Author Topic: Security system of Call Accounting Mate  (Read 13648 times)

sergey

  • Moderator
  • Sr. Member
  • *****
  • Offline Offline
  • Posts: 48
    • View Profile
Security system of Call Accounting Mate
« on: September 07, 2005, 06:23:48 AM »
Call Accounting Mate has own security subsystem allowing it to authenticate and authorize users. Every user that needs access to system data is required to log into the system prior to using online views, reports, change settings etc. To be able to log in a user needs to have security account, which is defined by login name, password and security role. To manage security accounts  'Configuration/Security Accounts' page is used.

There are 2 security roles in CAM: 'Users' and 'Administrators'. Every account  in the system belongs to either of these 2 roles. Accounts belonging to the 'Administrators' role are permitted to do any activity in the system and also, obviously, these accounts are allowed to view any calls data with no restrictions. Security accounts belonging to the 'Users' role are allowed to access only some of online views and reports and has no access to the system settings and configuration parameters. Also accounts belonging to the 'Users' role are restricted to view only some of calls data. By default these security accounts has no permissions to view any data in the system. This means that by default all reports and views will be empty when logged in as account from 'Users' role. In case it is necessary to allow an  account from 'Users' role to generate reports or use online views administrator of the system should setup permissions to view data for such account.

Data view permissions are extension based, which means that administrator can allow security account  to view calls data for a certain extension or several extensions.

Extension numbers with human readable names assigned to them are referred as users in Call Accounting Mate. Such users records are grouped in departments, thus department is group of extensions with their names. To manage user and department records Settings/Departments/Users page is used.

To manage data view permissions administrator should add or remove a security account to or from access list of a department or an user using the access list editor(exact procedure is described below). When a security account is present in the access list of a department or an user record this means that this account is allowed to view calls of this department or user. If a security account is not in the access list this means that it can't access those calls. There is no deny records in the access lists: if an account is in list it is allowed to view data, if not – not.

Naturally, user records inherit their permissions defined at department level, which means if, for example, department D1 consists of users U1, U2 and U3 and account A1 is permitted to view data of department D1 then A1 is permitted to view data of U1, U2 and U3. To give administrator more flexibility it is possible to manage data view permissions at users level. For example, in the sample above administrator can add account A2 to the U1 access list, which leads to the following picture:
Department/User   Access List   Meaning   
D1A1A1 is permitted to view data of department D1
U1A1, A2A1 and A2 is permitted to view data of user U1
U2A1A1 is permitted to view data of user U2
U3A1A1 is permitted to view data of user U3
Here U1, U2 and U3 inherit A1 from their parent department D1 and the U1 has additionally A2 explicitly permitted to view data of the U1.

Note that you can't deny access to the users data for an account, which granted access at department level. For example, it is not possible to deny access to U3 for A1, because A1 is permitted to view data of department D1, which U3 belongs to. To solve this you'll need to remove A1 from D1 access list and add it to access lists of U1 and U2.

Setup user permissions at department level
- log into the system using account, belonging to 'Administrators' security role
- open Settings/Departments/Users page
- mark a certain department in the departments list (please note that you should mark only one department to edit permissions)
- press Security button on page's bottom toolbar to invoke permissions (access list) editor for the marked department
- the editor shows name of the department being edited and 2 lists: available security accounts and accounts granted to view the department's calls data
- use '>' and '<' buttons to move accounts between lists, granting or denying access to the department calls data
- moving an account to 'Granted' list from 'Available' list grants this account permission to view department's data
- moving an account from 'Granted' list to 'Available' list denies this account permission to view department's data
- finally press Ok button in the editor to save the changes made in lists
- use Cancel button to cancel all the changes made

Setup user permissions at user(extension) level
- log into the system using account, belonging to 'Administrators' security role
- open Settings/Departments/Users page
- expand department in the departments list, for which users you want to edit view data permissions
- mark a certain user in the users list (please note that you should mark only one user to edit permissions)
- press Security button on expanded pane's bottom toolbar to invoke permissions (access list) editor for the marked user
- the editor shows name of the user being edited and 3 lists: available security accounts, accounts inherited from the parent department access list and granted to view the user's calls data and accounts explicitly granted to view the user's calls data; the 2 latter lists are located under label Inherited & Granted in the permissions editor: top list shows inherited accounts and the bottom one shows accounts explicitly added to the user's access list
- use '>' and '<' buttons to move accounts between lists, granting or denying access to the user calls data
- moving an account to 'Inherited & Granted' list from 'Available' list grants this account permission to view user's data
- moving an account from 'Inherited & Granted' list to 'Available' list denies this account permission to view user's data
- please note that all accounts in lists under 'Inherited & Granted' label are allowed to view calls data of the extension being edited
- please note that at this level you can't edit the inherited accounts and thus you can't disable an account granted at department level to view data of the user, belonging to this department
- finally press Ok button in the editor to save the changes made in lists
- use Cancel button to cancel all the changes made

Note: The above permissions is also used to manage access to calls classifier function, i.e. an account allowed to view data is also able to classify them and add  comments for them.
« Last Edit: September 07, 2005, 06:27:34 AM by sergey »

juris22

  • Newbie
  • *
  • Offline Offline
  • Posts: 1
    • View Profile
    • Email
Re: Security system of Call Accounting Mate
« Reply #1 on: September 01, 2009, 11:58:37 PM »
The technologies of computer security are based on logic. As security is not necessarily the primary goal of most computer applications, designing a program with security in mind often imposes restrictions on that program's behavior.


_________________
Home security systems