# User Role Permissions

A role is built from individual permissions, and each permission opens up one area of the phone system. Use this reference when you are creating or editing a role to see exactly what every permission controls before you grant it. The permissions are grouped below by the part of the system they affect.

:::tip
Grant a role only the permissions it actually needs. Extra permissions widen what a user can reach if their account is misused, so start narrow and add more later if the person's job requires it.
:::

## Extension and Trunk

These permissions decide which extensions a role can work with, and whether the role can also manage extension groups, client permissions, trunks, and other roles.

**Extension**

- **Manage Extensions**: sets the scope of extensions and departments that the role can view and manage:
  - **All Departments**: view and manage every department.
  - **All Extensions**: view and manage every extension. This scope suits a role such as Human Resource, so that staff changes can be reflected in extensions without delay.
  - **All the other extensions of the same Extension Groups**: manage, or send Cloud Voice App welcome emails to, every other extension in the same extension group, except the group that contains all extensions. This scope suits a supervisor who oversees their own team.
  - **All other extensions of the same department**: manage, or send welcome emails to, the other extensions in the same department, but not those in its sub-departments.
  - **Specific Extensions**: manage, or send welcome emails to, a chosen set of extensions. This scope suits a team lead who spans more than one department.
  - **Extension itself only**: manage, or send a welcome email to, only the user's own extension.
- **Manage Extension Operation Permission**: controls the extension-level settings the role can change:
  - **Cloud Voice App clients**: whether the role can view and manage the settings for each enabled client: Mobile, Pad (SDK), Desktop, and Web.

    :::note
    The Pad (SDK) client appears only when the Cloud Voice App SDK is enabled, under **Integration > Cloud Voice App SDK**.
    :::
  - **Assign User Role**: whether the role can set or change the user role assigned to extensions.
  - **Emergency Outbound Caller ID**: whether the role can configure the emergency outbound caller ID for extensions, at **Management Portal > Extension and Trunk > Extension > User > Outbound Caller ID (DOD, Direct Outward Dialing, the number shown to the person you call) > Emergency Outbound Caller ID**.

    :::danger
    The emergency outbound caller ID is the number sent when an extension dials emergency services (E911, the enhanced 911 service that routes the call to the nearest dispatcher and shows them a registered address). If it is set wrong, help can be sent to the wrong place. Give this permission only to staff who understand your E911 setup.
    :::

    :::note
    Whether extension users can edit their own emergency outbound caller ID from the Cloud Voice App is a separate setting, found at **Management Portal > Extension and Trunk > Client Permission > Preference Settings**.
    :::

**Extension Group**: manage extension groups.

**Client Permission**: manage which extensions and contacts each user is allowed to view or manage.

**Trunks**: manage trunks.

**Role**: manage user roles.

:::caution
Two permissions here can widen access on their own: **Assign User Role** lets a user change which role an extension has, and **Role** lets a user create and edit the roles themselves. Anyone with either one could raise their own or a colleague's level of access, so limit them to trusted administrators.
:::

## Contacts

Whether the role can manage:

- Company Contacts
- PhoneBooks
- LDAP Server (Lightweight Directory Access Protocol, a shared company directory the phone system can pull contacts from)

## Auto Provisioning

Whether the role can manage **Auto Provisioning**.

## Call Control

Whether the role can manage:

- Inbound Route
- Outbound Route
- AutoCLIP Route (a rule that sends a return call straight back to the extension that placed the original outbound call)
- Business Hours and Holidays
- Emergency Number

:::caution
**Emergency Number** sets which dialed digits the system treats as an emergency call (for example 911). If these are wrong, an emergency call may fail to go through, so let only trusted staff manage them.
:::

## Call Flow Designer

Whether the role can create and manage call flows.

## Call Features

Whether the role can manage:

- Voicemail
- Feature Code
- IVR (Interactive Voice Response, the automated menu that tells callers to "press 1 for sales")
- Ring Group
- Queue
- Conference
- Speed Dial
- Paging/Intercom
- Recording
- PIN List
- Call Disposition
- Blocked/Allowed Numbers

## AI

Whether the role can manage:

- AI Receptionist
- AI Toolbox (including AI Text-to-Speech and AI Transcription)

## Messaging

Whether the role can manage:

- Message Channel
- Message Queue
- Message Campaign

## PBX Settings

Whether the role can manage:

- Preferences
- Voice Prompt
- SIP Settings (Session Initiation Protocol, the signaling standard that sets up and ends VoIP calls)
- Jitter Buffer

## System

Whether the role can manage:

- Date and Time
- Email
- Storage
- Archive
- Event Notification
- Onsite Proxy

## Security

Whether the role can manage:

- Security Rules
- Security Settings

:::caution
Security Rules and Security Settings control the system's defenses, such as blocked-IP rules and login protections. A user who can change them could weaken protection against toll fraud (attackers running up charges through your trunks), so restrict this to trusted administrators.
:::

## Maintenance

Whether the role can manage:

- Upgrade
- Backup and Restore
- Reboot
- Reset
- Operation Logs
- Troubleshooting
- System Logs

:::danger
**Reset** erases the system configuration and cannot be undone, and **Reboot** ends every call in progress. Grant Maintenance permissions only to trusted administrators.
:::

## Integration

Whether the role can manage:

- Collaboration
- CRM
- Helpdesk
- Speech to Text
- AMI (Asterisk Manager Interface)
- API (Application Programming Interface)
- Database Grant
- Cloud Voice App SDK (Software Development Kit)
- Fax
- WebSocket Audio Streaming

:::caution
AMI, API, and Database Grant open programmatic (machine-to-machine) access to the system. Treat granting them like handing out administrator credentials, and enable them only for integrations you trust.
:::

## Hotel Management

Whether the role can manage:

- Hotel Settings
- Room Management
- Wake-up Service

## Reports and Recordings

These permissions set which extensions' call records and recordings the role can see and act on, and whether the role can reach call reports and external chat logs.

**CDR** (Call Detail Record, the log of a call's time, numbers, and duration)

- View scope, which extensions' CDR the role can see:
  - **All Extensions**: the CDR of every extension.
  - **All the other extensions of the same Extension Groups**: the CDR of every other extension in the same group, except the group that contains all extensions.
  - **All other extensions of the same department**: the CDR of the other extensions in the same department, but not those in its sub-departments.
  - **Specific Extensions**: the CDR of a chosen set of extensions.
- Actions, how the role can act on CDR: **Download**, **Delete**, and **Schedule Download**.

**Recording Files**

- View scope, which extensions' recordings the role can see:
  - **All Extensions**: the recordings of every extension.
  - **All the other extensions of the same Extension Groups**: the recordings of every other extension in the same group, except the group that contains all extensions.
  - **All other extensions of the same department**: the recordings of the other extensions in the same department, but not those in its sub-departments.
  - **Specific Extensions**: the recordings of a chosen set of extensions.
- Actions, how the role can act on recordings: **Play**, **Download**, and **Delete**.

:::caution
The **Delete** actions on CDR and recordings remove data permanently. Call recordings in particular may be needed for compliance or dispute resolution, so grant delete rights sparingly.
:::

**Call Reports**

- **My Reports Access Permissions**: which call reports the role can open: **All**, **Created by Myself**, or **Created by Myself and Specific Extension/Extension Group**.
- **Call Report Operation Permission**: how the role can act on call reports: **Download**, **Schedule Download**, and **Rate**.
- **Call Report Data Permission**: which call reports and data scope the role can view: **Queue Call Reports**, **Extension Call Reports**, and **Other Call Reports**.

**External Chat Logs**: whether the role can open external chat logs.

## Plan

Whether the role can buy a Cloud Voice plan or start its free trial.
