of 3

Documentation

Unblu 6 (latest)

Unblu allows you to synchronize users and teams with an external directory service such as OpenLDAP via LDAP or using the Unblu Web API. Using this feature will affect how you manage users and teams within Unblu.

Introduction

The Agent Desk and Account Configuration interface provide various means to add, modify, and remove users and teams from Unblu. If you are synchronizing user and/or team details with an external directory service or some other "source of truth", your account’s users and/or teams are considered externally managed entities.

This article describes how you can control which changes to externally managed entities are possible within Unblu. It does not discuss how to configure Unblu to synchronize user data with a directory service. Please refer to the article User management synchronization tool for information on the topic.

External entitiy management configuration was introduced in Unblu 6.25.2.

Externally vs internally managed entities

Each user and each team has an attribute that specifies whether they are managed internally (that is, within Unblu) or externally. In the Account Configuration interface, the attribute appears as a toggle at the top of the entity’s General tab if you are in override mode and as simple text otherwise.

The team Call center in the picture below is managed internally:

An internally managed team in the Account Configuration interface
Figure 1. An internally managed team in the Account Configuration interface; note the toggle at the top of the General tab

If the team were managed externally, the toggle would look like in the picture below:

Toggle of an externally managed entity
Figure 2. The toggle of an externally managed entity

In JSON — when used with the Web API or the utransfer tool, for example --, the corresponding attribute is called externallyManaged.

  • If the attribute is false, the entity is internally managed.

  • If the attribute is true, the entity is externally managed.

The JSON code below contains the attributes of the same team, Call center, as the picture above. The team is internally managed, so its attribute externallyManaged is false:

Listing 1. JSON representation of an internally managed entity. The attribute externallyManaged is false
{
  "$_type": "TeamResult",
  "hasMoreItems": false,
  "nextOffset": null,
  "items": [
    {
      "$_type": "Team",
      "id": "IqW1UbAOQhuI3qzGt8Eg8A",
      "creationTimestamp": 1607695711635,
      "modificationTimestamp": 1607695711635,
      "version": 1,
      "accountId": "wZvcAnbBSpOps9oteH-Oxw",
      "avatar": null,
      "name": "Call center",
      "parentId": "JZh4ADRnEeasYZ5xEoyudw",
      "description": "Team for 'Call center'",
      "externallyManaged": false,
      "configuration": null,
      "metadata": null
    }
  ]
}

If you do not provide a value for externallyManaged, its value is set to false. The externallyManaged attribute is always true for entities created or updated via LDAP and `WEBUSER`s created with JWT.

Configuration

Superadmins can specify whether entities can be managed internally with the following configuration properties:

If a property above is true, it is possible to manage that entity (user or team, respectively) in Unblu. This affects user management both in the Account configuration interface and via the Web API.

  1. In the Account Configuration interface, you can:

    • Create new entities. The new entity’s attribute externallyManaged is automatically set to false.

    • Update and delete existing entities whose attribute externallyManaged is false.

      Conversely, this means that you cannot update or delete entities whose externallyManaged attribute is true.

  2. With the Web API, you can:

    • Create new entities. When you do so, the entity’s attribute externallyManaged may be true or false.

    • Update and delete existing entities irrespective of the value of their externallyManaged attribute.

If a property above is false, it is not possible to manage that entity (user or team) in Unblu. This means that:

  • You cannot, create new entities with the externallyManaged attribute set to false.

  • You cannot, update or delete existing entities whose externallyManaged attribute is false.

  • Using the Web API, you can create, update, and delete entities whose externallyManaged attribute is true.

Scope of external entity management

The configuration properties do not affect every aspect of user and team management:

  • It is always possible to edit teams' and users' configuration and text properties.

  • The minimum role required to create, update, and delete entities remains the same as before.

  • Reading entities is not affected in any way.

Updating entities via the Web API

You will not be able to update an entity’s configuration properties, text properties, or metadata if all of the following conditions are met:

  • The entity’s externallyManaged attribute is false.

  • It is not possible to manage the entity internally, i.e. the relevant configuration property internal<ENTITY>ManagementEnabled is false.

  • The authorization of the Web API call is carried out with a user who is not in override mode.

Overriding the external entity management configuration

There may be circumstances where you want the ability to make changes to entities in the Account Configuration interface even though the are externally managed. To this end, you can authorize specific roles to override the external entity management. The configuration properties are:

By default, all roles are allowed to override the external entity management settings; this is intended to ensure backwards compatibility. The example below shows what this looks like in the Global Server Configuration interface:

Default setting to override the external team management configuration
Figure 3. The default setting to override the external team management setting

If a user’s highest role is listed in an entity’s override setting, that user is said to be in override mode. Users in override mode can:

How overriding external entity management configuration works: an example

Normally, roles higher up in the role hierarchy can perform any actions that a role further down in the hierarchy can perform. The way overriding external entity management settings works runs counter to this general rule.

Consider the following configuration:

Listing 2. An example configuration where admins and supervisors can override the settings of externally managed teams
com.unblu.storage.management.internalTeamManagementEnabled=false
com.unblu.permission.roleAllowed.overrideTeamManagement=ADMIN,SUPERVISOR

With this configuration, admins and supervisors are in override mode:

  • Admins and supervisors are both able to update teams in the Account Configuration interface, regardless of the teams' externallyManaged attribute.

    The changes they can make include changing the entity’s externallyManaged attribute.

  • Admins may create with externallyManaged set to false.

    Since the supervisor role does not have the authority to create new teams, it cannot do so in override mode, either.

  • Admins may also delete teams regardless of the the teams' externallyManaged attribute.

For technical admins and superadmins, on the other hand, the restrictions of the configuration property com.unblu.storage.management.internalTeamManagementEnabled apply in full, even though their roles figure higher up in the Unblu role hierarchy.

Importing entities with `utransfer`and at server startup

Since utransfer uses the Web API to transfer entities between Unblu accounts, the same restrictions apply to entities when using utransfer as when using the Web API:

  • externallyManaged attributes may be set directly in the JSON transferred.

  • If no value is provided, the attribute is set to false.

We recommend using utransfer with a user in override mode to ensure that the update does not fail.

If the JSON used for importing entities at startup contains definitions for teams and/or users, we recommend that you grant the SUPER_ADMIN role the possibility to override external entity management for the entities in questions.