
Identity Access Management

Table of Contents
  • Overview
  • Accounts and User Roles
    • Primary Accounts & Sub Accounts
    • User Roles
    • User Permissions
  • Understanding the User Roles and Permissions for Communications Providers
  • Understanding the User Roles and Permissions for Business Customers
  • Business Customers’ Turnkey Applications Access Control
  • API Definition

Before you get started, please make sure that your CPaaS organization has Identity Access Management (IAM) enabled. If IAM is not yet enabled for your organization, please contact your Account Manager to enable it. In case your organization is still using the legacy access management, please review the Enterprise Accounts documentation.

If you would like your CPaaS organization, and your Business Customers to be migrated to Identity Access Management, please check out the IAM Migration Guide.

Overview

Identity Access Management allows Communications Providers (CPs) and their Business Customers to create and manage users with specific roles and permissions to manage access to their CPaaS account’s resources.

Communications Providers can create users with different roles under their Primary Account. In addition, they can set up Sub Accounts for their Business Customers. Each Business Customer Sub Account can create users and set their roles independently.

To access assigned resources via the available CPaaS APIs, each user can create API Access Keys. Access keys are long-term credentials for an IAM user. Access keys consist of two parts: an access key ID and a secret access key.

Like a username and password, the access key ID and secret access key must be used together to authenticate API requests. Protect access keys as carefully as you would a username and password.

When users create an access key pair, they need to save the access key ID and secret access key in a secure location. The secret access key is available only once, at the time of creation. If a secret access key is lost, it must be deleted and a new one should be created.

Users can create, modify and delete their access keys and have a maximum of two access keys at any given time. This allows users to rotate the active keys according to security best practices.
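The rotation sequence that the two-key limit makes possible, as an added example that is not part of the original documentation. `KeyStore` is an in-memory stand-in for the API Keys endpoints, and the key ID format, the vault dictionary and the consumer name are constructed for illustration.

```python
import hashlib
import hmac
import secrets

MAX_KEYS = 2  # per-user limit stated on this page

class KeyStore:
    """In-memory stand-in for the API Keys endpoints (hypothetical, not the real API)."""

    def __init__(self):
        self._digests = {}  # access key ID -> SHA-256 of the secret access key

    def create(self):
        if len(self._digests) >= MAX_KEYS:
            raise RuntimeError("two keys already exist; delete one first")
        key_id = "AK" + secrets.token_hex(8)      # constructed ID format
        secret = secrets.token_urlsafe(32)
        self._digests[key_id] = hashlib.sha256(secret.encode()).digest()
        return key_id, secret                     # the only time the secret is visible

    def delete(self, key_id):
        self._digests.pop(key_id, None)

    def authenticate(self, key_id, secret):
        stored = self._digests.get(key_id)
        given = hashlib.sha256(secret.encode()).digest()
        return stored is not None and hmac.compare_digest(stored, given)

    def count(self):
        return len(self._digests)

def rotate(store, vault, name):
    """Create the second key, verify it, switch the vault entry, then delete the old key."""
    old_id, _ = vault[name]
    new_id, new_secret = store.create()           # uses the second key slot
    if not store.authenticate(new_id, new_secret):
        store.delete(new_id)                      # roll back; old key keeps working
        raise RuntimeError("new key failed verification")
    vault[name] = (new_id, new_secret)            # consumers now read the new pair
    store.delete(old_id)                          # old key stops authenticating
    return old_id, new_id

def demo():
    store, vault = KeyStore(), {}
    vault["billing-job"] = store.create()         # constructed consumer name
    old_secret = vault["billing-job"][1]
    old_id, new_id = rotate(store, vault, "billing-job")
    return store, vault, old_id, old_secret, new_id
```

Because `rotate` needs the free second slot, a user who already holds two keys has to delete the unused one before rotating.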

IAM Accounts Hierarchy

Accounts and User Roles

Primary Accounts & Sub Accounts

Primary Account Administrator (CP) users can create Sub Accounts for their Business Customers under the same CPaaS organization. They can also create and manage users on behalf of the Business Customer’s sub account and enable or disable their access to Platform and Turnkey Applications resources.

User Roles

A user role represents a set of permissions the user has to various Platform and Turnkey Applications resources.

A Communications Provider’s users can have any of the following roles:

  • Administrator

  • Developer

  • ProvisioningAgent

A Business Customer’s users can have any of the roles below:

  • Administrator

  • Developer

  • Turnkey Applications Administrator

  • Turnkey Applications Developer

User Permissions

The user permissions represent the level of user access to various Platform and Turnkey Applications resources.

Understanding the User Roles and Permissions for Communications Providers

The diagram below outlines the relationship between the Communications Provider’s CPaaS Primary Account and the users created under it.

IAM for CPs

The following table specifies the Communications Provider user permissions to the Platform and Turnkey Applications resources based on their role.

| Capability | Availability at that Account Hierarchy Level | Administrator | Developer | ProvisioningAgent |
|---|---|---|---|---|
| Platform Resources | | | | |
| Account Settings | Yes | read only | read only | read only |
| Tags | Yes | read/write | no access | no access |
| API Credentials | Yes | read/write | read/write | read/write |
| Audit API | Yes | read only | no access | no access |
| Feature Access Control Management | No | no access | no access | no access |
| User Management | Yes | read/write | no access | no access |
| Role Access | Yes | Communications Provider Administrator; Communications Provider Developer; Communications Provider Provisioning Agent | no access | no access |
| Whitelabeling Settings | Yes | read/write | no access | no access |
| BYOC Settings | Yes | read/write | read/write | no access |
| Manage Enterprise Accounts | Yes | read/write | read/write | read/write |
| Turnkey Applications Enablement Management | Yes | read/write | no access | no access |
| Manage Applications | Yes | read/write | read/write | read/write |
| Manage Numbers | Yes | read/write | read/write | read/write |
| Manage SIP/WebRTC Clients | Yes | read/write | read/write | read/write |
| Programmable SMS | Yes | read/write | read/write | no access |
| Programmable Voice | Yes | read/write | read/write | no access |
| Call Logs | Yes | read only | read only | read only |
| SMS Logs | Yes | read only | read only | read only |
| SMS Logs Content | Yes | read only | read only | no access |
| Recordings | Yes | read/write | read/write | read only |
| Recordings Content | Yes | read only | read only | no access |
| Usage | Yes | read only | read only | read only |
| Notifications | Yes | read only | read only | read only |
| OutgoingCallerIDs | Yes | read/write | read/write | no access |
| Visual Designer | Yes | read/write | read/write | no access |
| Turnkey Applications | | | | |
| Message Exchange | | | | |
| MX-Provisioning | read/write | read/write | no access | read/write |
| MX-Usage Records | read only | read only | no access | read only |
| MX-Search and Usage record all endpoints all levels | no access | no access | no access | no access |
| MX Traffic Routing Provisioning | no access | no access | no access | no access |
| Auto Attendant | | | | |
| AA-Provisioning | read/write | read/write | no access | read/write |
| AA-System | read/write | read/write | no access | read/write |
| AA-Usage Records | read only | read only | no access | read only |
| AA-Enterprise And User | read/write | read/write | no access | read/write |
| AA-Search and Usage Records | no access | no access | no access | no access |
| Number Masking | | | | |
| NM-Provisioning | read/write | read/write | no access | read/write |
| NM-Usage Records | read only | read only | no access | read only |
| NM-Enterprise And User | read/write | read/write | no access | read/write |
| Task Router | | | | |
| TR-Provisioning | read/write | read/write | no access | read/write |
| TR-Usage Records | read only | read only | no access | read only |
| TR-Enterprise And User | read/write | read/write | no access | read/write |
| TR-Search and Usage Records | no access | no access | no access | no access |
| Message Exchange for Cisco Webex | | | | |
| WEBEX-Provisioning | read/write | read/write | no access | read/write |
| WEBEX-Usage Records | read only | read only | no access | read only |
| WEBEX-Enterprise And User | read/write | read/write | no access | read/write |
| Webex Traffic Routing Provisioning | no access | no access | no access | no access |
| Smart 2FA | | | | |
| 2FA-Traffic (send/verify/cancel) | read/write | read/write | no access | no access |
| 2FA-Limit Provisioning; 2FA-WorkFlow Provisioning | read/write | read/write | no access | read/write |
| 2FA-Usage Records | read only | read only | no access | read only |
| Campaign Manager | | | | |
| Campaign Manager-Provisioning | read/write | read/write | no access | read/write |
| Campaigns | no access | no access | no access | no access |
| Usage Records | read only | read only | no access | read only |

Understanding the User Roles and Permissions for Business Customers

The diagram below outlines the relationship between the Business Customer’s CPaaS Sub Account and the users created under it.

Be aware that only users with an Administrator role are allowed to create other users under the same sub account.

Only users with an Administrator role can have full access to the Platform and Turnkey Applications resources.

IAM for BCs

Business Customers’ Turnkey Applications Access Control

Communications Providers can manage access to Turnkey Applications for their Business Customers through a Management profile that can be associated with their Sub Accounts under their CPaaS organization.

As depicted in the following diagram, Communications Providers can set up Profiles featuring access to different combinations of Turnkey Applications. The Profiles can then be assigned to specified Business Customers.

You can find out more information on how to set this up at the Profiles API documentation.

Turnkey FAC

As of today, Communications Providers can enable or disable access for their Business Customers to each of the Turnkey Applications through the Profiles API. In the future, the Identity Access Management API and web UI will allow CPs to choose from a broader set of permissions targeting the various platform functionalities.

The following table specifies the Business Customer user permissions to the Platform and Turnkey Applications resources based on their role.

| Capability | Availability at that Account Hierarchy Level | Administrator | Developer | Turnkey Applications Administrator | Turnkey Applications Developer |
|---|---|---|---|---|---|
| Platform Resources | | | | | |
| Account Settings | Yes | read only | read only | no access | no access |
| API Credentials | Yes | read/write | read/write | no access | no access |
| Audit API | No | no access | no access | no access | no access |
| Feature Access Control Management | No | no access | no access | no access | no access |
| User Management | Yes | read/write | no access | read/write | no access |
| Role Access | Yes | Business Customer Administrator; Business Customer Developer; Business Customer Turnkey Applications Administrator; Business Customer Turnkey Applications Developer | no access | Business Customer Turnkey Applications Administrator; Business Customer Turnkey Applications Developer | no access |
| Whitelabeling Settings | No | no access | no access | no access | no access |
| BYOC Settings | No | no access | no access | no access | no access |
| Manage Enterprise Accounts | No | no access | no access | no access | no access |
| Communications Partner Organization/Account Management | No | no access | no access | no access | no access |
| Turnkey Applications Enablement Management | No | no access | no access | no access | no access |
| Manage Applications | Yes | read/write | read/write | no access | no access |
| Manage Numbers | Yes | read/write | read/write | no access | no access |
| Manage SIP/WebRTC Clients | Yes | read/write | read/write | no access | no access |
| Programmable SMS | Yes | read/write | read/write | no access | no access |
| Programmable Voice | Yes | read/write | read/write | no access | no access |
| Call Logs | Yes | read only | read only | no access | no access |
| SMS Logs | Yes | read only | read only | no access | no access |
| SMS Logs Content | Yes | read only | read only | no access | no access |
| Recordings | Yes | read/write | read/write | no access | no access |
| Recordings Content | Yes | read only | read only | no access | no access |
| Usage | Yes | read only | read only | no access | no access |
| Notifications | Yes | read only | read only | no access | no access |
| OutgoingCallerIDs | No | no access | no access | no access | no access |
| Visual Designer | Yes | read/write | read/write | no access | no access |
| Turnkey Applications | | | | | |
| Auto Attendant | | | | | |
| AA-Provisioning | read/write | no access | no access | read/write | read/write |
| AA-System | read only | no access | no access | read only | read only |
| AA-Usage Records | read only | no access | no access | read only | read only |
| AA-Enterprise And User | read only | no access | no access | read only | read only |
| Number Masking | | | | | |
| NM-Provisioning | read/write | no access | no access | read/write | no access |
| NM-Usage records | read only | no access | no access | read only | no access |
| NM-Enterprise And User | read only | no access | no access | read only | no access |
| Task Router | | | | | |
| TR-Provisioning | read/write | no access | no access | read/write | no access |
| TR-Usage Records | read only | no access | no access | read only | no access |
| TR-Enterprise And User | no access | no access | no access | no access | no access |
| Smart 2FA | | | | | |
| 2FA-Traffic (send/verify/cancel) | read/write | no access | no access | read/write | no access |
| 2FA-Limit Provisioning; 2FA-WorkFlow Provisioning | read/write | no access | no access | read/write | no access |
| 2FA-Usage Records | read only | no access | no access | read only | no access |
| Campaign Manager | | | | | |
| Campaign Manager-Provisioning | no access | no access | no access | no access | no access |
| Campaigns | read/write | no access | no access | read/write | no access |
| Usage Records | read only | no access | no access | read only | no access |

API Definition

Getting Started with the Identity Access Management API
