AWS Contact Center
Monitor real-time metrics using granular access controls in Amazon Connect
Introduction
Contact center supervisors, managers, compliance, workforce analysts, and others monitor the real-time performance of their contact center, including agent, queue, and routing profile performance, using the real-time metrics dashboard in the Amazon Connect console. Furthermore, as mentioned in the previous blog post, organizations today are challenged by an evolving privacy and regulatory landscape, which can vary by geography, industry, or business need. To comply with these privacy regulations, contact center administrators are often required to enforce least-access permissions to sensitive resources used within their contact centers, especially real-time metrics.
Contact centers often require access controls to separate lines of business or organizations. A tag-based approach provides the flexibility and scalability to support these dynamic access control needs.
In this blog post, we describe how administrators of a fictitious company, Octank, restrict user access to real-time metrics of agents, queues, and routing profiles, including live monitoring and barge-in on agents. As Octank operates over time and makes certain business decisions, the requirements for granular access controls evolve. For each of the three stages, we demonstrate the flexibility of tag-based access controls to meet granular access control requirements.
Solution overview
The solution deployment at each stage includes the following steps:
- Configure agents, queues, and routing profiles with resource tags.
- Configure security profiles with access control tags to represent different contact center personas.
- Configure users for contact center personas, and associate them with security profiles.
The following diagram depicts tag-based access controls in Amazon Connect. Resources are tagged with resource tags. Security profiles are configured with access control tags. When users are assigned these security profiles, access to resources, data, and metrics for these users is now restricted based on the access control tags. The security profile with access control tag of “LOB: Credit” restricts the access to only those resources (Agent1) that are tagged with resource tag of “LOB: Credit”, and access control tag of “LOB: Banking” restricts the access to only those resources (Agent2) that are tagged with resource tag of “LOB: Banking”.
Prerequisites
For this walkthrough, it is assumed that you understand and have access to the following resources:
- Related previous blog post, Configure granular access controls using resource tags in Amazon Connect.
- An AWS account with administrator access for Amazon Connect.
- Amazon Connect instance that has been deployed.
- Amazon Connect user with Admin security profile permissions.
- Basic familiarity with Tagging AWS Resources.
Walkthrough
Scenarios and personas
- Octank is a fictitious financial services company with contact centers.
- User personas include agents, supervisors, contact center managers, and an administrator.
- Agents: Answer customer contacts and service customer requests.
- Supervisors: Monitor a group of agents and coach them as needed.
- Contact Center Manager: Oversee daily operations of contact centers and their employees.
- Contact Center Administrator: Administers the contact center setup and configuration.
- Security profiles management is a function of the Administrator only.
- Minimal sample users are included for each persona, and there is a one-to-one mapping between routing profiles and queues.
- Least privilege access control: Each persona can only access real time reporting, live monitoring, and barge-in access for resources within their nearest boundary.
- Each stage can be implemented independently of each other.
Stage 1
Octank has two lines of business (LOBs) – Credit and Banking. Each LOB has its agents, supervisors, and a contact center manager. Octank must make sure that the people in Credit LOB can’t see real-time metrics for agents, queues, and routing profiles in Banking LOB, and vice versa. For example, a contact center manager in Credit LOB is only able to see the agents, queues, and routing profiles within Credit LOB in their real time reporting view. The overall contact center administrator has access across both LOBs.
Since the access control granularity is based on the LOB, we create resource tags and access control tags that represent the two LOBs – LOB: Credit and LOB: Banking.
Step 1: Configure queues, routing profiles, and agents with resource tags
Queue Name | Resource Tag Key: Value pair |
Credit | LOB: Credit |
Banking | LOB: Banking |
Routing Profile Name | Resource Tag Key: Value pair |
Credit | LOB: Credit |
Banking | LOB: Banking |
Agent Login | First name | Last name | Security Profile | Routing Profile | Resource Tag Key: Value pair |
MJackson | Mateo | Jackson | Agent(default) | Credit | LOB: Credit |
RRoe | Richard | Roe | Agent(default) | Banking | LOB: Banking |
Step 2: Configure security profiles with access control tags
Contact center administrator uses the default Admin security profile.
Administrator Login | First name | Last name | Security Profile | Routing Profile |
NWolf | Nikki | Wolf | Admin(default) | Basic Routing Profile |
For contact center managers, we create two security profiles, ManagerCredit and ManagerBanking with access restricted to respective LOB using access control tags. For real time reports, each security profile needs permissions to view users, routing profiles, and queues, and permissions for real time metrics, monitoring, and contact barge-in.
Security Profile Name | Permissions | Access Control Resources | Access Control Tag |
ManagerCredit | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB: Credit |
ManagerBanking | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB: Banking |
For supervisors, we create two security profiles, SupervisorCredit and SupervisorBanking with access restricted to respective LOB using access control tags. For real time reports, each security profile needs permissions to view users, routing profiles, and queues, and permissions for real time metrics, monitoring, and contact barge-in.
Security Profile Name | Permissions | Access Control Resources | Access Control Tag |
SupervisorCredit | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB: Credit |
SupervisorBanking | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB: Banking |
We created a total of four security profiles to represent four different personas. The administrator used the default Admin security profile.
Step 3: Configure contact center management users and associate them with security profiles
We create two contact center manager users to test and validate the configuration. Each user is associated to the appropriate security profile created in the preceding step.
Manager Login | First name | Last name | Security Profile | Routing Profile |
MRivera | Martha | Rivera | ManagerCredit | Basic Routing Profile |
ADesai | Arnav | Desai | ManagerBanking | Basic Routing Profile |
We then create two supervisor users to test and validate the configuration. Each user is associated to the appropriate security profile created in the preceding step.
Supervisor Login | First name | Last name | Security Profile | Routing Profile |
JStiles | John | Stiles | SupervisorCredit | Basic Routing Profile |
LJuan | Li | Juan | SupervisorBanking | Basic Routing Profile |
Step 4: Testing and Verification
To verify granular access controls:
1. Log in to the Amazon Connect console in an incognito window using the administrative username NWolf.
2. On the navigation menu, choose Analytics and optimization, Real-time metrics.
3. Choose Queues to validate that you are able to see the real-time metrics for all the queues that were configured in the preceding steps.
4. Navigate back to the Real-time metrics page. Choose Routing profiles to validate that you are able to see all the routing profiles that were configured in the preceding steps.
5. Navigate back to the Real-time metrics page. Choose Agents to validate that you are able to see the real-time metrics for all the agents that were configured in the preceding steps.
6. One at a time, log in to the Amazon Connect console in an incognito window using the two manager usernames and two supervisor usernames configured in the preceding steps for this stage.
7. For each username:
   - Follow preceding validation steps 2 through 5 to validate that you are able to see only the queues, agents, and routing profiles within the LOB (Credit or Banking).
   - Validate that you are able to monitor real-time contacts for all agents that are on live contacts.
   - Validate that you are able to barge into the conversation for agents on live voice calls that you are monitoring.
Stage 2
As the business grows, Octank decides to support customers in two languages – English and Spanish. Octank has a presence in the United States and Argentina. They make a business decision to support English customers using teams based in the United States, and to support Spanish customers using teams based in Argentina. For each LOB, the teams in the US and Argentina have their own agents and supervisors. Contact center managers continue to manage teams within the LOB and across the countries. However, Octank requires that the teams in each country be able to view real-time reports with agents, queues, and routing profiles only within that country. The LOB-level restriction from stage 1 continues to apply.
Since the access control granularity is based on the LOB and the country, we create resource tags and access control tags that represent the two LOBs and the two countries – LOB: Credit, LOB: Banking, Country: UnitedStates, and Country: Argentina.
Step 1: Configure queues, routing profiles, and agents with resource tags
Queue Name | Resource Tag Key: Value pair | Resource Tag Key: Value pair |
CreditUS | LOB: Credit | Country: UnitedStates |
CreditArgentina | LOB: Credit | Country: Argentina |
BankingUS | LOB: Banking | Country: UnitedStates |
BankingArgentina | LOB: Banking | Country: Argentina |
Routing Profile Name | Resource Tag Key: Value pair | Resource Tag Key: Value pair |
CreditUS | LOB: Credit | Country: UnitedStates |
CreditArgentina | LOB: Credit | Country: Argentina |
BankingUS | LOB: Banking | Country: UnitedStates |
BankingArgentina | LOB: Banking | Country: Argentina |
Agent Login | First name | Last name | Security Profile | Routing Profile | Resource Tag Key: Value pair | Resource Tag Key: Value pair |
MJackson | Mateo | Jackson | Agent(default) | CreditUS | LOB: Credit | Country: UnitedStates |
JSouza | Jorge | Souza | Agent(default) | CreditArgentina | LOB: Credit | Country: Argentina |
RRoe | Richard | Roe | Agent(default) | BankingUS | LOB: Banking | Country: UnitedStates |
MMajor | Mary | Major | Agent(default) | BankingArgentina | LOB: Banking | Country: Argentina |
Notice the use of two resource tags for each resource. This is to support the two-level granularity requirements for access control for LOBs and countries.
Step 2: Configure security profiles with access control tags.
Contact center administrator uses the default Admin security profile.
Administrator Login | First name | Last name | Security Profile | Routing Profile |
NWolf | Nikki | Wolf | Admin(default) | Basic Routing Profile |
For Contact center managers, we create two security profiles, ManagerCredit and ManagerBanking with access restricted to respective LOB using access control tags. For real time reports, each security profile needs permissions to view users, routing profiles, and queues, and permissions for real time metrics, monitoring, and contact barge-in.
Security Profile Name | Permissions | Access Control Resources | Access Control Tag |
ManagerCredit | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB: Credit |
ManagerBanking | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB: Banking |
For supervisors, we create four security profiles, SupervisorCreditUS, SupervisorCreditArgentina, SupervisorBankingUS, and SupervisorBankingArgentina with access restricted to respective LOB. For real time reports, each security profile needs permissions to view users, routing profiles, and queues, and permissions for real time metrics, monitoring, and contact barge-in.
Security Profile Name | Permissions | Access Control Resources | Access Control Tag Key: Value pairs |
SupervisorCreditUS | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB:Credit, Country:UnitedStates |
SupervisorCreditArgentina | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB:Credit, Country:Argentina |
SupervisorBankingUS | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB:Banking, Country:UnitedStates |
SupervisorBankingArgentina | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB:Banking, Country:Argentina |
For this stage, we created a total of six security profiles to represent six different personas. The administrator used the default Admin security profile.
Note that additional resource and access tags are required only when the granularity demands. In this case, Managers were able to use the same security profiles as prior stage because the access requirements did not change. Supervisors required additional granular access control within a country and hence the four supervisor security profiles use two access control tags.
Step 3: Configure contact center management users and associate them with security profile
We create two manager users to test and validate the configuration. Each user is associated to the appropriate security profile created in the preceding step.
Manager Login | First name | Last name | Security Profile | Routing Profile |
MRivera | Martha | Rivera | ManagerCredit | Basic Routing Profile |
ADesai | Arnav | Desai | ManagerBanking | Basic Routing Profile |
We then create four supervisor users to test and validate the configuration. Each user is associated to the appropriate security profile created in the preceding step.
Supervisor Login | First name | Last name | Security Profile | Routing Profile |
JStiles | John | Stiles | SupervisorCreditUS | Basic Routing Profile |
PCandella | Pat | Candella | SupervisorCreditArgentina | Basic Routing Profile |
LJuan | Li | Juan | SupervisorBankingUS | Basic Routing Profile |
TWhitlock | Terry | Whitlock | SupervisorBankingArgentina | Basic Routing Profile |
Step 4: Testing and Verification
To verify granular access controls:
1. Log in to the Amazon Connect console in an incognito window using the administrative username NWolf.
2. On the navigation menu, choose Analytics and optimization, Real-time metrics.
3. Choose Queues to validate that you are able to see the real-time metrics for all the queues that were configured in the preceding steps.
4. Navigate back to the Real-time metrics page. Choose Routing profiles to validate that you are able to see all the routing profiles that were configured in the preceding steps.
5. Navigate back to the Real-time metrics page. Choose Agents to validate that you are able to see the real-time metrics for all the agents that were configured in the preceding steps.
6. One at a time, log in to the Amazon Connect console in an incognito window using the four manager usernames and two supervisor usernames configured in the preceding steps for this stage.
7. For each username:
   - Follow preceding validation steps 2 through 5 to validate that you are able to see only the queues, agents, and routing profiles within the LOB (Credit or Banking).
   - Validate that you are able to monitor real-time contacts for all agents that are on live contacts.
   - Validate that you are able to barge into the conversation for agents on live voice calls that you are monitoring.
Alternate Stage 2 scenario: Instead of country-level granularity, Octank supervisors across the two LOBs need to see only the agents within their own groups. The second resource tag can be changed to one based on the supervisor name (Group: JStiles). The agents, queues, and routing profiles can be assigned resource tags based on the group they belong to. For Octank, the number of supervisor security profiles will be equal to the number of supervisor groups. Each supervisor security profile will have two access control tags (LOB and Group).
Stage 3
The Banking LOB in Octank contracts with a business process outsourcer (BPO) based in the Philippines. This BPO has extensive expertise handling banking customers, and has committed to deliver higher service levels. The Banking LOB will now use the BPO to handle Spanish Banking contacts. The BPO can only view real-time reports with agents, queues, and routing profiles within the BPO. The internal teams cannot access the BPO. Only the administrator and the Banking contact center manager can access the BPO metrics. The LOB-level and country-level restrictions continue to apply.
The access control granularity is based on the LOB, country, and whether the agent belongs to an internal Octank team or to a BPO. In this scenario, we show how to use a composite tag, CenterType, that encapsulates the country and whether the agent is internal or BPO. We create resource tags and access control tags that represent this information – LOB: Credit, LOB: Banking, CenterType: UnitedStates_Internal, CenterType: Argentina_Internal, and CenterType: Philippines_BPO. While the number of possible values of the CenterType tag is twice the number of country locations, we need only three combinations to represent the stage 3 scenario.
Step 1: Configure queues, routing profiles, and agents with resource tags
Queue Name | Resource Tag Key: Value pair | Resource Tag Key: Value pair |
CreditUS | LOB: Credit | CenterType: UnitedStates_Internal |
CreditArgentina | LOB: Credit | CenterType: Argentina_Internal |
BankingUS | LOB: Banking | CenterType: UnitedStates_Internal |
BankingBPO | LOB: Banking | CenterType: Philippines_BPO |
Routing Profile Name | Resource Tag Key: Value pair | Resource Tag Key: Value pair |
CreditUS | LOB: Credit | CenterType: UnitedStates_Internal |
CreditArgentina | LOB: Credit | CenterType: Argentina_Internal |
BankingUS | LOB: Banking | CenterType: UnitedStates_Internal |
BankingBPO | LOB: Banking | CenterType: Philippines_BPO |
Agent Login | First name | Last name | Security Profile | Routing Profile | Resource Tag Key: Value pair | Resource Tag Key: Value pair |
MJackson | Mateo | Jackson | Agent(default) | CreditUS | LOB: Credit | CenterType: UnitedStates_Internal |
JSouza | Jorge | Souza | Agent(default) | CreditArgentina | LOB: Credit | CenterType: Argentina_Internal |
RRoe | Richard | Roe | Agent(default) | BankingUS | LOB: Banking | CenterType: UnitedStates_Internal |
PSantos | Paulo | Santos | Agent(default) | BankingBPO | LOB: Banking | CenterType: Philippines_BPO |
Step 2: Configure security profiles with access control tags.
Contact center administrator uses the default Admin security profile.
Administrator Login | First name | Last name | Security Profile | Routing Profile |
NWolf | Nikki | Wolf | Admin(default) | Basic Routing Profile |
For Contact center managers, we create two security profiles, ManagerCredit and ManagerBanking with access restricted to respective LOB using access control tags. For real time reports, each security profile needs permissions to view users, routing profiles, and queues, and permissions for real time metrics, monitoring, and contact barge-in.
Security Profile Name | Permissions | Access Control Resources | Access Control Tag |
ManagerCredit | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB: Credit |
ManagerBanking | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB: Banking |
For supervisors, we create three security profiles, SupervisorCreditUSInternal, SupervisorCreditArgentinaInternal, SupervisorBankingUSInternal, and SupervisorBankingPhilippinesBPO with access restricted to respective LOB and center type combination. For real time reports, each security profile needs permissions to view users, routing profiles, and queues, and permissions for real time metrics, monitoring, and contact barge-in.
Security Profile Name | Permissions | Access Control Resources | Access Control Tag Key: Value pairs |
SupervisorCreditUSInternal | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB:Credit, CenterType:UnitedStates_Internal |
SupervisorCreditArgentinaInternal | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB:Credit, CenterType:Argentina_Internal |
SupervisorBankingUSInternal | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB:Banking, CenterType:UnitedStates_Internal |
SupervisorBankingPhilippinesBPO | Users, Routing Profiles, Queues – View; Real-time metrics – All; Real-time Contact Monitoring – All; Real-time contact barge-in – All | Users, Routing Profiles, Queues | LOB:Banking, CenterType:Philippines_BPO |
For this stage, we created a total of six security profiles to represent six different personas. The administrator used the default Admin security profile.
Note that additional resource and access tags are required only when the granularity demands. In this case, Managers were able to use the same security profiles as prior stage because the access requirements did not change. Supervisors required additional granular access control within a country and the agents they were responsible for, and hence the four supervisor security profiles use two access control tags. One of the access control tags (CenterType) is a composite tag.
Step 3: Configure contact center management users and associate them with security profile
We create two manager users to test and validate the configuration. Each user is associated to the appropriate security profile created in the preceding step.
Manager Login | First name | Last name | Security Profile | Routing Profile |
MRivera | Martha | Rivera | ManagerCredit | Basic Routing Profile |
ADesai | Arnav | Desai | ManagerBanking | Basic Routing Profile |
We then create four supervisor users to test and validate the configuration. Each user is associated to the appropriate security profile created in the preceding step.
Supervisor Login | First name | Last name | Security Profile | Routing Profile |
JStiles | John | Stiles | SupervisorCreditUSInternal | Basic Routing Profile |
PCandella | Pat | Candella | SupervisorCreditArgentinaInternal | Basic Routing Profile |
LJuan | Li | Juan | SupervisorBankingUSInternal | Basic Routing Profile |
TWhitlock | Terry | Whitlock | SupervisorBankingPhilippinesBPO | Basic Routing Profile |
Step 4: Testing and Verification
To verify granular access controls:
1. Log in to the Amazon Connect console in an incognito window using the administrative username NWolf.
2. On the navigation menu, choose Analytics and optimization, Real-time metrics.
3. Choose Queues to validate that you are able to see the real-time metrics for all the queues that were configured in the preceding steps.
4. Navigate back to the Real-time metrics page. Choose Routing profiles to validate that you are able to see all the routing profiles that were configured in the preceding steps.
5. Navigate back to the Real-time metrics page. Choose Agents to validate that you are able to see the real-time metrics for all the agents that were configured in the preceding steps.
6. One at a time, log in to the Amazon Connect console in an incognito window using the two manager usernames and two supervisor usernames configured in the preceding steps for this stage.
7. For each username:
   - Follow preceding validation steps 2 through 5 to validate that you are able to see only the queues, agents, and routing profiles within the LOB (Credit or Banking).
   - Validate that you are able to monitor real-time contacts for all agents that are on live contacts.
   - Validate that you are able to barge into the conversation for agents on live voice calls that you are monitoring.
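The Stage 3 verification above can be checked against an expected-results matrix computed from the tables. The following is an added example, not code from the original post or from AWS: it models the Stage 3 resource tags and access control tags offline and flags resources whose tag keys or values cannot match any security profile. It assumes a resource is visible only when it carries every access control tag on the profile and that the default Admin profile carries none; the function names and the `CreditArgentinaOverflow` queue are hypothetical.

```python
# Added example: offline model of the Stage 3 tables (not AWS or Amazon Connect code).
# Assumption: a resource is visible to a security profile only if it carries
# every access control tag on that profile; a profile with no access control
# tags (the default Admin profile here) is unrestricted.

CENTERS = {  # queue / routing profile name -> resource tags
    "CreditUS": {"LOB": "Credit", "CenterType": "UnitedStates_Internal"},
    "CreditArgentina": {"LOB": "Credit", "CenterType": "Argentina_Internal"},
    "BankingUS": {"LOB": "Banking", "CenterType": "UnitedStates_Internal"},
    "BankingBPO": {"LOB": "Banking", "CenterType": "Philippines_BPO"},
}
AGENTS = {  # agent login -> routing profile (agents carry the same tags)
    "MJackson": "CreditUS", "JSouza": "CreditArgentina",
    "RRoe": "BankingUS", "PSantos": "BankingBPO",
}
PROFILES = {  # security profile -> access control tags
    "Admin": {},
    "ManagerCredit": {"LOB": "Credit"},
    "ManagerBanking": {"LOB": "Banking"},
    "SupervisorCreditUSInternal": {"LOB": "Credit", "CenterType": "UnitedStates_Internal"},
    "SupervisorCreditArgentinaInternal": {"LOB": "Credit", "CenterType": "Argentina_Internal"},
    "SupervisorBankingUSInternal": {"LOB": "Banking", "CenterType": "UnitedStates_Internal"},
    "SupervisorBankingPhilippinesBPO": {"LOB": "Banking", "CenterType": "Philippines_BPO"},
}
USERS = {  # console login -> security profile
    "NWolf": "Admin", "MRivera": "ManagerCredit", "ADesai": "ManagerBanking",
    "JStiles": "SupervisorCreditUSInternal",
    "PCandella": "SupervisorCreditArgentinaInternal",
    "LJuan": "SupervisorBankingUSInternal",
    "TWhitlock": "SupervisorBankingPhilippinesBPO",
}


def build_resources(centers=CENTERS, agents=AGENTS):
    """Expand the tables into (kind, name, tags) records."""
    records = []
    for name, tags in centers.items():
        records.append(("Queue", name, dict(tags)))
        records.append(("RoutingProfile", name, dict(tags)))
    for login, routing_profile in agents.items():
        records.append(("User", login, dict(centers[routing_profile])))
    return records


def visible(profile, resources, kind=None):
    """Names of resources that carry all access control tags of `profile`."""
    required = PROFILES[profile]
    return sorted(
        name for k, name, tags in resources
        if (kind is None or k == kind)
        and all(tags.get(key) == value for key, value in required.items())
    )


def expected_agents(resources):
    """Per-login list of agents that should appear in real-time metrics."""
    return {login: visible(profile, resources, "User")
            for login, profile in USERS.items()}


def lint(resources):
    """Flag resources whose tags cannot match the profiles as intended."""
    required_keys = {key for tags in PROFILES.values() for key in tags}
    known_pairs = {(k, v) for tags in PROFILES.values() for k, v in tags.items()}
    findings = []
    for kind, name, tags in resources:
        for key in sorted(required_keys - set(tags)):
            findings.append((kind, name, f"missing tag key {key}"))
        for key, value in sorted(tags.items()):
            if key in required_keys and (key, value) not in known_pairs:
                findings.append((kind, name, f"no profile uses {key}: {value}"))
    return findings


if __name__ == "__main__":
    resources = build_resources()
    for login, agents in expected_agents(resources).items():
        print(f"{login:10} {USERS[login]:34} {agents}")
    # Constructed mistake: key Country used where the profiles expect CenterType.
    bad = resources + [("Queue", "CreditArgentinaOverflow",
                        {"LOB": "Credit", "Country": "Argentina_Internal"})]
    for finding in lint(bad):
        print("LINT", finding)
```

A resource tagged with the wrong key stays visible to the LOB-level manager but silently disappears from the supervisor's view, which is why the lint step is worth running before the console checks.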
Clean up
- Once you have logged in to your Amazon Connect administration console, delete the users and security profiles that you created as part of this blog post.
- If you have set up an Amazon Connect instance as part of this, you can go to Amazon Connect console and delete your connect instance.
Conclusion
In this blog post, we explained how you can use Amazon Connect resource tags and access control tags to set up granular access to Amazon Connect resources within real-time metrics, live monitoring, and contact barge-in. You can now explore this concept to create multiple groups by team, role, or other criteria and express more complex access control conditions for various Amazon Connect resources when the requirements change during the life of your Amazon Connect instance.
Prashant Desai is a Senior Consultant at AWS Professional Services. He is experienced in designing and migration of large contact centers to the cloud. Prashant is always looking for innovative ways to simplify customer experience.
Parind Poi is a Senior Practice Leader at AWS Professional Services. He leads a specialized practice with deep expertise in customer experience (CX) on AWS. Parind is passionate about helping customers modernize their customer engagement workloads on cloud.
Elaine is an AWS Senior Solutions Architect focused on Amazon Connect with over two decades of telephony and contact center expertise and an avid supporter of the Amazon Future Engineer Class Chats program working to inspire the next generation of cloud infrastructure builders.
Mike Simpson is a Senior Product Manager, Technical at Amazon Connect. He helps build Amazon Connect analytics solutions to improve the lives of Amazon Connect customers.