Overview

Identity Access Management allows Communications Providers (CPs) and their Business Customers to create and manage users with specific roles and permissions to manage access to their CPaaS account’s resources.

Communications Providers can create users with different roles under their Primary Account. In addition, they can set up Sub Accounts for their Business Customers. Each Business Customer Sub Account can create users and set their roles independently.

To access assigned resources via the available CPaaS APIs, each user can create API Access Keys. Access keys are long-term credentials for an IAM user. Access keys consist of two parts: an access key ID and a secret access key.

Like a username and password, users must use both the access key ID and secret access key together to authenticate API requests. Manage access keys as securely as would be done for username and password.

When users create an access key pair, they need to save the access key ID and secret access key in a secure location. The secret access key is available only once, at the time of creation. If a secret access key is lost, it must be deleted and a new one should be created.

Users can create, modify and delete their access keys and have a maximum of two access keys at any given time. This allows users to rotate the active keys according to security best practices.

Accounts and User Roles

Primary Accounts & Sub Accounts

Primary Account Administrator (CP) users can create Sub Accounts for their Business Customers under the same CPaaS organization. They can also create and manage users on behalf of the Business Customer’s sub account and enable or disable their access to Platform and Turnkey Applications resources.

User Roles

A user role represents a set of permissions the user has to various Platform and Turnkey Applications resources.

A Communications Provider’s users can have any of the following roles:

Administrator
Developer
ProvisioningAgent

A Business Customer’s users can have any of the roles below:

Administrator
Developer
Turnkey Applications Administrator
Turnkey Applications Developer

User Permissions

The user permissions represent the level of user access to various Platform and Turnkey Applications resources.

Understanding the User Roles and Permissions for Communications Providers

The diagram below outlines the relationship between the Communications Provider’s CPaaS Primary Account and the users created under it.

The following table specifies the Communications Provider user permissions to the Platform and Turnkey Applications resources based on their role.

Capability Availability at that Account Hierarchy Level

Administrator

Developer

ProvisioningAgent

Platform Resources

Account Settings

Yes

read only

Understanding the User Roles and Permissions for Business Customers

The diagram below outlines the relationship between the Business Customer’s CPaaS Sub Account and the users created under it.

Be aware that only users with an Administrator role are allowed to create other users under the same sub account.

Only users with an Administrator role can have full access to the Platform and Turnkey Applications resources.

Business Customers’ Turnkey Applications Access Control

Communications Providers can manage access to Turnkey Applications for their Business Customers through a Management profile that can be associated with their Sub Accounts under their CPaaS organization.

As depicted in the following diagram, Communications Providers can set up Profiles featuring access to different combinations of Turnkey Applications. The Profiles can then be assigned to specified Business Customers.

You can find out more information on how to set this up at the Profiles API documentation.

Profiles API documentation.

As of today, Communications Providers can enable or disable access for their Business Customers to each one of the Turnkey Applications through the Profiles API . In the future the Identity Access Management API and web UI will allow CPs to choose from a broader set of permissions targeting the various platform functionalities.

The following table specifies the Business Customer user permissions to the Platform and Turnkey Applications resources based on their role.

Capability Availability at that Account Hierarchy Level

Administrator

Developer

Turnkey Applications Administrator

Turnkey Applications Developer

Platform Resources

Account Settings

Yes

read only

no access

API Credentials

Yes

read/write

no access

Audit API

No

no access

Feature Access Control Management

No

no access

User Management

Yes

read/write

no access

read/write

no access

Role Access

Yes

- Business Customer Administrator
- Business Customer Developer
- Business Customer Turnkey Applications Administrator
- Business Customer Turnkey Applications Developer

no access

- Business Customer Turnkey Applications Administrator
- Business Customer Turnkey Applications Developer

no access

Whitelabeling Settings

No

no access

BYOC Settings

No

no access

Manage Enterprise Accounts

No

no access

Communications Partner Organization/Account Management

No

no access

Turnkey Applications Enablement Management

No

no access

Manage Applications

Yes

read/write

no access

Manage Numbers

Yes

read/write

no access

Manage SIP/WebRTC Clients

Yes

read/write

no access

Programmable SMS

Yes

read/write

no access

Programmable Voice

Yes

read/write

no access

Call Logs

Yes

read only

no access

SMS Logs

Yes

read only

no access

SMS Logs Content

Yes

read only

no access

Recordings

Yes

read/write

no access

Recordings Content

Yes

read only

no access

Usage

Yes

read only

no access

Notifications

Yes

read only

no access

OutgoingCallerIDs

No

no access

Visual Designer

Yes

read/write

no access

Turnkey Applications

Auto Attendant

AA-Provisioning

read/write

no access

read/write

AA-System

read only

no access

read only

AA-Usage Records

read only

no access

read only

AA-Enterprise And User

read only

no access

read only

Number Masking

NM-Provisioning

read/write

no access

read/write

no access

NM-Usage records

read only

no access

read only

no access

NM-Enterprise And User

read only

no access

read only

no access

Task Router

TR-Provisioning

read/write

no access

read/write

no access

TR-Usage Records

read only

no access

read only

no access

TR-Enterprise And User

no access

Smart 2FA

2FA-Traffic
send/verify/cancel

read/write

no access

read/write

no access

2FA-Limit Provisioning
2FA-WorkFlow Provisioning

read/write

no access

read/write

no access

2FA-Usage Records

read only

no access

read only

no access

Campaign Manager

Campaign Manager-Provisioning

no access

Campaigns

read/write

no access

read/write

no access

Usage Records

read only

no access

read only

no access

API Definition

Getting Started with the Identity Access Management API