OK, so there are a few things here.
Firstly, I'm sorry to have to tell you that you can't (currently, and probably never will be able to) create a role that says "take away permission X". So, if you want some users to have Permission X and some not, then it's two Roles. It's not as bad as it first seems. Say you need granularity for any combination of Permission X, Y & Z, then you don't need to create 7 roles (to cover all combinations of 1, 2 or 3 permissions) but rather 3 (one for each permission) and assign multiple Roles to the user.
Next, regarding Divisions, when you associate a Role with a user, you do so with respect to a Division (which doesn't have to be the Division the user is a member of.) So, if you want a user to only have permission X for some objects, you put those objects in a division and assign appropriately. As you have noted, however, not all entities are (currently) division-aware, but there are multiple ideas over on the ideas site requesting various objects be made division-aware.
FWIW, I am not a huge fan of the way Genesys have chosen to implement this. I agree Roles are the way to go, but there are times when you may want to assign a permission directly. My bigger issue, however, is that Divisions alone are not granular enough. I cannot assign permissions to a single object without putting that object into its own division. In some complex situations, you end up with competing divisional requirements, which could only be solved by putting EVERY object in its own division - which isn't practical (or possible, given the limitations on the number of divisions.) I would like to see the ability to assign permissions over objects directly, as well as via Divisions. (In the case of Users, by Group / Queue membership too.) I would also like to see the individual permissions become much more granular. For example, I can give someone permission to edit users, but not control what can be edited. What if I only want to allow password resets? Or editing of Name and Address? Or...?
Sorry to take over your question with a minor rant, but I think it's clear that the system is more flexible than it initially appears, but not as flexible as it could (should?) be.
------------------------------
Paul Simpson
------------------------------
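A simplified model of the additive, division-scoped grants described in the post above, added here as an illustration; it is not part of the original thread and does not use Genesys' API. The role, permission and division names are constructed placeholders.

```python
from itertools import combinations

# Simplified model of additive, division-scoped role grants (not Genesys' API).
# Permission, role and division names below are constructed placeholders.
ROLES = {
    "role_x": {"perm_x"},
    "role_y": {"perm_y"},
    "role_z": {"perm_z"},
}

def effective(grants, roles=ROLES):
    """Union of permissions per division for a list of (role, division) grants.

    There is no deny: adding a grant can only widen the result.
    """
    result = {}
    for role, division in grants:
        result.setdefault(division, set()).update(roles[role])
    return result

def allowed(grants, permission, object_division, roles=ROLES):
    """True if some grant gives `permission` in the object's division."""
    return permission in effective(grants, roles).get(object_division, set())

def reachable_permission_sets(roles=ROLES, division="program_a"):
    """Every non-empty permission set reachable by assigning 1..n roles."""
    names = sorted(roles)
    sets = set()
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            grants = [(r, division) for r in combo]
            sets.add(frozenset(effective(grants, roles)[division]))
    return sets

def revoke(grants, role, division):
    """The only way to 'take away': drop or replace the grant itself."""
    return [g for g in grants if g != (role, division)]

if __name__ == "__main__":
    supervisor = [("role_x", "program_a"), ("role_y", "program_a"),
                  ("role_x", "program_b")]
    print(effective(supervisor))
    print(len(reachable_permission_sets()))            # 7 combinations from 3 roles
    print(allowed(supervisor, "perm_y", "program_b"))  # False: not granted there
```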
Original Message:
Sent: 11-15-2023 11:00
From: Tim Strong Bear
Subject: Agent's View
Thx Paul, no, I did mean take away. It is a client, with 5 programs. Client can see all review recording all, 3 of the programs under the client are only to see their program/calls, queues etc. Along with this new request for agents not to see queue or other agents. Putting conditions on recording is easy enough, but what about the needed Roles, permissions just to get to Interactions, which they can see all Interactions, even if can only play recordings for their business unit. Which makes me ask Genesys, why did you create this without Divisions? Is there some con or drawback to Divisions? I don't want out of the box Roles, and then 3 or 4 frigg'n Custom Roles of the same Role, such as Supervisor Role, with conditions, or permissions removed, right? Two-fold issue I guess I'm talking about. I do not know how to make it so agents can't see the queue or other agents. And I also need to make programs only see their program, which looks like Divisions is the way to go there, and the way it should have gone into production.
------------------------------
Tim Strong Bear
Senture, LLC
Original Message:
Sent: 11-15-2023 10:30
From: Paul Simpson
Subject: Agent's View
Just remember that permissions are additive. You can't create a Role to take away permissions; what you do is create a duplicate role that is missing the permission(s) in question and then replace the role in question on the user.
I'm sure that's what you meant in your final sentence, but for the benefit of anyone else who stumbles across this thread, I wanted to make sure it was clear!
------------------------------
Paul Simpson
Original Message:
Sent: 10-31-2023 10:46
From: Tim Strong Bear
Subject: Agent's View
If operations wanted agents to not be able to see queue, stats, other agents, I would have to copy and Custom User Role to take away the requested permissions, right?
#SystemAdministration
------------------------------
Tim Strong Bear
Senture
------------------------------