ACL rules and Call classes management - Admin Guide

This Guide explains and describes what permissions and limitations for PBX users and administrators can be set to limit access to certain PBX services and features.

WMS Version: 5.0X / 6.0X

Updated: September 2024

Permalink: https://wildix.atlassian.net/wiki/x/8xrOAQ

Introduction

ACL (Access Control List) is a number of permissions and limitations for PBX users and PBX administrators.

Via ACL for PBX users it is possible to forbid certain groups of users external calls to certain call classes, limit access to certain PBX services and UC features. The full list of ACL permissions: APPENDIX 2.

Via ACL for PBX administrators it is possible to limit access to certain WMS menus and forbid certain operations related to PBX management to groups of PBX admins. The full list of ACL admin permissions: APPENDIX 3.

Note: Normally, if you don't forbid any certain access via ACL, it means the access is allowed. For example, if you don't have any ACL restriction "Cannot" - "Intrusion", it means intrusion is allowed.

Exception: There are 3 ACLs that are not permitted by default: "Can " - "Modify presence", "Can" - "Delete calls" and "Can" - "See voicemail". At first, you have to set ACL permissions for using these services.

Admin and Default ACL groups and permissions

ACL groups can be managed and created in WMS -Users -> Groups.

By default there are two ACL groups on PBX:

  • Admin (no limitations, assigned to “admin” user)
  • Default (see Default ACL settings; assigned to new users by default)

ACL groups can be assigned to users in WMS -> Users -> select user / users -> “Group”:


All PBX users with admin permissions can:

  • Edit permissions of ACL groups (click Edit permissions button to manage)

“admin” user in addition can:

  • Create and delete ACL groups
  • Set up inheritance
  • Manage admin permissions for PBX administrators (click Edit admin permissions button to manage)

Note: ACL groups are shared via WMS Network. Detailed information about WMS Network can be found here: WMS Network.


Inheritance

Set up Inheritance: Select an ACL group: “Inherits from” (select the group)


Important: Wildix ACL groups support only single level inheritance.


Example: group B inherits from A; group C can't inherit from B because B already inherits from another ACL group A.


Note: “Cannot” rule has priority over “Can”.

Example: group B inherits from A “Can” – “Intercom”, but inside group B we add “Cannot” – “Intercom”, as a result, use of Intercom is prohibited for this group of users.

View ACL permissions

Starting from WMS Beta 6.03.20230424.1, it is possible to view permissions of all ACL groups in a table view, all in one place. Click on the Permissions viewer button at the bottom:

  • The “Cannot” rule is displayed as a red minus sign, “Can” - as a green plus sign.
  • A yellow plus/ minus sign means that there is a group with permissions different from the default ones. Hover the mouse over the yellow sign to see the details.
  • Admin permissions are not included in the table.

ACL for outgoing calls – Supported countries for call classes

To forbid/ allow calls, use ACL "Can call / Cannot call".

Wildix PBX supports call classes for following countries:

  • Austria
  • Belgium
  • Canada
  • France
  • Germany
  • Italy
  • Luxembourg
  • Netherlands
  • Spain
  • Switzerland
  • Portugal
  • Ukraine
  • United Kingdom
  • USA

Call class detection for processing external calls

PBX differentiates national from foreign calls based on International Prefix in Dialplan -> General settings.

Country code in trunk settings is used for number normalization (number is not normalized if country code is empty)

Available classes for processing of calls inside configured country:

  • National
  • Mobile
  • Emergency
  • Free
  • Premium1
  • Premium2 (Germany, Austria)

Available classes for processing of calls to/ from other countries (see Call classes explanation):

  • North America
  • Africa
  • Europe1
  • Europe2
  • South America
  • Oceania
  • Russia
  • Asia1
  • Asia2
  • International (WMS 5.0X, contains all mentioned call classes)

Call class for unknown countries is 0 and call will not be blocked by ACL.

Recommendations to avoid calls to illegal destinations:

(as in Default ACL settings)

  • First add the rule “cannot call All”
  • Then add a number of “can call” rules

Setting up call classes in Dialplan

“Dial the trunk” and “Trunk group” Dialplan procedures allow you to define call classes and associate them to prefixes. Consult Dialplan applications Admin Guide for detailed information.

Example: assign calls to destination numbers which start with “03” to “Mobile” call class, remove the first digit (0) from the called number and route calls via the selected trunk (test5):



In case you do not set up call classes via Dialplan procedures, PBX evaluates the call prefix and assigns the call class to it, based on the logic described in the chapter Call classes explanation.

Call classes explanation

  • Internal – internal calls
  • Local - local calls 
  • National – recognized based on the National Prefix in Dialplan General Settings
  • Mobile – recognized based on the Country Code in Dialplan General Settings
  • Emergency – recognized based on the Country Code in Dialplan General Settings
  • Free – recognized based on the Country Code in Dialplan General Settings
  • Premium1 – recognized based on the Country Code in Dialplan General Settings
  • Premium2 – recognized based on the Country Code in Dialplan General Settings
  • Premium3 – not defined
  • Premium4 – not defined
  • North America – calls to numbers starting with 001 or +1
  • Africa – calls to numbers starting with 002 or +2
  • Europe1 – calls to numbers starting with 003 or +3
  • Europe2 – calls to numbers starting with 004 or +4
  • South America – calls to numbers starting with 005 or +5
  • Oceania – calls to numbers starting with 006 or +6
  • Russia – calls to numbers starting with 007 or +7
  • Asia1 – calls to numbers starting with 008 or +8
  • Asia2 – calls to numbers starting with 009 or +9
  • International - calls to Europe1-2, North and South America, Africa, Oceania, Russia, Asia1-2 numbers

Prefixes per country for call class detection:

Notes

"Modify public phonebook” and “Set Phonebook”

Difference between ALCs “Can / cannot” – Modify public phonebook” and “Can set / cannot set” “Phonebook”:

  • Can / cannot Modify public phonebook: user in this group cannot modify any contact from public WMS phonebook
  • Can set / cannot set Phonebook: user in this group can access only phonebooks located in “Selected” section in WMS -> Users (select user) -> Edit preferences -> Phonebooks

Note: at least one phonebook must be present in “Available” section (it can even be an empty phonebook).

"See voicemail"

ACLs "Can/ cannot use"  - "Voicemail" and "Can / cannot - "View" - "Group" have higher priority that ACL "Can / cannot" - "See voicemail" - "Group". 

If "cannot use" - "Voicemail" limitation is set, a user is not able to configure or change "Voicemail" Function Key. This user can see the already configured key, but cannot change the label or assign it to another user.

If  "cannot" - "View" - "Group" limitation is set, a user is not able to see users from a specified group when configuring "Voicemail" Function Key.

APPENDIX 1. Default ACL permissions 

The list of default ACL permissions of Default (users) and Admin (users with admin permissions) ACL groups:

GroupAbility and access
Users
  • cannot Intrusion Everybody
  • cannot Intercom Everybody
  • cannot Manage the callcenter
  • cannot use CDR-view
  • cannot see Voicemail Everybody
  • cannot use Shared Recording
  • cannot use Personal Recording
  • cannot call All
  • can call Local
  • can call National
  • can call Mobile
  • can call Emergency
  • can call Europe1
  • can call Europe2
  • cannot Modify Public Phonebook
  • cannot Delete calls
  • cannot Modify presence Everybody
  • cannot Create Conferences
PBX admins
  • cannot manage PBX All
  • can manage PBX <current_PBX>
  • cannot manage group Everybody
  • cannot Add and remove users
  • cannot access menu All
  • cannot access menu :: Diagnostics Hub (starting from WMS 6.07.20240906.1)
  • can access menu Users :: Phonebook
  • can access menu Dialplan :: Call Groups
  • can access menu Dialplan :: Timetables
  • can access menu Dialplan :: IVR
  • can access menu Settings :: Tools and utilities :: Backup system

APPENDIX 2. Full list of ACL permissions 

Can/ Cannot

Call - GroupAllow/ forbid calling certain groups of users
use Virtual scanner - Group

Allow/ forbid using Virtual scanner Feature Code. More information: Virtual scanner

Modify presence - Group

Allow/ forbid setting user status of colleagues in Collaboration. By default, if no ACL rule is added, users are not allowed to set user status of colleagues. More information: Set user status in Collaboration

see full number in CDR-View

Allow/ forbid seeing full numbers in CDR-View in Collaboration. You can decide how many digits to hide in Call and chat history menu of WMS

Intercom - Group

Allow/ forbid using Intercom Feature Code. More information: Intercom

Intrusion - Group

Allow/ forbid call intrusion via Collaboration / Feature Code. More information: Call intrusion (barging), Intrusion Feature Code

Call Pickup - GroupAllow/ forbid pickup of other user's calls via Collaboration / Feature Code. More information: Call pickup and Pickup Feature Code
Modify public phonebooks

Allow/ forbid modifying any contact from a public WMS phonebook in Collaboration. Details: Phonebook

View - Group

Allow/ forbid viewing users in Colleagues roster and Recents chat in Collaboration as well as Colleagues phonebook

View calls of users - Group

Allow/ forbid viewing who is calling via Collaboration and VoIP phones. Details: Colleagues status information

Delete calls

Allow/ forbid deleting calls from History (not supported on W-AIR Handsets). By default, if no ACL rule is added, users are not allowed to delete calls. More information: Calls / faxes history

Share status via Kite

Allow/ forbid sharing user's status via Kite (no user status is shown when contacting user by Kite link)

Share status message via Kite

Allow/ forbid sharing user's status message via Kite (no status message is shown when contacting user by Kite link)

Share geolocation via Kite

Allow/ forbid geolocation sharing via Kite. More information: Limit access to Kite service

View geolocation via Collaboration - Group

Allow/ forbid viewing geolocation of users in Collaboration, iOS/ Android apps. More information: Geolocation

Manage the callcenter

Allow/ forbid performing actions on call groups’ members: put a user on hold, add users to call groups via call groups plugin and Call group management Feature Code (if forbidden, a user can perform the actions only on himself (add himself to a call group, put himself on pause in a call group)

More information: WebAPI basic features and Call group management Feature code

Be looked up via dial by name

Allow/ forbid user to be looked up via dial by name feature (including ASR). The feature can be called via "Dial by name/ Directory" Dialplan application or Directory Feature Code via Collaboration, VoIP phones, WP600AXX/ Vision/ SuperVision, W-AIR handsets, iOS/ Android apps. More information: Directory and Dial by name/ Directory

See extensions

Allow/ forbid downloading Collaboration Extensions. More information: /wiki/spaces/DOC/pages/30285992

See voicemailAllow/ forbid using shared voicemail feature on WP480G/WP490G 2017, WorkForce, WelcomeConsole. More information: Shared voicemail feature
Disable two factor authentication Allow/ forbid disabling Two-factor authentication in Collaboration. Details: Two-factor authentication
Enable video call Allow/ forbid user to start or enable video calls in Collaboration. Details: Video call
See call recordings (starting from WMS 5.03)

Allow/ forbid users to access call recordings. This ACL works for call recordings started via Collaboration, Feature code, and Dialplan and hides call recordings both in Collaboration -> History and CDR-View. 

The ACL also allows/ forbids access to x-bees Sales Intelligence and Real-time transcriptions.

Limitations:

  • If call recordings are initiated via Dialplan application Record call and there is email/ user extension specified for sending the recordings, the specified user will still get them to their mailbox
  • Call recordings, which already existed in CDR-View, will not be hidden after applying the ACL “cannot - See call recordings”. As a workaround, you can rebase the local CDR-View database to restrict user access to old call records

More information: Collaboration User Guide: Record a call, Dialplan applications - Admin Guide: Record a call, Feature Codes GuideSales Intelligence in x-beesHow to use real-time transcription of x-bees calls and conferences.

Create conferences

Allow/ forbid creating chat/ video conferences in Collaboration. More information: Multiuser chat conference and /wiki/spaces/DOC/pages/30280852

See analytics

Allows to choose data of which groups should be visible in Analytics (CDR-View 2.0) reports in Collaboration and x-bees, as well as gives access to x-bees Sales Intelligence and Real-time transcriptions. More information: Cloud Analytics (CDR-View 2.0) in CollaborationCDR-View in x-beesx-bees AnalyticsSales Intelligence in x-beesHow to use real-time transcription of x-bees calls and conferences.

Note: The support starts from WMS 6.03.20230630.3.

Can set/ Cannot set

Status (DND/Away)

Allow/ forbid setting DND/ Away status via Status Feature Code (can be dialed from any Wildix device) and VoIP phones (not supported in Collaboration, WP600AXX/ Vision/ SuperVision, iOS/ Android apps). More information: Status (DND/Away) Feature Code and WP4X0 Call Features

Call Forward Busy

Allow/ forbid setting call forwarding if user is busy (not supported on WP600AXX/ Vision/ SuperVision)/ using Feature Code. Consult Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide

Call Forward No Answer

Allow/ forbid setting call forwarding if user doesn't answer (not supported on WP600AXX/ Vision/ SuperVision)/ using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide

Call Forward All

Allow/ forbid setting forwarding of all calls (not supported on WP600AXX/ Vision/ SuperVision)/ using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide

Call waiting

Allow/ forbid receiving more than one call at a time (not supported on WP600AXX/ Vision/ SuperVision) / using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Call waiting Feature Code

Mobility extension management

Allow/ forbid call forwarding to the mobile number (not supported on WP600AXX/ Vision/ SupeerVision)/ using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Mobility extension management

Call timeout

Allow/ forbid setting call timeout after which an incoming call will be terminated via Collaboration or Feature Code. More information: Call features and Call timeout

Telephone blocked

Allow/ forbid using Telephone blocked Feature Code. More information: Telephone blocked

Ring only active device

Allow/ forbid activating only the active device ring via Collaboration or Feature Code. More information: Personal settings and Ring only active device Feature Code

Mobility confirmation

Allow/ forbid a user to be notified on who the caller is when he receives a call on mobility extension number via Collaboration or Feature Code. More information: Call features and Mobility confirmation

Function keys

Allow/ forbid configuring Function keys in Collaboration -> Settings -> Function keys. The access to already configured Function keys is saved. More information: Function keys

Timetable

Allow/ forbid configuring Timetable Function key in Collaboration and changing its status via Feature Code (Timetables and switches are created in WMS). Details: Timetable Feature Code

3 state switch

Allow/ forbid configuring 3 state switch Function key in Collaboration and changing its status via Feature Code. Details: 3 State Switch Feature Code

Switch

Allow/ forbid configuring Switch Function key in Collaboration and changing its status via Feature Code. More information: Switch Feature Code

Phonebooks

Allow/ forbid access to selected phonebooks (if forbidden, a user can access only phonebooks located in “Selected” section in WMS - > Users (select user) -> Edit preferences -> Settings -> Phonebooks)

Personal Information

Allow/ forbid changing personal information in Collaboration and Android/ iOS app (not supported on VoIP phones, WP600AXX / Vision/ SuperVision, W-AIR Handsets). Details: Personal information

Advanced status

Allow/ forbid access to advanced user status menu, including status message, until option, editing picture and setting location and Chat/ Presence menu, including custom statuses in Collaboration. More information: Status message and Chat/ Presence

Fax Server Settings

Allow/ forbid changing Fax Server Settings in Collaboration -> Settings -> Fax Server Settings. More information: Fax Server

Notify missed calls via email (WMS 5.0X)Allow/ forbid receiving missed calls notifications via email in Collaboration -> Settings -> Features. More information: Call features
Notify missed calls via SMS (WMS 5.0X)Allow/ forbid receiving missed calls notifications via SMS in Collaboration -> Settings -> Features. More information: Call features
Custom Ring (WMS 5.0X)Allow/ forbid selecting the ringtone for VoIP phones and Collaboration in Collaboration -> Settings -> Features. More information: Call features
Predefined Advanced settings on Mobile

Allow/ forbid mobile users to change the Advanced settings in Collaboration app on mobile (currently, only Android is supported). More information: Custom config parameters List

Note: The support starts from WMS 6.04.20230724.1.

All

Can use/ Cannot use

Collaboration

Allow/ forbid access to Collaboration (if forbidden, users have access only to the basic CTI interface, including calls, sending SMS/ fax, changing personal user status, without full access to Collaboration (no access to Colleagues, Function keys, Map view, Messaging menu)

Attendant Console

Allow/ forbid access to Attendant Console in Collaboration. More information: Attendant Console

History

Allow/ forbid access to Calls/ faxes History (not supported on W-AIR Handsets). More information: Calls / faxes history

x-caracal

Allow/ forbid access to x-caracal. By default, access to x-caracal is forbidden. More information: x-caracal documentation 

Note: The support starts from WMS 6.03.20230630.3.

Analytics

Allow/ forbid to use Analytics (CDR-View 2.0) in Collaboration. When allowed, the Analytics button is displayed in Collaboration. More information: Cloud Analytics (CDR-View 2.0) in Collaboration.

Note: The support starts from WMS 6.03.20230630.3.

CDR-View

Allow/ forbid access to CDR-View in Collaboration. Detailed information: CDR-View Guide

Speed dial

Allow/ forbid call phonebook short numbers using Speed dial Feature Code. More information: Speed dial Feature Code

Shared Recording

Allow/ forbid using Shared record Feature Code. More information: Shared record Feature Code

Personal RecordingAllow/ forbid access to personal recording in Collaboration and using Personal Recording Feature Code and Incall code *1 as well as Attendant Console. More information: Feature Codes Guide and Record a call
SMSAllow/ forbid sending SMS via Collaboration. More information: SMS
Fax

Allow/ forbid sending faxes via Collaboration. More information: Fax

Paging

Allow/ forbid using Paging Feature Code to send a broadcast to a group of users. More information: Paging

Pre answer servicesAllow/ forbid access to pre answer services (the voice prompt doesn't announce "press * for options"), including Voicemail, Intrusion, Intercom and Call completion, but the voice prompt announces user status: on the phone, busy, unavailable, no answer
Pre answer services & messages

Allow/ forbid access to pre answer services when user status is not announced at all. More information: Pre answer services

Phone settings menuAllow/ forbid access to VoIP phone settings. More information: Phone settings
Advanced phone settings menu Allow/ forbid access only to advanced phone settings "Network" and "Autoprovision" on VoIP phones. More information: Phone settings
Web phone

Allow/ forbid availability of web phone in Collaboration (if forbidden, web phone is not available in the list of devices in Collaboration and user cannot use Collaboration to place / receive calls via Web phone)

Voicemail

Allow/ forbid access to Voicemail and using Voicemail Feature Code. More information: Voicemails

Voicemail without pin code (WMS 5.0X)

Allow/ forbid PIN protection for Voicemail via XML (via the phone menu), Voicemail Feature Code, Voicemail access Dialplan application ("skip pin check (s)" option should not be activated). Details: Voicemail

Note: By default, the ACL is enabled for the USA and Canada. To disable this behavior, change it to “Can use voicemail without pin code”

Contact center

Allow/ forbid using Contact center feature in Collaboration -> Settings -> Contact center. More information: Contact center

Trunk to trunk transferAllow/ forbid making transfers of calls received/ placed via trunk, including blind and attended transfers, and also calls from Kite
Forward to trunk

Allow/ forbid forwarding (Call Forward Busy/ No Answer/ All) of all calls to trunk received from trunk/ user extension. More information: Call features

All

Can call/ Cannot call

InternalThe description of call classes can be found in Call classes explanation Chapter
Local
National
Mobile
Emergency
Free
Premium1
Premium2
Premium3
Premium4
North America
Africa
Europe1
Europe2
South America
Oceania
Russia
Asia1
Asia2
Numbers in allowed phonebooks
International (WMS 5.0X)
All

APPENDIX 3. List of ACL admin permissions 

AbilityAccess
Can/ Cannot manage PBXAllow/ forbid managing Server and Client PBXs
Can/ Cannot manage groupAllow/ forbid managing any specific group
Can/ Cannot access menu
  • Users::Users
  • Users::Groups
  • Users::PBXes
  • Users::Phonebooks
  • Trunks::Trunks
  • Trunks::Trunk Groups
  • Trunks::Pricelists
  • Devices
  • Dialplan::Dialplan rules
  • Dialplan::Call Groups
  • Dialplan::Paging Groups
  • Dialplan::Timetables
  • Dialplan::IVR
  • Dialplan::Feature codes
  • Dialplan::General Settings
  • Settings::PBX
  • Settings::System
  • Settings::Tools and utilities::Remote support
  • Settings::Tools and utilities::Backup system
  • Settings::Tools and utilities::Upgrade
  • Settings::Tools and utilities::Generate trace
  • Diagnostics Hub (available starting from WMS 6.07.20240906.1; enabled for root admin by default)

  • Top control::Generate call

  • Top control::Sounds
  • Top control::Debug
  • Top control::Reboot/Power Off
  • x-hoppers (available starting from WMS 6.07.20240906.1; enabled by default)

Can/ Cannot
  • Add and remove users
  • Change license type (available starting from WMS 6.02.20230306.1; by default, changing license type is allowed).