Role-based access control

Administrators can use the role-based security system to control user access to all of the resources in PortaBilling. Access control lies in configuring a role and assigning this role to a user. This ensures that the user can access only those resources they are authorized to see or use.

Default roles are supplied with PortaBilling – or administrators can create new roles to fit your company needs.

A role can be one of the following types:

• Account – to be assigned to accounts
• Customer – to be assigned to retail/reseller customers
• Distributor – to be assigned to distributors
• Representative – to be assigned to representatives
• Reseller – to be assigned to resellers
• Admin – to be assigned to users of the admin interface
• Hunt group supervisor – to be assigned to call center supervisors

Default roles are supplied with PortaBilling – or administrators can create new roles to fit the needs of the company.

Roles are presented on the web interface as a resource tree wherein root nodes reflect entities in PortaBilling (i.e. customer, account, product, etc.). Second-level nodes reflect entity parameter panels. For example, for a customer entity, it can be the Personal information panel, Invoices and taxation panel, etc.

For each node within the tree, the administrator assigns permissions to define whether an entity or its parameters are available for the user and which actions the user can perform on them. The role’s resource tree has a hierarchical structure, that is, lower-level nodes inherit permissions that have been assigned to higher-level nodes.

If the administrator needs to hide a certain item on an entity parameter panel (e.g., the BCC field on the Address info panel), they can switch to the Advanced mode. In this mode, the role’s resource tree displays a list of items for each entity parameter panel. The administrator then sets the required permission for the corresponding item.

The administrator uses roles to control access to the self-care page for customers/account owners. The administrator can log in on a customer self-care page on behalf of the customer using the built-in “Sign in as” link, for example, to help with the cloud PBX configuration. If the customer has a custom role assigned to them, the administrator can choose to either log in with the custom or the default role.

The admin can control which resellers have access to the roles of the “Customer,” “Account,” or “Reseller” type. Resellers on their portal can only see and use roles that they have been granted access to. Resellers who are not explicitly given permission will not be able to assign this role to their customers/accounts/sub-resellers.

The administrator can assign one of the following permissions in the role’s resource tree:

• Restrict – this means that users cannot access the specified resource.
• Read – this permits users to view the specified resource.
• Modify – this permits users to view, update, create and delete the specified resource.

When a user attempts to perform a specific action with a resource (for example, update customer information), PortaBilling checks whether the user has permission for this action. If permission is granted for this action, the user may proceed. Otherwise, the action is not permitted.