

Creating Custom Access Controls

Each user on VQ Conference Manager is associated with a Tenant, and each Tenant has an Access Control. However, certain users, for example Operators, may work in a multi-tenanted environment, where they need to see activity for more than one Tenant. In this case, a new Access Control Tag and Service needs to be created manually.

Note: User types "Administrator" and "Super User" can perform this function.

In the example which follows, we will create a new Access Control Tag and Service called East Coast Operators, who will be able to see Big Co, Small Co and Open Co.

  1. From the System view select ACLs.
  2. Select New ACL
  3. Create a new Access Control Name and give it the type Service – e.g. East Coast Operator>Service

  4. Select Done
  5. Select New ACL again
  6. Create a new Access Control Name and give it the type Tag – e.g. East Coast Operator>Tag

  7. Select Done
  8. View the Access Control list again and select East Coast Service
  9. Select Add and select the East Coast Operator Tag from the drop down list

  10. Select OK
  11. Repeat Steps 8 and 9 for each of the Tags you wish to add to the East Coast Operator Service. In this example, Big Co, Small Co and Open Co

    Note: Remember to also add the System and Everyone Tags to this Access Control. The System Tag enables the default UX Profiles, Dashboards and Templates to be available to the users and the Everyone Tag enables the actual Space Templates, Dashboards, UX Profiles and Email Templates to be available.

Navigate to System > ACLs and select East Coast Service from the Access Control list to see all the Tags that have been added to it.

Writeable Property

When creating an Access Control Service and Tag manually, you can choose whether the users within the Access Control Service can change properties at the system level or not, by making them Writeable. For example, if you wanted to allow East Coast Operators to be able to change the properties of Space Templates for all the Access Control Services they can see, you would check the Writeable check box.

Removing Tags from Services

When you create a custom Access Control, you can remove the Tags from the Service.

  1. Navigate to System>ACLs
  2. Select the Access Control Service you require
  3. Select Delete for the Tags you want to delete

Deleting Access Control Services and Tags

This is done in one of two ways, depending on whether the Access Control Service and Tag were system generated as part of creating a Tenant or created manually as part of creating a custom Access Control.

Deleting system generated Access Control Services and Tags:

  1. Navigate to the Tenants view
  2. Select the Tenant you require then select the Settings coApp

  3. Click on Delete

  4. Click OK to confirm you wish to delete the Tenant

    This will delete the Tenant and the associated Access Control Service and Tag from VQ Conference Manager.

Deleting manually created ACL Services and Tags:

  1. Navigate to System >ACLs
  2. Select the ACL Service and Tag you require
  3. Click OK to confirm you wish to delete the Access Control Service/Tag you have selected