This document describes version 6 of Unblu. If you’re using the latest major version of Unblu, go to the documentation of the latest version. The support period for version 6 ended on 29 August 2023. We no longer provide support or updates for this version. You should upgrade to the latest version of Unblu. |
Externally managed users and teams
Unblu allows you to synchronize users and teams with an external directory service such as OpenLDAP via LDAP or using the Unblu Web API. Using this feature will affect how you manage users and teams within Unblu.
Introduction
The Agent Desk and Account Configuration interface provide various means to add, modify, and remove users and teams from Unblu. If you are synchronizing user and/or team details with an external directory service or some other "source of truth", your account’s users and/or teams are considered externally managed entities.
This article describes how you can control which changes to externally managed entities are possible within Unblu. It does not discuss how to configure Unblu to synchronize user data with a directory service. Please refer to the article User management synchronization tool for information on the topic.
External entity management configuration was introduced in Unblu 6.25.2. |
Externally vs internally managed entities
Each user and each team has an attribute that specifies whether they are managed internally (that is, within Unblu) or externally. In the Account Configuration interface, the attribute appears as a toggle at the top of the entity’s General tab if you are in override mode and as simple text otherwise.
The team Call center in the picture below is managed internally:
If the team were managed externally, the toggle would look like in the following picture:
In JSON — when used with the Web API or the utransfer
tool, for example --, the corresponding attribute is called externallyManaged
.
-
If the attribute is
false
, the entity is internally managed. -
If the attribute is
true
, the entity is externally managed.
The JSON code below contains the attributes of the same team, Call center, as the picture above. The team is internally managed, so its attribute externallyManaged
is false
:
externallyManaged
is false
{
"$_type": "TeamResult",
"hasMoreItems": false,
"nextOffset": null,
"items": [
{
"$_type": "Team",
"id": "IqW1UbAOQhuI3qzGt8Eg8A",
"creationTimestamp": 1607695711635,
"modificationTimestamp": 1607695711635,
"version": 1,
"accountId": "wZvcAnbBSpOps9oteH-Oxw",
"avatar": null,
"name": "Call center",
"parentId": "JZh4ADRnEeasYZ5xEoyudw",
"description": "Team for 'Call center'",
"externallyManaged": false,
"configuration": null,
"metadata": null
}
]
}
Configuration
Superadmins can specify whether entities can be managed internally with the following configuration properties:
If a property above is true
, it is possible to manage that entity (user or team, respectively) in Unblu. This affects user management both in the Account Configuration interface and via the Web API.
-
In the Account Configuration interface, you can:
-
Create new entities. The new entity’s attribute
externallyManaged
is automatically set tofalse
. -
Update and delete existing entities whose attribute
externallyManaged
isfalse
.Conversely, this means that you cannot update or delete entities whose
externallyManaged
attribute istrue
.
-
-
With the Web API, you can:
-
Create new entities. When you do so, the entity’s attribute
externallyManaged
may betrue
orfalse
. -
Update and delete existing entities irrespective of the value of their
externallyManaged
attribute.
-
If a property above is false
, it is not possible to manage that entity (user or team) in Unblu. This means that:
-
You cannot create new entities with the
externallyManaged
attribute set tofalse
. -
You cannot update or delete existing entities whose
externallyManaged
attribute isfalse
. -
Using the Web API, you can create, update, and delete entities whose
externallyManaged
attribute istrue
.
Scope of external entity management
The configuration properties mentioned in the previous section do not affect every aspect of user and team management:
-
It is always possible to edit teams' and users' configuration and text properties.
-
The minimum role required to create, update, and delete entities remains the same as before.
-
Reading entities is not affected in any way.
Updating entities via the Web API
You will not be able to update an entity’s configuration properties, text properties, or metadata if all of the following conditions are met:
-
The entity’s
externallyManaged
attribute isfalse
. -
It is not possible to manage the entity internally, i.e. the relevant configuration property
internal<ENTITY>ManagementEnabled
isfalse
. -
The authorization of the Web API call is carried out with a user who is not in override mode (described in the section below).
Overriding the external entity management configuration
There may be circumstances where you want the ability to make changes to entities in the Account Configuration interface even though the entities are externally managed. To this end, you can authorize specific roles to override external entity management. The configuration properties to do so are:
By default, all roles are allowed to override the external entity management settings. This is intended to ensure backwards compatibility.
The example below shows what this looks like in the Global Server Configuration interface:
If a user’s highest role is listed in an entity’s override setting, that user is said to be in override mode. Users in override mode can:
-
Set the value of an entity’s
externallyManaged
attribute in the Account Configuration interface or Agent Desk. -
Change the value of an entity’s
externallyManaged
attribute in an update. -
Create new entities, and update or delete existing ones, even if the relevant configuration property that enables internal entity management — com.unblu.storage.management.internalTeamManagementEnabled and com.unblu.storage.management.internalUserManagementEnabled for teams and users, respectively — is
false
.
How overriding external entity management configuration works: an example
Normally, roles higher up in the role hierarchy can perform any actions that a role further down in the hierarchy can perform. The way overriding external entity management settings works runs counter to this general rule.
Consider the following configuration:
com.unblu.storage.management.internalTeamManagementEnabled=false
com.unblu.permission.roleAllowed.overrideTeamManagement=ADMIN,SUPERVISOR
With this configuration, admins and supervisors are in override mode:
-
Admins and supervisors are both able to update teams in the Account Configuration interface, regardless of the teams'
externallyManaged
attribute.The changes they can make include changing the entity’s
externallyManaged
attribute. -
Admins may create with
externallyManaged
set tofalse
.Since the supervisor role does not have the authority to create new teams, it cannot do so in override mode, either.
-
Admins may also delete teams regardless of the the teams'
externallyManaged
attribute.
For technical admins and superadmins, on the other hand, the restrictions of the configuration property com.unblu.storage.management.internalTeamManagementEnabled apply in full, even though their roles figure higher up in the Unblu role hierarchy.
Importing entities with utransfer
and at server startup
Since utransfer
uses the Web API to transfer entities between Unblu accounts, the same restrictions apply to entities when using utransfer
as when using the Web API:
-
externallyManaged
attributes may be set directly in the JSON transferred. -
If no value is provided, the attribute is set to
false
.
We recommend using utransfer
with a user in override mode to ensure that the update does not fail.
If the JSON used for importing entities at startup contains definitions for teams and/or users, we recommend that you grant the SUPER_ADMIN
role the possibility to override external entity management for the entities in questions.