ACL rules and Call classes management - Admin Guide
This Guide explains and describes what permissions and limitations for PBX users and administrators can be set to limit access to certain PBX services and features.
WMS Version: 6.0X / 7.0X
Created: July 2018
Updated: December 2025
Permalink: https://wildix.atlassian.net/wiki/x/8xrOAQ
Introduction
ACL (Access Control List) is a number of permissions and limitations for PBX users and PBX administrators.
Via ACL for PBX users it is possible to forbid certain groups of users external calls to certain call classes, limit access to certain PBX services and UC features. The full list of ACL permissions: APPENDIX 2.
Via ACL for PBX administrators it is possible to limit access to certain WMS menus and forbid certain operations related to PBX management to groups of PBX admins. The full list of ACL admin permissions: APPENDIX 3.
Note: Normally, if you don't forbid any certain access via ACL, it means the access is allowed. For example, if you don't have any ACL restriction "Cannot" - "Intrusion", it means intrusion is allowed.
Exception: There are 3 ACLs that are not permitted by default: "Can " - "Modify presence", "Can" - "Delete calls" and "Can" - "See voicemail". At first, you have to set ACL permissions for using these services.
Admin and Default ACL groups and permissions
ACL groups can be managed and created in WMS -> Users -> Groups.
By default there are two ACL groups on PBX:
Admin (no limitations, assigned to “admin” user)
Default (see Default ACL settings; assigned to new users by default)
ACL groups can be assigned to users in WMS -> Users -> select user / users -> “Group”:
All PBX users with admin permissions can:
Edit permissions of ACL groups (click Edit permissions button to manage)
“admin” user in addition can:
Create and delete ACL groups
Set up inheritance
Manage admin permissions for PBX administrators (click Edit admin permissions button to manage)
Note: ACL groups are shared via WMS Network. Detailed information about WMS Network can be found here: WMS Network.
Inheritance
Set up Inheritance: Select an ACL group: “Inherits from” (select the group)
Important: Wildix ACL groups support only single level inheritance.
Example: group B inherits from A; group C can't inherit from B because B already inherits from another ACL group A.
Note: “Cannot” rule has priority over “Can”.
Example: group B inherits from A “Can” – “Intercom”, but inside group B we add “Cannot” – “Intercom”, as a result, use of Intercom is prohibited for this group of users.
View ACL permissions
Starting from WMS 6.03.20230424.1, it is possible to view permissions of all ACL groups in a table view, all in one place. Click on the Permissions viewer button at the bottom:
The “Cannot” rule is displayed as a red minus sign, “Can” - as a green plus sign.
A yellow plus/ minus sign means that there is a group with permissions different from the default ones. Hover the mouse over the yellow sign to see the details.
Admin permissions are not included in the table.
ACL for outgoing calls – Supported countries for call classes
To forbid/ allow calls, use ACL "Can call / Cannot call".
Wildix PBX supports call classes for following countries:
Austria
Belgium
Canada
France
Germany
Italy
Luxembourg
Netherlands
Spain
Switzerland
Portugal
Ukraine
United Kingdom
USA
Call class detection for processing external calls
PBX differentiates national from foreign calls based on International Prefix in Dialplan -> General settings.
Country code in trunk settings is used for number normalization (number is not normalized if country code is empty)
Available classes for processing of calls inside configured country:
National
Mobile
Emergency
Free
Premium1
Premium2 (Germany, Austria)
Available classes for processing of calls to/ from other countries (see Call classes explanation):
North America
Africa
Europe1
Europe2
South America
Oceania
Russia
Asia1
Asia2
International (contains all mentioned call classes)
Call class for unknown countries is 0 and call will not be blocked by ACL.
Recommendations to avoid calls to illegal destinations:
(as in Default ACL settings)
First add the rule “cannot call All”
Then add a number of “can call” rules
Setting up call classes in Dialplan
“Dial the trunk” and “Trunk group” Dialplan procedures allow you to define call classes and associate them to prefixes. Consult Dialplan applications Admin Guide for detailed information.
Example: assign calls to destination numbers which start with “03” to “Mobile” call class, remove the first digit (0) from the called number and route calls via the selected trunk (test5):
In case you do not set up call classes via Dialplan procedures, PBX evaluates the call prefix and assigns the call class to it, based on the logic described in the chapter Call classes explanation.
Call classes explanation
Internal – internal calls
Local - local calls
National – recognized based on the National Prefix in Dialplan General Settings
Mobile – recognized based on the Country Code in Dialplan General Settings
Emergency – recognized based on the Country Code in Dialplan General Settings
Free – recognized based on the Country Code in Dialplan General Settings
Premium1 – recognized based on the Country Code in Dialplan General Settings
Premium2 – recognized based on the Country Code in Dialplan General Settings
Premium3 – not defined
Premium4 – not defined
North America – calls to numbers starting with 001 or +1
Africa – calls to numbers starting with 002 or +2
Europe1 – calls to numbers starting with 003 or +3
Europe2 – calls to numbers starting with 004 or +4
South America – calls to numbers starting with 005 or +5
Oceania – calls to numbers starting with 006 or +6
Russia – calls to numbers starting with 007 or +7
Asia1 – calls to numbers starting with 008 or +8
Asia2 – calls to numbers starting with 009 or +9
International - calls to Europe1-2, North and South America, Africa, Oceania, Russia, Asia1-2 numbers
Prefixes per country for call class detection:
Notes
"Modify public phonebook” and “Set Phonebook”
Difference between ALCs “Can / cannot” – Modify public phonebook” and “Can set / cannot set” “Phonebook”:
Can / cannot Modify public phonebook: user in this group cannot modify any contact from public WMS phonebook
Can set / cannot set Phonebook: user in this group can access only phonebooks located in “Selected” section in WMS -> Users (select user) -> Edit preferences -> Phonebooks
Note: at least one phonebook must be present in “Available” section (it can even be an empty phonebook).
"See voicemail"
ACLs "Can/ cannot use" - "Voicemail" and "Can / cannot - "View" - "Group" have higher priority that ACL "Can / cannot" - "See voicemail" - "Group".
If "cannot use" - "Voicemail" limitation is set, a user is not able to configure or change "Voicemail" Function Key. This user can see the already configured key, but cannot change the label or assign it to another user.
If "cannot" - "View" - "Group" limitation is set, a user is not able to see users from a specified group when configuring "Voicemail" Function Key.
APPENDIX 1. Default ACL permissions
The list of default ACL permissions of Default (users) and Admin (users with admin permissions) ACL groups:
Group | Ability and access |
|---|---|
Users |
|
PBX admins |
|
APPENDIX 2. Full list of ACL permissions
Can/ Cannot | Call - Group | Allow/ forbid calling certain groups of users |
use Virtual scanner - Group | Allow/ forbid using Virtual scanner Feature Code. More information: Virtual scanner | |
Modify presence - Group | Allow/ forbid setting user status of colleagues in Legacy Collaboration. By default, if no ACL rule is added, users are not allowed to set user status of colleagues. More information: Set user status in Collaboration | |
see full number in CDR-View | Allow/ forbid seeing full numbers in CDR-View 2.0. In case the ACL permission “see full number in CDR-View” is not allowed, the last three digits in external numbers are hidden. | |
Intercom - Group | Allow/ forbid using Intercom Feature Code. More information: Intercom | |
Intrusion - Group | Allow/ forbid call intrusion via Legacy Collaboration / Feature Code. More information: Call intrusion (barging), Intrusion Feature Code | |
Call Pickup - Group | Allow/ forbid pickup of other user's calls via Legacy Collaboration / Feature Code. More information: Call pickup and Pickup Feature Code | |
Modify public phonebooks | Allow/ forbid modifying any contact from a public WMS phonebook in Legacy Collaboration. Details: Phonebook | |
View - Group | Allow/ forbid viewing users in Colleagues roster and Recents chat in Legacy Collaboration as well as Colleagues phonebook | |
View calls of users - Group | Allow/ forbid viewing who is calling via Legacy Collaboration and VoIP phones. Details: Colleagues status information | |
Delete calls | Allow/ forbid deleting calls from History (not supported on W-AIR Handsets). By default, if no ACL rule is added, users are not allowed to delete calls. More information: Calls / faxes history | |
Share status via Kite | Allow/ forbid sharing user's status via Kite (no user status is shown when contacting user by Kite link) | |
Share status message via Kite | Allow/ forbid sharing user's status message via Kite (no status message is shown when contacting user by Kite link) | |
Share geolocation via Kite | Allow/ forbid geolocation sharing via Kite. More information: Limit access to Kite service | |
View geolocation via Collaboration - Group | Allow/ forbid viewing geolocation of users in Legacy Collaboration, iOS/ Android apps. More information: Geolocation | |
Manage the callcenter | Allow/ forbid performing actions on call groups’ members: put a user on hold, add users to call groups via call groups plugin and Call group management Feature Code (if forbidden, a user can perform the actions only on himself (add himself to a call group, put himself on pause in a call group) More information: WebAPI basic features and Call group management Feature code | |
Be looked up via dial by name | Allow/ forbid user to be looked up via dial by name feature (including ASR). The feature can be called via "Dial by name/ Directory" Dialplan application or Directory Feature Code via Legacy Collaboration, VoIP phones/ Vision (EOL)/ SuperVision (EOL), W-AIR handsets, iOS/ Android apps. More information: Directory and Dial by name/ Directory | |
See extensions | Allow/ forbid downloading Legacy Collaboration Extensions. More information: Legacy Collaboration User Guide | |
See voicemail | Allow/ forbid using shared voicemail feature on WP480G/WP490G 2017, WorkForce, WelcomeConsole, WorkForce 5, ForcePro 5, WelcomeConsole 5, SuperVision 5. More information: Shared voicemail feature | |
Disable two factor authentication | Allow/ forbid disabling Two-factor authentication in Legacy Collaboration. Details: Two-factor authentication | |
Enable video call | Allow/ forbid user to start or enable video calls in Legacy Collaboration. Details: Video call | |
See call recordings | Allow/ forbid users to access call recordings. This ACL works for call recordings started via Legacy Collaboration, Feature code, and Dialplan and hides call recordings in Legacy Collaboration -> History. The ACL also allows/ forbids access to Real-time transcriptions in x-bees and Collaboration 7, and to x-bees Sales Intelligence. Limitations:
More information: Legacy Collaboration User Guide: Record a call, Dialplan applications - Admin Guide: Record a call, Feature Codes Guide, Sales Intelligence in x-bees, How to use real-time transcription of calls and conferences. | |
Create conferences | Allow/ forbid creating chat/ video conferences in Legacy Collaboration. More information: Multiuser chat conference and /wiki/spaces/DOC/pages/30280852 | |
See analytics | Allows to choose data of which groups should be visible in Analytics (CDR-View 2.0) reports in Legacy Collaboration, x-bees and Collaboration 7, as well as gives access to Real-time transcriptions in x-bees and Collaboration 7 and to x-bees Sales Intelligence. More information: How to use Cloud Analytics (CDR-View 2.0), x-bees Analytics, Sales Intelligence in x-bees, How to use real-time transcription of calls and conferences. Note: The support starts from WMS 6.03.20230630.3. | |
Can set/ Cannot set | Status (DND/Away) | Allow/ forbid setting DND/ Away status via Status Feature Code (can be dialed from any Wildix device) and VoIP phones (not supported in WP600AXX/ iOS/ Android apps). More information: Status (DND/Away) Feature Code and WP4X0 Call Features |
Call Forward Busy | Allow/ forbid setting call forwarding if user is busy (not supported on Vision (EOL)/ SuperVision (EOL)) using Feature Code. Consult Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide | |
Call Forward No Answer | Allow/ forbid setting call forwarding if user doesn't answer (not supported on Vision (EOL)/ SuperVision (EOL)) using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide | |
Call Forward All | Allow/ forbid setting forwarding of all calls (not supported on Vision (EOL)/ SuperVision (EOL)) using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide | |
Call waiting | Allow/ forbid receiving more than one call at a time (not supported on Vision (EOL)/ SuperVision (EOL)) using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Call waiting Feature Code | |
Mobility extension management | Allow/ forbid call forwarding to the mobile number (not supported on Vision (EOL)/ SuperVision (EOL)) using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Mobility extension management | |
Call timeout | Allow/ forbid setting call timeout after which an incoming call will be terminated via Legacy Collaboration or Feature Code. More information: Call features and Call timeout | |
Telephone blocked | Allow/ forbid using Telephone blocked Feature Code. More information: Telephone blocked | |
Ring only active device | Allow/ forbid activating only the active device ring via Legacy Collaboration or Feature Code. More information: Personal settings and Ring only active device Feature Code | |
Mobility confirmation | Allow/ forbid a user to be notified on who the caller is when he receives a call on mobility extension number via Legacy Collaboration or Feature Code. More information: Call features and Mobility confirmation | |
Function keys | Allow/ forbid configuring Function keys in Legacy Collaboration -> Settings -> Function keys. The access to already configured Function keys is saved. More information: Function keys | |
Timetable | Allow/ forbid configuring Timetable Function key in Legacy Collaboration and changing its status via Feature Code (Timetables and switches are created in WMS). Details: Timetable Feature Code | |
3 state switch | Allow/ forbid configuring 3 state switch Function key in Legacy Collaboration and changing its status via Feature Code. Details: 3 State Switch Feature Code | |
Switch | Allow/ forbid configuring Switch Function key in Legacy Collaboration and changing its status via Feature Code. More information: Switch Feature Code | |
Phonebooks | Allow/ forbid access to selected phonebooks (if forbidden, a user can access only phonebooks located in “Selected” section in WMS - > Users (select user) -> Edit preferences -> Settings -> Phonebooks) | |
Personal Information | Allow/ forbid changing personal information in Legacy Collaboration and Android/ iOS app (not supported on VoIP phones/ Vision (EOL)/ SuperVision (EOL), W-AIR Handsets). Details: Personal information | |
Advanced status | Allow/ forbid access to advanced user status menu, including status message, until option, editing picture and setting location and Chat/ Presence menu, including custom statuses in Legacy Collaboration. More information: Status message and Chat/ Presence | |
Fax Server Settings | Allow/ forbid changing Fax Server Settings in Legacy Collaboration -> Settings -> Fax Server Settings. More information: Fax Server | |
Notify missed calls via email | Allow/ forbid receiving missed calls notifications via email in Legacy Collaboration -> Settings -> Features. More information: Call features | |
Notify missed calls via SMS | Allow/ forbid receiving missed calls notifications via SMS in Legacy Collaboration -> Settings -> Features. More information: Call features | |
Custom Ring | Allow/ forbid selecting the ringtone for VoIP phones and Legacy Collaboration in Legacy Collaboration -> Settings -> Features. More information: Call features | |
Predefined Advanced settings on Mobile | Allow/ forbid mobile users to change the Advanced settings in Collaboration app on mobile (currently, only Android is supported). More information: Custom config parameters List Note: The support starts from WMS 6.04.20230724.1. | |
All |
| |
Can use/ Cannot use | Collaboration | Allow/ forbid access to Legacy Collaboration (if forbidden, users have access only to the basic CTI interface, including calls, sending SMS/ fax, changing personal user status, without full access to Collaboration (no access to Colleagues, Function keys, Map view, Messaging menu) |
Attendant Console | Allow/ forbid access to Attendant Console in Legacy Collaboration. More information: Attendant Console | |
History | Allow/ forbid access to Calls/ faxes History (not supported on W-AIR Handsets). More information: Calls / faxes history | |
x-caracal | Allow/ forbid access to x-caracal. By default, access to x-caracal is forbidden. More information: x-caracal documentation Note: The support starts from WMS 6.03.20230630.3. | |