AdminGuide:BasicConcepts:Users and roles


Users

Access to the KalliopePBX GUI (as well as CTI services, LDAP phonebook, etc.) is granted to users. There are two kinds of users: built-in and custom users. Built-in users include administrative and service users, whose roles are usually predefined and not modifiable, whereas custom users are additional users that can be created and assigned to custom roles.

Each user has one or more associated access permissions among GUI, CTI, and API.

  • GUI: GUI access means that the user can log into the KalliopePBX web interface; GUI access also grants the user permission to access the integrated LDAP server.
  • CTI: CTI access allows the user to use the Kalliope applications (CTI, Logger, Supervisor Panel), which connect to the PBX using the CTI socket and protocol.
  • API: API access allows the user to invoke the KalliopePBX REST APIs available at http[s]://<PBX IP>/rest/ (see REST API).

Built-in users

The primary built-in user is admin (whose default password is "admin"), used to access the GUI after the first firmware installation. This is the main technical figure and is commonly used to perform the system configuration. Additional users may have the rights to perform configuration tasks, but they can be limited to specific GUI panels only, according to the Role they are granted.

The following table lists the built-in users along with their access permissions. (Note: (+) means that this access permission is assigned and cannot be revoked; (-) means that the permission may or may not be granted.)

Username: admin
Access permissions: GUI (+), CTI (+), API (+)
Notes: This is the main technical user. They have full privileges on PBX configuration both for system (network, network services) and telephony (entities, services, etc.). They have full access to logs and records, but they have some limitations regarding aspects related to the privacy of the users. Firstly, they cannot see the external telephone numbers in the CDR in full, but are only able to view them with the last three digits replaced by "xxx"; secondly, the "admin" user does not have access to Call Recording configuration and files, which is limited to the "privacyadmin" user (and delegated users).

Username: privacyadmin
Access permissions: GUI (-), API (-)
Notes: This user has full access to the external telephone numbers of the CDR, and is the only one who can configure call recording authorization. They can also access call recording records, download and listen to the recorded calls, as well as grant other users "privacy" permissions, which gives them access to full numbers in the CDR and to the list of recorded calls and the corresponding files.

Username: phonebook
Access permissions: GUI (-), API (-)
Notes: This user has read access to the KalliopePBX phonebook. It has to be explicitly enabled from the "System Settings" -> "Users Management" panel, assigning it a password and the required access permissions. N.B.: GUI permission also grants the right to access the integrated LDAP server, where the KalliopePBX phonebook is published (according to the settings in the "Phonebook" -> "LDAP Settings" panel). The "phonebook" user is mainly useful to have a single identity (configurable through provisioning) used by telephones to access the KalliopePBX phonebook using LDAP.

Username: click2call
Access permissions: GUI (-), API (-)
Notes: This user is useful when using third party applications to send click-to-call commands (using the REST API /rest/phoneServices/c2c/{dest_exten}/{source_exten}) to KalliopePBX through a single user with limited privileges.

Multi-tenant

During Multitenant license activation, the PBX and the tenant entities, previously bundled under a single administrative entity, are separated and a new built-in user pbxadmin is created (with default password "admin").

Management of the PBX as a system is granted to the new "pbxadmin" user, who has both GUI and CTI permissions, whereas the "admin" user retains control of the telephone service configuration for the tenant. Since multiple tenants can be created, each with its own "admin", it is necessary to extend the username to specify the relevant tenant domain. The predefined existing tenant domain is "default", so the predefined built-in users become admin@default, privacyadmin@default, etc.

For each new tenant created (e.g. with domain "sampledomain"), several new users are generated, namely admin@sampledomain, privacyadmin@sampledomain, phonebook@sampledomain, and so on.

The admin@default and admin@sampledomain users are completely independent and each one can only manage their own tenant.

N.B.: if a user does not specify the domain when logging in (e.g. uses "admin" instead of "admin@somedomain"), then it is assumed to belong to the default domain and authentication is performed accordingly.

Custom users

Additional users can be created. Currently, custom users must be associated with an Extension. Custom users can be created in the "Edit Extension" panel, defining a unique username (within the tenant) and assigning GUI, CTI and/or API access permissions. By default, all custom users are created with the standard "Tenant User" role, but a different one can be selected among those available. As detailed below, roles are managed in the "System Settings" -> "Roles Management" panel, where different access permissions (none/list/read/write) can be assigned for each panel of the GUI, allowing the admin to delegate some configuration tasks to selected users.

Users configuration

[Image: GUI users panel]

During the creation of an extension, the "create local user" box is selected and a new GUI user is automatically created with the credentials set during creation.

To edit and manage these users, you need to access the GUI users management in the System settings menu.

Through the users configuration page, you can:

  • edit the credentials (username and password) necessary to access the GUI and the clients;
  • assign a role and the relative read/write permissions;
  • enable/disable access to the GUI and the clients;
  • assign the following licenses: KalliopeCTI Pro, KalliopeCTI Phone, Kalliope Attendant Console CTI, Kalliope Attendant Console Phone.

Once created, custom users cannot be edited from the "Edit extension" panel, but they appear in the "System Settings" -> "Users Management" panel, along with the built-in ones.

User authentication

User authentication is performed with a password check, using one of the two available authentication methods.

The first method is "Local Authentication": the user password is handled by the PBX, and its hash is stored in the internal database for authentication. This is the only available authentication method for the "admin" user.

KalliopePBX can also authenticate users with external services; the supported external authentication services are Microsoft Active Directory and LDAP servers. External authentication services are defined on a per-tenant basis, so they need to handle usernames of the form "user@tenant_domain".
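The two rules stated above, that a login without a domain belongs to the "default" tenant and that local authentication stores only a password hash, can be modelled in a few lines. The following is an added example, not KalliopePBX code: the store, the PBKDF2 parameters and the function names are constructed for illustration, and the sample accounts are invented (the "admin"/"admin" pair only mirrors the documented default).

```python
"""Tenant-aware login resolution and local password verification (illustrative)."""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

DEFAULT_TENANT = "default"       # domain assumed when the login carries none
PBKDF2_ROUNDS = 200_000          # constructed value for the example


def parse_login(login: str) -> tuple[str, str]:
    """Split "user@tenant" into (user, tenant); a bare "user" maps to the default tenant."""
    login = login.strip()
    if "@" in login:
        user, _, tenant = login.rpartition("@")
        if not user or not tenant:
            raise ValueError("malformed login")
        return user, tenant
    if not login:
        raise ValueError("empty login")
    return login, DEFAULT_TENANT


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); only these are stored, never the clear-text password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class LocalAuthStore:
    """Per-tenant store of (salt, digest) pairs keyed by (tenant, user).

    Two tenants may each have an "admin"; the records never collide because the
    tenant is part of the key, which is what makes admin@default and
    admin@sampledomain independent identities.
    """

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], tuple[bytes, bytes]] = {}

    def add_user(self, tenant: str, user: str, password: str) -> None:
        self._records[(tenant, user)] = hash_password(password)

    def authenticate(self, login: str, password: str) -> Optional[tuple[str, str]]:
        """Return (user, tenant) on success, None on any failure."""
        user, tenant = parse_login(login)
        record = self._records.get((tenant, user))
        if record is None:
            # Do the same amount of work for an unknown account so that a
            # missing user is not distinguishable from a wrong password by timing.
            hash_password(password, b"\x00" * 16)
            return None
        salt, stored = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            return user, tenant
        return None


def build_demo_store() -> LocalAuthStore:
    """Constructed sample data: the default tenant and one extra tenant."""
    store = LocalAuthStore()
    store.add_user("default", "admin", "admin")            # documented factory default
    store.add_user("sampledomain", "admin", "other-secret")  # invented password
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.authenticate("admin", "admin"))                 # ('admin', 'default')
    print(s.authenticate("admin@sampledomain", "admin"))    # None: tenants are independent
```

Note that "admin" and "admin@default" resolve to the same record, while the same password fails against admin@sampledomain: the check is scoped to the tenant named in the login, never to "any tenant with that username".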

Roles

Each user is assigned a role, which determines their permissions in terms of access to the various panels. Since their permissions are fixed, built-in users have built-in roles (currently not assignable to custom users).

Custom users by default have the "Tenant User" (or simply "User") role, which is built-in and not modifiable. This role grants the user the right to access their own CDR and the local, shared, and personal phonebooks.

Additional roles ("Power User" roles) can be created and assigned to the custom users. Each role has a priority attribute (an integer value between 1 and 99; standard users have priority 0, whereas the tenant admin has 100) which is used to resolve contention of the Configuration Lock when multiple users need to perform configuration operations on the PBX. Users can acquire the Configuration Lock even if it is currently held by another user, provided that their role priority is higher than that of the user currently holding the lock. Note that acquiring the lock currently held by another user drops all the pending changes made by that user.

Roles configuration

[Image: Roles page]

To configure a role, you must first set a priority from 0 to 99. Users with a higher priority can take the lock from users with a lower priority, and the latter's unsaved changes will be lost.
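The lock contention rule described here and in the Roles section above (a strictly higher role priority takes the lock; the previous holder's unsaved changes are dropped) is small enough to model end to end. This is an added example, not KalliopePBX code: the class, the audit trail and the user names are constructed, and the 0/1-99/100 priority bands follow the text.

```python
"""Configuration Lock with role-priority preemption (illustrative model)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Holder:
    user: str
    priority: int                       # 0 standard user, 1-99 power-user roles, 100 tenant admin
    pending: list[str] = field(default_factory=list)   # unsaved configuration changes


class ConfigurationLock:
    def __init__(self) -> None:
        self.holder: Optional[Holder] = None
        self.audit: list[str] = []      # constructed: a trail of every take-over and denial

    def acquire(self, user: str, priority: int) -> bool:
        """Take the lock if it is free, re-entrant for the holder, or if priority is strictly higher."""
        if not 0 <= priority <= 100:
            raise ValueError("priority must be between 0 and 100")
        if self.holder is None:
            self.holder = Holder(user, priority)
            self.audit.append(f"{user} acquired free lock")
            return True
        if self.holder.user == user:
            return True
        if priority > self.holder.priority:
            dropped = len(self.holder.pending)
            self.audit.append(
                f"{user} (prio {priority}) took lock from {self.holder.user} "
                f"(prio {self.holder.priority}); {dropped} pending change(s) dropped"
            )
            self.holder = Holder(user, priority)   # previous pending list is discarded
            return True
        self.audit.append(
            f"{user} (prio {priority}) denied; lock held by {self.holder.user} "
            f"(prio {self.holder.priority})"
        )
        return False

    def stage(self, user: str, change: str) -> None:
        """Record an unsaved change; only the current holder may do so."""
        if self.holder is None or self.holder.user != user:
            raise PermissionError(f"{user} does not hold the configuration lock")
        self.holder.pending.append(change)

    def commit(self, user: str) -> list[str]:
        """Apply the holder's pending changes and release the lock."""
        if self.holder is None or self.holder.user != user:
            raise PermissionError(f"{user} does not hold the configuration lock")
        changes = self.holder.pending
        self.holder = None
        self.audit.append(f"{user} committed {len(changes)} change(s) and released lock")
        return changes


def demo() -> list[str]:
    """Constructed scenario: equal priority is refused, higher priority preempts."""
    lock = ConfigurationLock()
    lock.acquire("alice", 10)
    lock.stage("alice", "add extension 201")
    lock.acquire("bob", 10)      # refused: not strictly higher
    lock.acquire("carol", 50)    # succeeds: alice's staged change is lost
    lock.commit("carol")
    return lock.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit list is the part worth keeping in a real system: a take-over silently discards another administrator's work, so the event that caused it should be visible afterwards.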

Custom roles can be configured by selecting the level of access to each panel from those available:

  • "none": the user cannot access the panel and the link to the panel will not be displayed in the navigation menu (direct access to the panel URL is also blocked)
  • "list": the user has read access to the panel with the list of related entities (for example, the extension list) but cannot access the details of each item or perform actions on them
  • "read": the user can access both the list panel and those of the individual entries, but only in read mode
  • "write": the user has full read/write access to the related entities
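The four levels form a strict ordering (none < list < read < write), and each GUI action needs a minimum level; the point worth encoding is that "none" hides the menu link and blocks the panel URL, not just the link. The following is an added example, not KalliopePBX code: the action names, the role definitions and the rule that an unlisted panel defaults to "none" are constructed for the illustration.

```python
"""Panel access check for custom roles (illustrative model of the none/list/read/write levels)."""
from __future__ import annotations

from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    LIST = 1
    READ = 2
    WRITE = 3


# Minimum level each action requires on a panel (constructed action names).
REQUIRED: dict[str, Level] = {
    "menu_link": Level.LIST,   # link shown in the navigation menu
    "open_url": Level.LIST,    # direct access to the panel URL is blocked at "none" too
    "view_list": Level.LIST,   # list of entities, e.g. the extension list
    "view_item": Level.READ,   # details of an individual entry, read-only
    "modify": Level.WRITE,     # create / edit / delete
}


def parse_level(text: str) -> Level:
    """Map the "None / List / Read / Write" strings of the role table to a Level."""
    try:
        return Level[text.strip().upper()]
    except KeyError as exc:
        raise ValueError(f"unknown access level: {text!r}") from exc


class Role:
    def __init__(self, name: str, priority: int, permissions: dict[str, Level]) -> None:
        self.name = name
        self.priority = priority
        self.permissions = dict(permissions)

    def level(self, panel: str) -> Level:
        # Assumption for this example: a panel not listed in the role is "none",
        # so a newly added panel is never exposed by accident.
        return self.permissions.get(panel, Level.NONE)


def is_allowed(role: Role, panel: str, action: str) -> bool:
    """True when the role's level on the panel meets the action's minimum."""
    if action not in REQUIRED:
        raise ValueError(f"unknown action: {action!r}")
    return role.level(panel) >= REQUIRED[action]


def visible_menu(role: Role, panels: list[str]) -> list[str]:
    """Panels whose link appears in the navigation menu for this role."""
    return [p for p in panels if is_allowed(p and role, p, "menu_link")] if False else \
        [p for p in panels if is_allowed(role, p, "menu_link")]


def build_demo_role() -> Role:
    """Constructed role: read extensions, list queues, nothing else."""
    return Role("Helpdesk", 10, {
        "Extension management": parse_level("Read"),
        "Queue management": parse_level("List"),
    })


if __name__ == "__main__":
    r = build_demo_role()
    for panel in ["Extension management", "Queue management", "Role management"]:
        print(panel, {a: is_allowed(r, panel, a) for a in REQUIRED})
```

Checking the URL with the same function as the menu link is deliberate: a menu that hides a link while the controller still serves the page is the classic way a "none" level leaks.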

The following table lists the configurable parameters for each role.

Parameter | Description | Value
Priority | Priority assigned to the role. | Numeric (from 0 to 99)
Description | Role identifier. | Alphanumeric
Permissions (one entry per GUI area; each takes the value None / List / Read / Write)
Extension management | Enable users to manage extensions with the selected permissions. | None / List / Read / Write
Extension template management | Enable users to manage extension templates with the selected permissions.
Account management | Enable users to manage accounts with the selected permissions.
Account template management | Enable users to manage account templates with the selected permissions.
Queue management | Enable users to manage queues with the selected permissions.
Ring group management | Enable users to manage ring groups with the selected permissions.
Music on hold class management | Enable users to manage music on hold classes with the selected permissions.
VoIP domain management | Enable users to manage VoIP domains with the selected permissions.
Outbound line management | Enable users to manage outbound lines with the selected permissions.
Audio file management | Enable users to manage audio files with the selected permissions.
LCR rule management | Enable users to manage LCR rules with the selected permissions.
LCR class | Enable users to manage LCR classes with the selected permissions.
Checktime management | Enable users to manage time checks with the selected permissions.
Numbering plan management | Enable users to manage the numbering plan with the selected permissions.
Management of the custom selections in the numbering plan | Enable users to manage custom selections with the selected permissions.
Network configuration management | Enable users to manage the network configuration with the selected permissions.
SIP setting management | Enable users to manage SIP settings with the selected permissions.
IVR menu management | Enable users to manage IVR menus with the selected permissions.
Audio conference room management | Enable users to manage audio conference rooms with the selected permissions.
Audio conference room operation management | Enable users to manage audio conference room operation with the selected permissions.
Role management | Enable users to manage roles with the selected permissions.
On-call service management | Enable users to manage on-call services with the selected permissions.
General setting management | Enable users to manage general settings with the selected permissions.
GUI user management | Enable users to manage GUI users with the selected permissions.
License management | Enable users to manage licenses with the selected permissions.
Audio setting management | Enable users to manage audio settings with the selected permissions.
Switch management | Enable users to manage switches with the selected permissions.
Provisioning template management | Enable users to manage provisioning templates with the selected permissions.
Provisioning device management | Enable users to manage provisioning devices with the selected permissions.
Diagnostic tool management | Enable users to manage diagnostic tools with the selected permissions.
Shared phonebook management | Enable users to manage the shared phonebook with the selected permissions.
Call detail record viewing | Enable users to view the call detail record.
SSL setting management | Enable users to manage SSL settings with the selected permissions.
LDAP setting management | Enable users to manage LDAP settings with the selected permissions.