Roles Based Access Control - Data Scope Definition & Permissions Glossary
With Roles Based Access Control (RBAC), you can now create and edit roles within the Agent Connect platform to support varied workflows and functions that may not have fit into the default Agent Connect Roles in the past. While we have retained the default Roles you’re used to (Team Member, Team Leader, and Admin), the permissions for these roles and their Data Scope settings across the application are now configurable. In addition, you’ll be able to create new Custom Roles, as needed. When creating Custom Roles, both Data Scope selections and Permissions, which determine what a user can see and do within the application, can be customized to suit your needs.
Below, we’ll cover how each Data Scope selection works to control data visibility within Agent Connect and how Permissions will be utilized to determine what users in any Default or Custom Role can see & do in the application. Together, Data Scope selections & Permissions allow you to achieve powerful, granular control while maintaining the streamlined, self-service user management capabilities you’re accustomed to today.
Data Scope
Data Scope can be set at the Default, Product Area, and in some cases, Feature levels, to ensure that you can design highly flexible Roles. Let’s learn more about each of these levels!
Default Data Scope is the primary Data Scope selection for each Role, and it determines the broadest possible data set a Role may have access to. There are 5 Default Data Scope options for you to select from, which can expand or limit the data users can see & interact with in the application. If you reduce the Default Data Scope, it will override most Product Area Scope selections, so you should treat the Default Data Scope as the maximum Data Scope a user in each Role can see & interact with. The exceptions are the specific scope selections, noted where applicable, that allow an increase in data visibility.
Product Area Data Scope limits the scope for particular product areas of the application (Feedback, QA, Performance & Coaching, Company Settings & Admin Tools, and Social). There are 5 different data scope options for you to select from. These options limit the data users can see & interact with in the application.
Company: Company Data Scope allows visibility to all employee data across the application.
Please Note: We highly recommend leaving the Default Data Scope set to Company for most Roles, and simply updating the Data Scope for each Product Area to the appropriate selection. This allows varied Data Scopes to be customized at the Product Area level. For example, if the Default Data Scope is reduced to Own Team, then selecting Own Group as the Data Scope for a specific Product Area will be overridden by the Default Data Scope, and users in the Role you’re creating will not be able to see the data you intended. Leaving the Default Data Scope at Company will have no effect for most Roles, as the Product Area Data Scope selections will handle limiting the data users in the Role will see. Reducing the Default Data Scope makes the most sense for organizations that need strict data authorization walls between business units; it is an advanced setting that is rarely necessary outside of this use case.
Self: Self Data Scope limits data visibility to only data associated with a user’s own profile. This includes data like Metrics, Survey Responses, QA Reviews, and Coaching Sessions. You would use the Self Data Scope if you wanted a user in this Role to see only data about themselves.
Self is the data scope historically used for the Team Member role.
Own Team: Own Team Data Scope limits the visibility to only data associated with users who belong to the same Team/report to the same Team Leader.
Own Team can be used to ensure that Team Leaders, or users in a new Manager/Supervisor Role that you create, can only see data about employees who directly report to them. You may also use Own Team to broaden the visibility of Team Members (or of a new custom Agent-level Role) so that they see data about the other employees who belong to the same team, if desired.
Own Group: Own Group Data Scope limits the data seen across the application to data belonging to Groups the user is a member of.
Own Group is the Data Scope historically used for our Reporting Group Permissions functionality, for example to separate & isolate data belonging to BPO Vendors. Setting Data Scope to Own Group would ensure that users in a BPO-based Employee Group can only see data associated with users belonging to the same Group(s) they are in. You may also choose to use Own Group to segment user data between Departments (e.g. Support and Sales teams both using Agent Connect).
Specific Groups: Specific Groups Data Scope limits visibility to only data associated with Groups that the role has been specifically granted access to. If you select the Specific Groups Data Scope, you will be required to specify which Specific Groups users in this Role should have access to.
For example, if there are 5 Groups in your account but only 2 are selected when configuring the Specific Groups Data Scope, then users in this Role would only see data belonging to the 2 Groups specified. The other 3 Groups would not be visible to users in this Role.
When Specific Groups are selected as a Data Scope selection for a Role, users in this Role will see data for the specified Groups, even if they are not members of the Group(s).
Users will always be able to see data associated with themselves, even when you've set their Role’s Data Scope to Specific Groups they do not belong to.
Product Areas
Available permissions across the application are grouped into specific Product Areas. There are 5 Product Areas that each have their own set of available permissions to configure and a primary Data Scope selection that can be customized.
Feedback: The Feedback Product Area contains permissions focused on areas of the product primarily related to surveys/customer feedback. This includes The Stream, Trends Dashboards & Reports, and Feedback Responses Exports, for example.
The Data Scope selected for this product area will also apply everywhere that Feedback data is shown in the application, even on pages that are not specifically Feedback-focused (e.g. on the Performance Dashboard).
QA: The QA Product Area contains permissions focused on areas of the product related to QA, including but not limited to the QA Dashboard, QA Reviews, Calibrations, QA Assignments, and Audits.
The Data Scope selected for this product area will also apply everywhere that QA data is shown in the application, even on pages that are not specifically QA-focused (e.g. on the Performance Dashboard).
Coaching & Performance Management: The Coaching & Performance Management Product Area contains permissions focused on areas of the product related to Agent, Team, and Company Performance Management workflows. This includes features like Coaching/1:1s and the Performance Dashboard.
Company Settings & Admin Tools: The Company Settings & Admin Tools Product Area contains permissions focused on configuring users, groups, roles, and various company settings located primarily within the Settings area of the application (i.e. Survey Builder, Marketing, Areas of Excellence/Rewards & Areas of Intelligence, QA Settings, 1:1 Settings, and Metric Configuration).
Please note that you must have at least one user in a Role that has permission to manage Roles & Permissions at all times.
Social: The Social Product Area contains permissions focused on features that require a less restricted Data Scope selection to function properly, including Leaderboards and QA Messaging.
Please Note: The Social Product Area permissions function independently of the Default Data Scope set for the Role, as the features within this Product Area require a broader scope to work as intended.
The Social Product Area Data Scope cannot be set to Self (Leaderboards & Messaging just aren’t fun all by yourself)
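The scope rules described above, modelled as an added example that is not Agent Connect code. It assumes the effective visibility in a Product Area is the intersection of the Default and Product Area scopes, that Social ignores the Default, and that a user's own data is always included; it does not model permissions that carry their own Scope. All class, function and user names are hypothetical.

```python
# Added illustration, not Agent Connect code; all names and data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    team: str                                 # team / Team Leader the user reports to
    groups: frozenset = frozenset()

@dataclass
class Role:
    default_scope: str
    area_scopes: dict                         # Product Area -> scope selection
    specific_groups: frozenset = frozenset()  # used by the "Specific Groups" scope

def visible(scope, viewer, directory, specific_groups=frozenset()):
    """Names of users whose data a single scope selection exposes to `viewer`."""
    if scope == "Company":
        return {u.name for u in directory}
    if scope == "Self":
        return {viewer.name}
    if scope == "Own Team":
        return {u.name for u in directory if u.team == viewer.team}
    if scope == "Own Group":
        return {u.name for u in directory if u.groups & viewer.groups}
    if scope == "Specific Groups":            # membership of the viewer is not required
        return {u.name for u in directory if u.groups & specific_groups}
    raise ValueError(f"unknown scope: {scope}")

def effective(role, area, viewer, directory):
    """Assumed model: the Default scope caps every Product Area except Social."""
    area_scope = role.area_scopes[area]
    area_set = visible(area_scope, viewer, directory, role.specific_groups)
    if area == "Social":
        if area_scope == "Self":
            raise ValueError("Social cannot be scoped to Self")
        result = area_set                     # independent of the Default Data Scope
    else:
        cap = visible(role.default_scope, viewer, directory, role.specific_groups)
        result = area_set & cap
    return result | {viewer.name}             # own data is always visible

# Constructed directory: three support users on two teams, one sales user.
DIRECTORY = [
    User("ana", "t1", frozenset({"support"})),
    User("ben", "t1", frozenset({"support"})),
    User("cy", "t2", frozenset({"support"})),
    User("dee", "t3", frozenset({"sales"})),
]
NARROW = Role("Own Team", {"Feedback": "Own Group", "Social": "Own Group"})
WIDE = Role("Company", {"Feedback": "Own Group"})
VENDOR = Role("Company", {"QA": "Specific Groups"}, frozenset({"sales"}))
```

With `NARROW`, the Own Group selection for Feedback collapses to the viewer's team, which is the misconfiguration the note on Default Data Scope warns about.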
Permissions
Each Product Area has a number of Permissions available to configure when customizing your Roles.
See below for a description of the function of each Permission:
Product Area | Permission Name | Description |
Feedback | Archive Feedback on Stream | Roles with this permission can archive feedback on the Stream utilizing the Remove Feedback button underneath each Survey Response card. This is historically an Admin-only feature. |
Feedback | Export Feedback Data | Roles with this permission can access the Export Responses tile from Settings and export survey request & responses data. |
Feedback | Send Surveys | When Agent Connect receives survey requests associated with this user, surveys should be sent to customers. When not selected, survey requests Agent Connect receives for employees in this Role will be ignored – this can help to ensure surveys are not mistakenly sent for Supervisors or Admins, for example. Please Note: Disable this with caution. If it is accidentally disabled or left off for a user in any Role, the survey requests created while it was disabled will be ignored, and these ignored requests cannot be retrieved. |
Feedback | View Company Program | Roles with this permission can access the Company Program from the Trends navbar menu. |
Feedback | View Company Trends | Roles with this permission can access the Company Trends Dashboard from the Trends navbar menu. |
Feedback | View Customer Information on Stream | Roles with this permission enabled can see Customer PII on Stream. This includes Customer Name, Customer Email, and Link to Original Ticket, if present. |
Feedback | View Service Recovery Dashboard | Roles with this permission can access the Service Recovery Dashboard from the Trends navbar menu. |
Feedback | View Stream | Roles with this permission can access the Stream. |
Feedback | View Team Member Trends | Roles with this permission can access Team Member Trends from the Trends navbar menu. |
Feedback | View Team Trends | Roles with this permission can access Team Trends from the Trends navbar menu. |
QA | Export Calibrations data | Roles with this permission can export Calibration data from the Calibrations - All Sessions tab. |
QA | Export QA Data | Roles with this permission can export QA data from QA Reporting (QA > Dashboard > Completed Reviews > Export). |
QA | Manage Calibrations | Roles with this permission can access, create, edit, and archive QA Calibration Sessions, in addition to seeing the All Sessions Calibrations tab. Please note that this permission is required to access Calibration Exports. This permission has its own Data Scope selection. The Data Scope selected here will override other Scope selections to ensure that users with the ability to Create Calibration Sessions can invite Participants from across the organization, if desired. |
QA | Manage QA Assignments | Roles with this permission can create, edit Participants for, and archive QA Assignments in addition to seeing the All Assignments section on the Assignments Overview page (QA > Assignments) |
QA | Manage QA Settings | Roles with this permission can access the QA tile from Settings and configure any company-wide QA Settings, including QA Scorecards, enabling features like Acknowledgments & Appeals, and various QA notifications. |
QA | QA Review | Roles with this permission can Initiate QA Reviews from the following places (if they have access to them, based on other permissions):
And they can be assigned as a reviewer in a QA Assignment.
Users with permission to Conduct QA Reviews may be selected as Participants in a Calibration Session. |
QA | View Audits | Roles with this Permission can view completed QA Audits but cannot conduct QA Audits themselves. |
QA | Perform Audits | Roles with this Permission can view and conduct QA Audits |
QA | View QA History | Roles with this Permission can view QA Review History on any Completed QA Review they can access based on their Data Scope selection. |
QA | View QA Dashboard | Roles with this permission can view the QA Dashboard, which includes all tabs/subpages on the QA Dashboard. |
QA | View Reviewers | Roles with this Permission can view the Reviewers Performance reporting page from the QA navbar menu. |
QA | Submit Appeals | Roles with this permission can Submit Appeals for QA Reviews if they have been granted appropriate scope to Appeal it. This permission has Scope and the Scope selected will override the QA Product Area Scope for this Role, if necessary. |
QA | Resolve Appeals | Roles with this permission can Resolve Appeals for any QA Review with an Open Appeal if they have been granted appropriate scope to Resolve Appeals. Note: This permission has Scope and the Scope selected will override the QA Product Area Scope for this role, if necessary. |
Coaching & Performance Management | Coach 1:1s | Roles with this permission can initiate Coaching Sessions/1:1s as a Coach. |
Coaching & Performance Management | Participate in 1:1s | Roles with this permission can be selected as the Coachee of a Coaching Session/1:1. When selected as the Coachee, the user can add Notes to the Agenda of the Session after it has been shared with them. |
Coaching & Performance Management | View 1:1s | Roles with this permission can access 1:1s from the navbar, and have the ability to view 1:1 sessions but not edit those sessions. These users should not be coachable and they cannot coach others. |
Coaching & Performance Management | Save for 1:1s | Roles with this permission can Save pieces of Feedback, QA Reviews, and Metric Snapshots to discuss in their Coaching Sessions/1:1s |
Coaching & Performance Management | Manage 1:1 Settings | Users with this permission can access the 1:1s tile from Settings and have the ability to edit company-level Settings like default visibility for 1:1s, Action Item Categories, and all other settings found on this page |
Coaching & Performance Management | View Performance | Roles with this permission can see & access the Performance Dashboard from the navbar. |
Company Settings & Admin Tools | Administer Passwords | Roles with this permission can access & initiate the Reset Password flow on User Profiles and can access the Reset Passwords page, accessible under Bulk Actions on the Manage Team page. |
Company Settings & Admin Tools | Approve Pending Profiles | Roles with this permission should have access to approve a profile in Pending status after profile changes have been made and access the Pending Profiles page under the Bulk Actions dropdown on the Manage Team page. |
Company Settings & Admin Tools | Manage Users | Roles with this permission have access to the Manage Team page and have access to create/edit/deactivate other users under the Actions column. Please note that you must have at least one user with access to Manage Users at all times. |
Company Settings & Admin Tools | View Users | Roles with this permission can access the Manage Team page to view the list of users, scoped to their permission, but do not have access to create/edit/deactivate other users or see the Roles & Groups tabs |
Company Settings & Admin Tools | Bulk Create/Update Users | Roles with this permission should have access to the Bulk Create/Update Users under the Bulk Actions dropdown on the Manage Team page. Users who can Bulk Create/Bulk Edit can do so for all users in the Company. |
Company Settings & Admin Tools | Contact Medallia Support | Roles with this permission can access the ‘Contact Us’ option to connect with Medallia’s Support Team via chat. |
Company Settings & Admin Tools | View & Manage Team Settings | Roles with this permission can access the Team Settings options on the Manage Team page. Team Settings include Profile Guideline Text and Profile Photo & Image settings. Please note team settings are applied globally across users. |
Company Settings & Admin Tools | Fulfill Rewards | Roles with this permission can access the Rewards Reports navigation and fulfill rewards agents have earned if Rewards are enabled. |
Company Settings & Admin Tools | Manage Company Settings | Roles with this permission have access to the Company Info tile in Settings where they can edit a number of company-wide configurations. |
Company Settings & Admin Tools | Manage Groups | Roles with this permission have access to the Groups UI on the Manage Team page where they are able to create new Groups, rename Groups, edit Groups membership, and duplicate/archive Groups. On the Users table, users with this permission should have access to use the Add to Group shortcut dropdown menu item |
Company Settings & Admin Tools | Manage Integrations | Users with this permission have access to the Integrations tile from Settings where they can find Test and Production API keys and download the company's Secret key, along with the ability to set Error Email Address and Test Email Address |
Company Settings & Admin Tools | Manage Metrics | Roles with this permission have the ability to see the Metric Configuration Settings tile and edit metric configurations for the company, including Metric Sets, Leaderboard configuration, and more. |
Company Settings & Admin Tools | Manage Roles & Permissions | Roles with this permission can access the Roles UI via the Manage Team page, which gives them access to create a new role via the UI and update permissions belonging to existing roles. Please note that you must have at least one user with access to Manage Roles & Permissions at all times. |
Company Settings & Admin Tools | Manage Surveys | Roles with this permission have access to the Survey Builder tile via Settings where they can make changes to their company's survey. This also includes access to see and edit Rewards/Areas of Excellence, Areas of Improvement, Marketing, and Service Recovery. |
Company Settings & Admin Tools | View Rewards Reports | Roles with this permission can access the Rewards Reports via navigation (based on whether they have Thresholds enabled they will see 1 report or 3), but users with ONLY this rewards permission do not explicitly have permission to fulfill rewards |
Social | QA Messaging | Roles with this permission can use “@” to mention someone in the chat module on the QA review page. Please note that the QA Messaging feature will be visible whether this permission is enabled or disabled. |
Social | View Leaderboard | Roles with this permission can access Leaderboard from navigation. |
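A review of a role configuration against the constraints stated in the table, as an added example that is not Agent Connect code. The role and user data are constructed, the function names are hypothetical, and the list of permissions flagged for review is a reviewer's selection based on the descriptions above (API keys and Secret key, customer PII, password resets, company-wide bulk edits).

```python
# Added illustration, not Agent Connect code; role and user data are constructed.
MUST_HAVE_HOLDER = ("Manage Users", "Manage Roles & Permissions")
# Per the table, Manage Calibrations is required to access Calibration Exports.
REQUIRES = {"Export Calibrations data": "Manage Calibrations"}
# Reviewer's selection of permissions worth tracking, from the table descriptions.
SENSITIVE = {
    "Manage Integrations": "API keys and company Secret key",
    "View Customer Information on Stream": "customer PII",
    "Administer Passwords": "password reset for other users",
    "Bulk Create/Update Users": "applies to all users in the Company",
}

def holders(permission, roles, users):
    """Sorted names of users whose Role grants `permission`."""
    return sorted(u for u, r in users.items() if permission in roles.get(r, set()))

def audit(roles, users):
    """Return (kind, subject, detail) findings for a role/user assignment."""
    findings = []
    for perm in MUST_HAVE_HOLDER:
        if not holders(perm, roles, users):
            findings.append(("lockout", perm, "no user holds this permission"))
    for role, perms in sorted(roles.items()):
        for perm, prereq in REQUIRES.items():
            if perm in perms and prereq not in perms:
                findings.append(("ineffective", role, f"{perm} needs {prereq}"))
    for perm, why in SENSITIVE.items():
        who = holders(perm, roles, users)
        if who:
            findings.append(("review", perm, f"{why}: {', '.join(who)}"))
    return findings

# Constructed configuration: nobody can manage Roles, and the QA Analyst role
# has the export permission without its prerequisite.
ROLES = {
    "Admin": {"Manage Users", "Manage Integrations", "Administer Passwords"},
    "QA Analyst": {"QA Review", "Export Calibrations data", "View QA Dashboard"},
    "Team Leader": {"View Stream", "View Customer Information on Stream", "Coach 1:1s"},
}
USERS = {"ana": "Admin", "ben": "QA Analyst", "cy": "Team Leader", "dee": "Team Leader"}

if __name__ == "__main__":
    for finding in audit(ROLES, USERS):
        print(*finding, sep=" | ")
```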