ACL rules and Call classes management - Admin Guide

This Guide explains and describes what permissions and limitations for PBX users and administrators can be set to limit access to certain PBX services and features.

WMS Version: 5.0X / 6.0X

Updated: July 2023

Permalink: https://wildix.atlassian.net/wiki/x/8xrOAQ

Introduction

ACL (Access Control List) is a number of permissions and limitations for PBX users and PBX administrators.

Via ACL for PBX users it is possible to forbid certain groups of users external calls to certain call classes, limit access to certain PBX services and UC features. The full list of ACL permissions: APPENDIX 2.

Via ACL for PBX administrators it is possible to limit access to certain WMS menus and forbid certain operations related to PBX management to groups of PBX admins. The full list of ACL admin permissions: APPENDIX 3.

Note: Normally, if you don't forbid any certain access via ACL, it means the access is allowed. For example, if you don't have any ACL restriction "Cannot" - "Intrusion", it means intrusion is allowed.

Exception: There are 3 ACLs that are not permitted by default: "Can " - "Modify presence", "Can" - "Delete calls" and "Can" - "See voicemail". At first, you have to set ACL permissions for using these services.

Admin and Default ACL groups and permissions

ACL groups can be managed and created in WMS -> Users -> Groups.

By default there are two ACL groups on PBX:

Admin (no limitations, assigned to “admin” user)
Default (see Default ACL settings; assigned to new users by default)

ACL groups can be assigned to users in WMS -> Users -> select user / users -> “Group”:

All PBX users with admin permissions can:

Edit permissions of ACL groups (click Edit permissions button to manage)

“admin” user in addition can:

Create and delete ACL groups
Set up inheritance
Manage admin permissions for PBX administrators (click Edit admin permissions button to manage)

Note: ACL groups are shared via WMS Network. Detailed information about WMS Network can be found here: WMS Network.

Inheritance

Set up Inheritance: Select an ACL group: “Inherits from” (select the group)

Important: Wildix ACL groups support only single level inheritance.

Example: group B inherits from A; group C can't inherit from B because B already inherits from another ACL group A.

Note: “Cannot” rule has priority over “Can”.

Example: group B inherits from A “Can” – “Intercom”, but inside group B we add “Cannot” – “Intercom”, as a result, use of Intercom is prohibited for this group of users.

View ACL permissions

Starting from WMS Beta 6.03.20230424.1, it is possible to view permissions of all ACL groups in a table view, all in one place. Click on the Permissions viewer button at the bottom:

The “Cannot” rule is displayed as a red minus sign, “Can” - as a green plus sign.
A yellow plus/ minus sign means that there is a group with permissions different from the default ones. Hover the mouse over the yellow sign to see the details.
Admin permissions are not included in the table.

ACL for outgoing calls – Supported countries for call classes

To forbid/ allow calls, use ACL "Can call / Cannot call".

Wildix PBX supports call classes for following countries:

Austria
Belgium
Canada
France
Germany
Italy
Luxembourg
Netherlands
Spain
Switzerland
Portugal
Ukraine
United Kingdom
USA

Call class detection for processing external calls

PBX differentiates national from foreign calls based on International Prefix in Dialplan -> General settings.

Country code in trunk settings is used for number normalization (number is not normalized if country code is empty)

Available classes for processing of calls inside configured country:

National
Mobile
Emergency
Free
Premium1
Premium2 (Germany, Austria)

Available classes for processing of calls to/ from other countries (see Call classes explanation):

North America
Africa
Europe1
Europe2
South America
Oceania
Russia
Asia1
Asia2
International (WMS 5.0X, contains all mentioned call classes)

Call class for unknown countries is 0 and call will not be blocked by ACL.

Recommendations to avoid calls to illegal destinations:

(as in Default ACL settings)

First add the rule “cannot call All”
Then add a number of “can call” rules

Setting up call classes in Dialplan

“Dial the trunk” and “Trunk group” Dialplan procedures allow you to define call classes and associate them to prefixes. Consult Dialplan applications Admin Guide for detailed information.

Example: assign calls to destination numbers which start with “03” to “Mobile” call class, remove the first digit (0) from the called number and route calls via the selected trunk (test5):

In case you do not set up call classes via Dialplan procedures, PBX evaluates the call prefix and assigns the call class to it, based on the logic described in the chapter Call classes explanation.

Call classes explanation

Internal – internal calls
Local - local calls
National – recognized based on the National Prefix in Dialplan General Settings
Mobile – recognized based on the Country Code in Dialplan General Settings
Emergency – recognized based on the Country Code in Dialplan General Settings
Free – recognized based on the Country Code in Dialplan General Settings
Premium1 – recognized based on the Country Code in Dialplan General Settings
Premium2 – recognized based on the Country Code in Dialplan General Settings
Premium3 – not defined
Premium4 – not defined
North America – calls to numbers starting with 001 or +1
Africa – calls to numbers starting with 002 or +2
Europe1 – calls to numbers starting with 003 or +3
Europe2 – calls to numbers starting with 004 or +4
South America – calls to numbers starting with 005 or +5
Oceania – calls to numbers starting with 006 or +6
Russia – calls to numbers starting with 007 or +7
Asia1 – calls to numbers starting with 008 or +8
Asia2 – calls to numbers starting with 009 or +9
International - calls to Europe1-2, North and South America, Africa, Oceania, Russia, Asia1-2 numbers

Prefixes per country for call class detection:

Notes

"Modify public phonebook” and “Set Phonebook”

Difference between ALCs “Can / cannot” – Modify public phonebook” and “Can set / cannot set” “Phonebook”:

Can / cannot Modify public phonebook: user in this group cannot modify any contact from public WMS phonebook
Can set / cannot set Phonebook: user in this group can access only phonebooks located in “Selected” section in WMS -> Users (select user) -> Edit preferences -> Phonebooks

Note: at least one phonebook must be present in “Available” section (it can even be an empty phonebook).

"See voicemail"

ACLs "Can/ cannot use" - "Voicemail" and "Can / cannot - "View" - "Group" have higher priority that ACL "Can / cannot" - "See voicemail" - "Group".

If "cannot use" - "Voicemail" limitation is set, a user is not able to configure or change "Voicemail" Function Key. This user can see the already configured key, but cannot change the label or assign it to another user.

If "cannot" - "View" - "Group" limitation is set, a user is not able to see users from a specified group when configuring "Voicemail" Function Key.

APPENDIX 1. Default ACL permissions

The list of default ACL permissions of Default (users) and Admin (users with admin permissions) ACL groups:

Group

Ability and access

Users

cannot Intrusion Everybody
cannot Intercom Everybody
cannot Manage the callcenter
cannot use CDR-view
cannot see Voicemail Everybody
cannot use Shared Recording
cannot use Personal Recording
cannot call All
can call Local
can call National
can call Mobile
can call Emergency
can call Europe1
can call Europe2
cannot Modify Public Phonebook
cannot Delete calls
cannot Modify presence Everybody
cannot Create Conferences

PBX admins

cannot manage PBX All
can manage PBX <current_PBX>
cannot manage group Everybody
cannot Add and remove users
cannot access menu All
can access menu Users :: Phonebook
can access menu Dialplan :: Call Groups
can access menu Dialplan :: Timetables
can access menu Dialplan :: IVR
can access menu Settings :: Tools and utilities :: Backup system

APPENDIX 2. Full list of ACL permissions

Can/ Cannot	Call - Group	Allow/ forbid calling certain groups of users
	use Virtual scanner - Group	Allow/ forbid using Virtual scanner Feature Code. More information: Virtual scanner
	Modify presence - Group	Allow/ forbid setting user status of colleagues in Collaboration. By default, if no ACL rule is added, users are not allowed to set user status of colleagues. More information: Set user status in Collaboration
	see full number in CDR-View	Allow/ forbid seeing full numbers in CDR-View in Collaboration. You can decide how many digits to hide in Call and chat history menu of WMS
	Intercom - Group	Allow/ forbid using Intercom Feature Code. More information: Intercom
	Intrusion - Group	Allow/ forbid call intrusion via Collaboration / Feature Code. More information: Call intrusion (barging), Intrusion Feature Code
	Call Pickup - Group	Allow/ forbid pickup of other user's calls via Collaboration / Feature Code. More information: Call pickup and Pickup Feature Code
	Modify public phonebooks	Allow/ forbid modifying any contact from a public WMS phonebook in Collaboration. Details: Phonebook
	View - Group	Allow/ forbid viewing users in Colleagues roster and Recents chat in Collaboration as well as Colleagues phonebook
	View calls of users - Group	Allow/ forbid viewing who is calling via Collaboration and VoIP phones. Details: Colleagues status information
	Delete calls	Allow/ forbid deleting calls from History (not supported on W-AIR Handsets). By default, if no ACL rule is added, users are not allowed to delete calls. More information: Calls / faxes history
	Share status via Kite	Allow/ forbid sharing user's status via Kite (no user status is shown when contacting user by Kite link)
	Share status message via Kite	Allow/ forbid sharing user's status message via Kite (no status message is shown when contacting user by Kite link)
	Share geolocation via Kite	Allow/ forbid geolocation sharing via Kite. More information: Limit access to Kite service
	View geolocation via Collaboration - Group	Allow/ forbid viewing geolocation of users in Collaboration, iOS/ Android apps. More information: Geolocation
	Manage the callcenter	Allow/ forbid performing actions on call groups’ members: put a user on hold, add users to call groups via call groups plugin and Call group management Feature Code (if forbidden, a user can perform the actions only on himself (add himself to a call group, put himself on pause in a call group) More information: WebAPI basic features and Call group management Feature code
	Be looked up via dial by name	Allow/ forbid user to be looked up via dial by name feature (including ASR). The feature can be called via "Dial by name/ Directory" Dialplan application or Directory Feature Code via Collaboration, VoIP phones, WP600AXX/ Vision/ SuperVision, W-AIR handsets, iOS/ Android apps. More information: Directory and Dial by name/ Directory
	See extensions	Allow/ forbid downloading Collaboration Extensions. More information: /wiki/spaces/DOC/pages/30285992
	See voicemail	Allow/ forbid using shared voicemail feature on WP480G/WP490G 2017, WorkForce, WelcomeConsole. More information: Shared voicemail feature
	Disable two factor authentication	Allow/ forbid disabling Two-factor authentication in Collaboration. Details: Two-factor authentication
	Enable video call	Allow/ forbid user to start or enable video calls in Collaboration. Details: Video call
	See call recordings (starting from WMS 5.03)	Allow/ forbid users to access call recordings. This ACL works for call recordings started via Collaboration, Feature code, and Dialplan and hides call recordings both in Collaboration -> History and CDR-View. Limitations: If call recordings are initiated via Dialplan application Record call and there is email/ user extension specified for sending the recordings, the specified user will still get them to their mailbox Call recordings, which already existed in CDR-View, will not be hidden after applying the ACL “cannot - See call recordings”. As a workaround, you can rebase the local CDR-View database to restrict user access to old call records More information: Collaboration User Guide: Record a call, Dialplan applications - Admin Guide: Record a call, Feature Codes Guide
	Create conferences	Allow/ forbid creating chat/ video conferences in Collaboration. More information: Multiuser chat conference and /wiki/spaces/DOC/pages/30280852
	See analytics	Allows to choose data of which groups should be visible in Analytics (CDR-View 2.0) reports in Collaboration. More information: /wiki/spaces/DOC/pages/156368899. Note: The support starts from WMS 6.03.20230630.3.
Can set/ Cannot set	Status (DND/Away)	Allow/ forbid setting DND/ Away status via Status Feature Code (can be dialed from any Wildix device) and VoIP phones (not supported in Collaboration, WP600AXX/ Vision/ SuperVision, iOS/ Android apps). More information: Status (DND/Away) Feature Code and WP4X0 Call Features
	Call Forward Busy	Allow/ forbid setting call forwarding if user is busy (not supported on WP600AXX/ Vision/ SuperVision)/ using Feature Code. Consult Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide
	Call Forward No Answer	Allow/ forbid setting call forwarding if user doesn't answer (not supported on WP600AXX/ Vision/ SuperVision)/ using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide
	Call Forward All	Allow/ forbid setting forwarding of all calls (not supported on WP600AXX/ Vision/ SuperVision)/ using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide
	Call waiting	Allow/ forbid receiving more than one call at a time (not supported on WP600AXX/ Vision/ SuperVision) / using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Call waiting Feature Code
	Mobility extension management	Allow/ forbid call forwarding to the mobile number (not supported on WP600AXX/ Vision/ SupeerVision)/ using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Mobility extension management
	Call timeout	Allow/ forbid setting call timeout after which an incoming call will be terminated via Collaboration or Feature Code. More information: Call features and Call timeout
	Telephone blocked	Allow/ forbid using Telephone blocked Feature Code. More information: Telephone blocked
	Ring only active device	Allow/ forbid activating only the active device ring via Collaboration or Feature Code. More information: Personal settings and Ring only active device Feature Code
	Mobility confirmation	Allow/ forbid a user to be notified on who the caller is when he receives a call on mobility extension number via Collaboration or Feature Code. More information: Call features and Mobility confirmation
	Function keys	Allow/ forbid configuring Function keys in Collaboration -> Settings -> Function keys. The access to already configured Function keys is saved. More information: Function keys
	Timetable	Allow/ forbid configuring Timetable Function key in Collaboration and changing its status via Feature Code (Timetables and switches are created in WMS). Details: Timetable Feature Code
	3 state switch	Allow/ forbid configuring 3 state switch Function key in Collaboration and changing its status via Feature Code. Details: 3 State Switch Feature Code
	Switch	Allow/ forbid configuring Switch Function key in Collaboration and changing its status via Feature Code. More information: Switch Feature Code
	Phonebooks	Allow/ forbid access to selected phonebooks (if forbidden, a user can access only phonebooks located in “Selected” section in WMS - > Users (select user) -> Edit preferences -> Settings -> Phonebooks)
	Personal Information	Allow/ forbid changing personal information in Collaboration and Android/ iOS app (not supported on VoIP phones, WP600AXX / Vision/ SuperVision, W-AIR Handsets). Details: Personal information
	Advanced status	Allow/ forbid access to advanced user status menu, including status message, until option, editing picture and setting location and Chat/ Presence menu, including custom statuses in Collaboration. More information: Status message and Chat/ Presence
	Fax Server Settings	Allow/ forbid changing Fax Server Settings in Collaboration -> Settings -> Fax Server Settings. More information: Fax Server
	Notify missed calls via email (WMS 5.0X)	Allow/ forbid receiving missed calls notifications via email in Collaboration -> Settings -> Features. More information: Call features
	Notify missed calls via SMS (WMS 5.0X)	Allow/ forbid receiving missed calls notifications via SMS in Collaboration -> Settings -> Features. More information: Call features
	Custom Ring (WMS 5.0X)	Allow/ forbid selecting the ringtone for VoIP phones and Collaboration in Collaboration -> Settings -> Features. More information: Call features
	Predefined Advanced settings on Mobile	Allow/ forbid mobile users to change the Advanced settings in Collaboration app on mobile (currently, only Android is supported). More information: Custom config parameters List Note: The support starts from WMS 6.04.20230724.1.
	All
Can use/ Cannot use	Collaboration	Allow/ forbid access to Collaboration (if forbidden, users have access only to the basic CTI interface, including calls, sending SMS/ fax, changing personal user status, without full access to Collaboration (no access to Colleagues, Function keys, Map view, Messaging menu)
	Attendant Console	Allow/ forbid access to Attendant Console in Collaboration. More information: Attendant Console
	History	Allow/ forbid access to Calls/ faxes History (not supported on W-AIR Handsets). More information: Calls / faxes history
	x-caracal	Allow/ forbid access to x-caracal. By default, access to x-caracal is forbidden. More information: x-caracal documentation Note: The support starts from WMS 6.03.20230630.3.
	Analytics	Allow/ forbid to use Analytics (CDR-View 2.0) in Collaboration. When allowed, the Analytics button is displayed in Collaboration. More information: /wiki/spaces/DOC/pages/156368899. Note: The support starts from WMS 6.03.20230630.3.
	CDR-View	Allow/ forbid access to CDR-View in Collaboration. Detailed information: CDR-View Guide
	Speed dial	Allow/ forbid call phonebook short numbers using Speed dial Feature Code. More information: Speed dial Feature Code
	Shared Recording	Allow/ forbid using Shared record Feature Code. More information: Shared record Feature Code
	Personal Recording	Allow/ forbid access to personal recording in Collaboration and using Personal Recording Feature Code and Incall code *1 as well as Attendant Console. More information: Feature Codes Guide and Record a call
	SMS	Allow/ forbid sending SMS via Collaboration. More information: SMS
	Fax	Allow/ forbid sending faxes via Collaboration. More information: Fax
	Paging	Allow/ forbid using Paging Feature Code to send a broadcast to a group of users. More information: Paging
	Pre answer services	Allow/ forbid access to pre answer services (the voice prompt doesn't announce "press * for options"), including Voicemail, Intrusion, Intercom and Call completion, but the voice prompt announces user status: on the phone, busy, unavailable, no answer
	Pre answer services & messages	Allow/ forbid access to pre answer services when user status is not announced at all. More information: Pre answer services
	Phone settings menu	Allow/ forbid access to VoIP phone settings. More information: Phone settings
	Advanced phone settings menu	Allow/ forbid access only to advanced phone settings "Network" and "Autoprovision" on VoIP phones. More information: Phone settings
	Web phone	Allow/ forbid availability of web phone in Collaboration (if forbidden, web phone is not available in the list of devices in Collaboration and user cannot use Collaboration to place / receive calls via Web phone)
	Voicemail	Allow/ forbid access to Voicemail and using Voicemail Feature Code. More information: Voicemails
	Voicemail without pin code (WMS 5.0X)	Allow/ forbid PIN protection for Voicemail via XML (via the phone menu), Voicemail Feature Code, Voicemail access Dialplan application ("skip pin check (s)" option should not be activated). Details: Voicemail Note: By default, the ACL is enabled for the USA and Canada. To disable this behavior, change it to “Can use voicemail without pin code”
	Contact center	Allow/ forbid using Contact center feature in Collaboration -> Settings -> Contact center. More information: Contact center
	Trunk to trunk transfer	Allow/ forbid making transfers of calls received/ placed via trunk, including blind and attended transfers, and also calls from Kite
	Forward to trunk	Allow/ forbid forwarding (Call Forward Busy/ No Answer/ All) of all calls to trunk received from trunk/ user extension. More information: Call features
	All
Can call/ Cannot call	Internal	The description of call classes can be found in Call classes explanation Chapter
	Local
	National
	Mobile
	Emergency
	Free
	Premium1
	Premium2
	Premium3
	Premium4
	North America
	Africa
	Europe1
	Europe2
	South America
	Oceania
	Russia
	Asia1
	Asia2
	Numbers in allowed phonebooks
	International (WMS 5.0X)
	All

APPENDIX 3. List of ACL admin permissions

Ability	Access
Can/ Cannot manage PBX	Allow/ forbid managing Server and Client PBXs
Can/ Cannot manage group	Allow/ forbid managing any specific group
Can/ Cannot access menu	Users::Users Users::Groups Users::PBXes Users::Phonebooks Trunks::Trunks Trunks::Trunk Groups Trunks::Pricelists Devices Dialplan::Dialplan rules Dialplan::Call Groups Dialplan::Paging Groups Dialplan::Timetables Dialplan::IVR Dialplan::Feature codes Dialplan::General Settings Settings::PBX Settings::System Settings::Tools and utilities::Remote support Settings::Tools and utilities::Backup system Settings::Tools and utilities::Upgrade Settings::Tools and utilities::Generate trace Top control::Generate call Top control::Sounds Top control::Debug Top control::Reboot/Halt
Can/ Cannot	Add and remove users Change license type Note: The ACL rule Change license type is available starting from WMS 6.02.20230306.1. By default, changing license type is allowed.