Identity Access Management
Before you get started, please make sure that your CPaaS organization has Identity Access Management (IAM) enabled. If IAM is not yet enabled for your organization, please contact your Account Manager to enable it. In case your organization is still using the legacy access management, please review the Enterprise Accounts documentation. If you would like your CPaaS organization and your Business Customers to be migrated to Identity Access Management, please check out the IAM Migration Guide.
Overview
Identity Access Management allows Communications Providers (CPs) and their Business Customers to create and manage users with specific roles and permissions to manage access to their CPaaS account’s resources.
Communications Providers can create users with different roles under their Primary Account. In addition, they can set up Sub Accounts for their Business Customers. Each Business Customer Sub Account can create users and set their roles independently.
To access assigned resources via the available CPaaS APIs, each user can create API Access Keys. Access keys are long-term credentials for an IAM user. Access keys consist of two parts: an access key ID and a secret access key.
Like a username and password, users must use both the access key ID and secret access key together to authenticate API requests. Manage access keys as securely as you would a username and password.
When users create an access key pair, they need to save the access key ID and secret access key in a secure location. The secret access key is available only once, at the time of creation. If a secret access key is lost, it must be deleted and a new one should be created.
Users can create, modify and delete their access keys and have a maximum of two access keys at any given time. This allows users to rotate the active keys according to security best practices.
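The rotation sequence that the two-key limit allows, as an added example (not code from the CPaaS platform or its API). The `AccessKey` record, the `last_used` field, the ability to deactivate a key, and the 90-day and 7-day thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

MAX_KEYS = 2  # per-user limit stated on this page

@dataclass
class AccessKey:
    key_id: str                           # constructed IDs, not real credentials
    created: datetime
    active: bool = True                   # assumption: "modify" can deactivate a key
    last_used: Optional[datetime] = None  # assumption: derived from your own request logs

def next_rotation_step(keys: List[AccessKey], now: datetime,
                       max_age: timedelta = timedelta(days=90),  # assumed policy value
                       quiet: timedelta = timedelta(days=7),     # assumed policy value
                       ) -> Tuple[str, Optional[str]]:
    """Return (action, key_id) for the next safe step of a two-slot rotation."""
    if len(keys) > MAX_KEYS:
        raise ValueError("more keys than the documented limit of two")
    if not keys:
        return ("create", None)
    ordered = sorted(keys, key=lambda k: k.created)
    old, new = ordered[0], ordered[-1]
    if len(keys) == 1:
        # The second slot is free: create the replacement before touching the old key.
        due = (not old.active) or (now - old.created >= max_age)
        return ("create", None) if due else ("none", None)
    if not new.active:
        return ("review", new.key_id)      # never retire the old key while the new one is off
    if old.active:
        if old.last_used and now - old.last_used < quiet:
            return ("wait", old.key_id)    # some client still authenticates with it
        return ("deactivate", old.key_id)  # reversible step before deletion
    return ("delete", old.key_id)          # frees the slot for the next rotation

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed sample inventory
    keys = [
        AccessKey("AK_SAMPLE_OLD", now - timedelta(days=120), last_used=now - timedelta(days=1)),
        AccessKey("AK_SAMPLE_NEW", now - timedelta(days=2), last_used=now),
    ]
    print(next_rotation_step(keys, now))
```

Because the secret access key is shown only once, the "create" step is the moment to store the new secret in a secrets manager before any client is switched over.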

Accounts and User Roles
Primary Accounts & Sub Accounts
Primary Account Administrator (CP) users can create Sub Accounts for their Business Customers under the same CPaaS organization. They can also create and manage users on behalf of the Business Customer’s Sub Account and enable or disable their access to Platform and Turnkey Applications resources.
User Roles
A user role represents a set of permissions the user has to various Platform and Turnkey Applications resources.
A Communications Provider’s users can have any of the following roles:
- Administrator
- Developer
- ProvisioningAgent
A Business Customer’s users can have any of the roles below:
- Administrator
- Developer
- Turnkey Applications Administrator
- Turnkey Applications Developer
Understanding the User Roles and Permissions for Communications Providers
The diagram below outlines the relationship between the Communications Provider’s CPaaS Primary Account and the users created under it.

The following table specifies the Communications Provider user permissions to the Platform and Turnkey Applications resources based on their role.
| Capability | Availability at that Account Hierarchy Level | Administrator | Developer | ProvisioningAgent |
|---|---|---|---|---|
| Account Settings | Yes | read only | read only | read only |
| Tags | Yes | read/write | no access | no access |
| API Credentials | Yes | read/write | read/write | read/write |
| Audit API | Yes | read only | no access | no access |
| Feature Access Control Management | No | no access | no access | no access |
| User Management | Yes | read/write | no access | no access |
| Role Access | Yes | - Communications Provider Administrator | no access | no access |
| Whitelabeling Settings | Yes | read/write | no access | no access |
| BYOC Settings | Yes | read/write | read/write | no access |
| Manage Enterprise Accounts | Yes | read/write | read/write | read/write |
| Turnkey Applications Enablement Management | Yes | read/write | no access | no access |
| Manage Applications | Yes | read/write | read/write | read/write |
| Manage Numbers | Yes | read/write | read/write | read/write |
| Manage SIP/WebRTC Clients | Yes | read/write | read/write | read/write |
| Programmable SMS | Yes | read/write | read/write | no access |
| Programmable Voice | Yes | read/write | read/write | no access |
| Call Logs | Yes | read only | read only | read only |
| SMS Logs | Yes | read only | read only | read only |
| SMS Logs Content | Yes | read only | read only | no access |
| Recordings | Yes | read/write | read/write | read only |
| Recordings Content | Yes | read only | read only | no access |
| Usage | Yes | read only | read only | read only |
| Notifications | Yes | read only | read only | read only |
| OutgoingCallerIDs | Yes | read/write | read/write | no access |
| Visual Designer | Yes | read/write | read/write | no access |
| Message Exchange | | | | |
| MX-Provisioning | read/write | read/write | no access | read/write |
| MX-Usage Records | read only | read only | no access | read only |
| MX-Search and Usage record all endpoints all levels | no access | no access | no access | no access |
| MX Traffic Routing Provisioning | no access | no access | no access | no access |
| Auto Attendant | | | | |
| AA-Provisioning | read/write | read/write | no access | read/write |
| AA-System | read/write | read/write | no access | read/write |
| AA-Usage Records | read only | read only | no access | read only |
| AA-Enterprise And User | read/write | read/write | no access | read/write |
| AA-Search and Usage Records | no access | no access | no access | no access |
| Number Masking | | | | |
| NM-Provisioning | read/write | read/write | no access | read/write |
| NM-Usage Records | read only | read only | no access | read only |
| NM-Enterprise And User | read/write | read/write | no access | read/write |
| Task Router | | | | |
| TR-Provisioning | read/write | read/write | no access | read/write |
| TR-Usage Records | read only | read only | no access | read only |
| TR-Enterprise And User | read/write | read/write | no access | read/write |
| TR-Search and Usage Records | no access | no access | no access | no access |
| Message Exchange for Cisco Webex | | | | |
| WEBEX-Provisioning | read/write | read/write | no access | read/write |
| WEBEX-Usage Records | read only | read only | no access | read only |
| WEBEX-Enterprise And User | read/write | read/write | no access | read/write |
| Webex Traffic Routing Provisioning | no access | no access | no access | no access |
| Smart 2FA | | | | |
| 2FA-Traffic | read/write | read/write | no access | no access |
| 2FA-Limit Provisioning | read/write | read/write | no access | read/write |
| 2FA-Usage Records | read only | read only | no access | read only |
| Campaign Manager | | | | |
| Campaign Manager-Provisioning | read/write | read/write | no access | read/write |
| Campaigns | no access | no access | no access | no access |
| Usage Records | read only | read only | no access | read only |
Understanding the User Roles and Permissions for Business Customers
The diagram below outlines the relationship between the Business Customer’s CPaaS Sub Account and the users created under it.
Be aware that only users with an Only users with an |

Business Customers’ Turnkey Applications Access Control
Communications Providers can manage access to Turnkey Applications for their Business Customers through a Management profile that can be associated with their Sub Accounts under their CPaaS organization.
As depicted in the following diagram, Communications Providers can set up Profiles featuring access to different combinations of Turnkey Applications. The Profiles can then be assigned to specified Business Customers.
You can find more information on how to set this up in the Profiles API documentation.

As of today, Communications Providers can enable or disable access for their Business Customers to each one of the Turnkey Applications through the Profiles API. In the future the Identity Access Management API and web UI will allow CPs to choose from a broader set of permissions targeting the various platform functionalities.
The following table specifies the Business Customer user permissions to the Platform and Turnkey Applications resources based on their role.
| Capability | Availability at that Account Hierarchy Level | Administrator | Developer | Turnkey Applications Administrator | Turnkey Applications Developer |
|---|---|---|---|---|---|
| Account Settings | Yes | read only | read only | no access | no access |
| API Credentials | Yes | read/write | read/write | no access | no access |
| Audit API | No | no access | no access | no access | no access |
| Feature Access Control Management | No | no access | no access | no access | no access |
| User Management | Yes | read/write | no access | read/write | no access |
| Role Access | Yes | - Business Customer Administrator | no access | - Business Customer Turnkey Applications Administrator | no access |
| Whitelabeling Settings | No | no access | no access | no access | no access |
| BYOC Settings | No | no access | no access | no access | no access |
| Manage Enterprise Accounts | No | no access | no access | no access | no access |
| Communications Partner Organization/Account Management | No | no access | no access | no access | no access |
| Turnkey Applications Enablement Management | No | no access | no access | no access | no access |
| Manage Applications | Yes | read/write | read/write | no access | no access |
| Manage Numbers | Yes | read/write | read/write | no access | no access |
| Manage SIP/WebRTC Clients | Yes | read/write | read/write | no access | no access |
| Programmable SMS | Yes | read/write | read/write | no access | no access |
| Programmable Voice | Yes | read/write | read/write | no access | no access |
| Call Logs | Yes | read only | read only | no access | no access |
| SMS Logs | Yes | read only | read only | no access | no access |
| SMS Logs Content | Yes | read only | read only | no access | no access |
| Recordings | Yes | read/write | read/write | no access | no access |
| Recordings Content | Yes | read only | read only | no access | no access |
| Usage | Yes | read only | read only | no access | no access |
| Notifications | Yes | read only | read only | no access | no access |
| OutgoingCallerIDs | No | no access | no access | no access | no access |
| Visual Designer | Yes | read/write | read/write | no access | no access |
| Auto Attendant | | | | | |
| AA-Provisioning | read/write | no access | no access | read/write | read/write |
| AA-System | read only | no access | no access | read only | read only |
| AA-Usage Records | read only | no access | no access | read only | read only |
| AA-Enterprise And User | read only | no access | no access | read only | read only |
| Number Masking | | | | | |
| NM-Provisioning | read/write | no access | no access | read/write | no access |
| NM-Usage records | read only | no access | no access | read only | no access |
| NM-Enterprise And User | read only | no access | no access | read only | no access |
| Task Router | | | | | |
| TR-Provisioning | read/write | no access | no access | read/write | no access |
| TR-Usage Records | read only | no access | no access | read only | no access |
| TR-Enterprise And User | no access | no access | no access | no access | no access |
| Smart 2FA | | | | | |
| 2FA-Traffic | read/write | no access | no access | read/write | no access |
| 2FA-Limit Provisioning | read/write | no access | no access | read/write | no access |
| 2FA-Usage Records | read only | no access | no access | read only | no access |
| Campaign Manager | | | | | |
| Campaign Manager-Provisioning | no access | no access | no access | no access | no access |
| Campaigns | read/write | no access | no access | read/write | no access |
| Usage Records | read only | no access | no access | read only | no access |