Genesys Cloud - Main

 View Only
Discussion Thread View
  • 1.  Genesys Cloud for Azure - assing roles to users

    Posted 01-19-2022 06:18
    Hello,

    I'd like to synchronize users from AD to GCCX and add roles according to groups created in AD. 
    In fields mapping I can see that it is should be possible but it does not tell me how exactly I can achieve it.

    I'd like lo leave most of configuration on customer side (AD).

    Is that possible?

    Thanks!
    #Integrations

    ------------------------------
    Wojciech Dzikowski
    CGI ISMC Polska Sp. z o.o.
    ------------------------------


  • 2.  RE: Genesys Cloud for Azure - assing roles to users

    Posted 01-20-2022 01:07
    Good one for Support.  I would open a case with them as you are correct - no explanation.  If I had to take an uneducated guess, you would use:

    Full URN: urn:ietf:params:scim:schemas:
    extension:genesys:purecloud:2.0:
    User:roles.[].value

    ------------------------------
    Robert Wakefield-Carl
    Avtex Solutions, LLC
    Contact Center Innovation Architect
    robertwc@avtex.com
    https://www.Avtex.com
    https://RobertWC.Blogspot.com
    ------------------------------



  • 3.  RE: Genesys Cloud for Azure - assing roles to users

    GENESYS
    Posted 01-21-2022 09:19

    The challenge is actually on the Azure AD side of things.  There aren't many great tools for manipulating payloads within Azure AD, so for certain fields (Roles being one of them), there's a very limited path forward.  The only setup Azure AD has that is compatible with the Roles array of objects is to use the appRoleAssignments, as described here: https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes and https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/functions-for-customizing-application-data.  Following this guide, you'll need to create an AppRole that matches the Genesys Cloud Role by name, then assign it to a user, and use one of the AppRoleAssignment functions as the source for the roles.[].value target in Genesys Cloud

    Azure also has a known bug in their payload for the (AppRoleAssignmentsComplex) where they are only setting a single role out of the group assigned to the user.  Azure AD is aware of this, and is supposed to be working on this from their end (as they control the payloads being sent to our API), but there has been no update in some time on the status of this bug.  



    ------------------------------
    Richard Schott
    Genesys - Employees
    ------------------------------



  • 4.  RE: Genesys Cloud for Azure - assing roles to users

    Posted 01-22-2022 04:00
    Edited by Wojciech Dzikowski 01-22-2022 04:00
    Thank you Richard,So I need to create an App role in Azure AD with same name as in GCCX (the key is the name, not role id), right?
    The confusing thing in documentation is {user roles API}
    Is there a possibility to set static role for each user, not depending on role in AD? For example USER role for all. 
    Alternatively, if I'd like to set USER role for all users in AD group 'CallCenter' and SUPERVISOR role for users in AD group CC_Supervisors, how can Ito point it to Genesys?
    Anyway, regardless on conditions, how to specific role for a user?

    Regards,
    ------------------------------
    Wojciech Dzikowski
    CGI ISMC Polska Sp. z o.o.
    ------------------------------



  • 5.  RE: Genesys Cloud for Azure - assing roles to users

    GENESYS
    Posted 01-21-2022 09:22

    Also, if you're just looking to assign roles by Group Membership, you can set this up in Genesys Cloud by assigning a Role to the Group: https://help.mypurecloud.com/articles/assign-roles-to-a-group/

    You can then use the security groups in Azure AD to assign users to a Group in Genesys Cloud, which will then cause the user to inherit the Role from their membership in the Group.  If/when you remove the user from the Security Group in Azure AD, the user will then be removed from the Group in Genesys Cloud by way of the Automated Provisioning process; once the use is removed from the Group in Genesys Cloud, they will no longer inherit the role (note that most Genesys Cloud apps will require a user to log out and log back in to pick up the changes in permissions).



    ------------------------------
    Richard Schott
    Genesys - Employees
    ------------------------------



  • 6.  RE: Genesys Cloud for Azure - assing roles to users

    Posted 01-22-2022 04:10
    Thanks Richard,

    Does it has to be a Security group or I can user Microsoft 365 group as well? Does membership type has any meaning to this?

    Regards,

    ------------------------------
    Wojciech Dzikowski
    CGI ISMC Polska Sp. z o.o.
    ------------------------------



  • 7.  RE: Genesys Cloud for Azure - assing roles to users

    GENESYS
    Posted 01-22-2022 17:24

    That's really more of a function of Azure's user provisioning system.  The only groups I've ever seen included for provisioning were security groups, but their documentation is a little sparse on the topic.  What I have seen other customers do is establish security groups in Azure AD that have inclusion rules that are driven by membership in other collections within Azure (email groups is the most common I've encountered).  

    Please keep in mind that the Azure Ad group needs to match the name of the Genesys Cloud group you're looking to include users in for the sync to perform properly.  Normally, group updates are done within Genesys Cloud by ID, not name; because Azure AD is not referencing the group by ID, the only other element remaining to match on is the name.  



    ------------------------------
    Richard Schott
    Genesys - Employees
    ------------------------------



Need Help finding something?

Check out the Genesys Knowledge Network - your all-in-one access point for Genesys resources