ACL rules and Call classes management Admin Guide
Jun 21, 2021 15:45
This Guide explains and describes what permissions and limitations for PBX users and administrators can be set to limit access to certain PBX services and features.
Updated: November 2020
ACL (Access Control List) is a number of permissions and limitations for PBX users and PBX administrators.
Via ACL for PBX users it is possible to forbid certain groups of users external calls to certain call classes, limit access to certain PBX services and UC features. The full list of ACL permissions: APPENDIX 2.
Via ACL for PBX administrators it is possible to limit access to certain WMS menus and forbid certain operations related to PBX management to groups of PBX admins. The full list of ACL admin permissions: APPENDIX 3.
Note: Normally, if you don't forbid any certain access via ACL, it means the access is allowed. For example, if you don't have any ACL restriction "Cannot" - "Intrusion", it means intrusion is allowed.
Exception: There are 3 ACLs that are not permitted by default: "Can " - "Modify presence", "Can" - "Delete calls" and "Can" - "See voicemail". At first, you have to set ACL permissions for using these services.
Admin and Default ACL groups and permissions
ACL groups can be managed and created in WMS -> Users -> Groups.
By default there are two ACL groups on PBX:
- Admin (no limitations, assigned to “admin” user)
- Default (see Default ACL settings; assigned to new users by default)
ACL groups can be assigned to users in WMS -> Users -> select user / users -> “Group”:
All PBX users with admin permissions can:
- Edit permissions of ACL groups (click Edit permissions button to manage)
“admin” user in addition can:
- Create and delete ACL groups
- Set up inheritance
- Manage admin permissions for PBX administrators (click Edit admin permissions button to manage)
Note: ACL groups are shared via WMS Network. Detailed information about WMS Network can be found here: WMS Network.
Set up Inheritance: Select an ACL group: “Inherits from” (select the group)
Important: Wildix ACL groups support only single level inheritance.
Example: group B inherits from A; group C can't inherit from B because B already inherits from another ACL group A.
Note: “Cannot” rule has priority over “Can”.
Example: group B inherits from A “Can” – “Intercom”, but inside group B we add “Cannot” – “Intercom”, as a result, use of Intercom is prohibited for this group of users.
ACL for outgoing calls – Supported countries for call classes
To forbid/ allow calls, use ACL "Can call / Cannot call".
Wildix PBX supports call classes for following countries:
- United Kingdom
Call class detection for processing external calls
PBX differentiates national from foreign calls based on International Prefix in Dialplan -> General settings.
Country code in trunk settings is used for number normalization (number is not normalized if country code is empty)
Available classes for processing of calls inside configured country:
- Premium2 (Germany, Austria)
Available classes for processing of calls to/ from other countries (see Call classes explanation):
- North America
- South America
- International (WMS 4.0X/ WMS 5.0X, contains all mentioned call classes)
Call class for unknown countries is 0 and call will not be blocked by ACL.
Recommendations to avoid calls to illegal destinations:
(as in Default ACL settings)
- First add the rule “cannot call All”
- Then add a number of “can call” rules
Setting up call classes in Dialplan
“Dial the trunk” and “Trunk group” Dialplan procedures allow you to define call classes and associate them to prefixes. Consult Dialplan applications Admin Guide for detailed information.
Example: assign calls to destination numbers which start with “03” to “Mobile” call class, remove the first digit (0) from the called number and route calls via the selected trunk (test5):
In case you do not set up call classes via Dialplan procedures, PBX evaluates the call prefix and assigns the call class to it, based on the logic described in the chapter Call classes explanation.
Call classes explanation
- Internal – internal calls
- Local - local calls
- National – recognized based on the National Prefix in Dialplan General Settings
- Mobile – recognized based on the Country Code in Dialplan General Settings
- Emergency – recognized based on the Country Code in Dialplan General Settings
- Free – recognized based on the Country Code in Dialplan General Settings
- Premium1 – recognized based on the Country Code in Dialplan General Settings
- Premium2 – recognized based on the Country Code in Dialplan General Settings
- Premium3 – not defined
- Premium4 – not defined
- North America – calls to numbers starting with 001 or +1
- Africa – calls to numbers starting with 002 or +2
- Europe1 – calls to numbers starting with 003 or +3
- Europe2 – calls to numbers starting with 004 or +4
- South America – calls to numbers starting with 005 or +5
- Oceania – calls to numbers starting with 006 or +6
- Russia – calls to numbers starting with 007 or +7
- Asia1 – calls to numbers starting with 008 or +8
- Asia2 – calls to numbers starting with 009 or +9
- International - calls to Europe1-2, North and South America, Africa, Oceania, Russia, Asia1-2 numbers
Prefixes per country for call class detection:
"Modify public phonebook” and “Set Phonebook”
Difference between ALCs “Can / cannot” – Modify public phonebook” and “Can set / cannot set” “Phonebook”:
- Can / cannot Modify public phonebook: user in this group cannot modify any contact from public WMS phonebook
- Can set / cannot set Phonebook: user in this group can access only phonebooks located in “Selected” section in WMS -> Users (select user) -> Edit preferences -> Phonebooks
Note: at least one phonebook must be present in “Available” section (it can even be an empty phonebook).
ACLs "Can/ cannot use" - "Voicemail" and "Can / cannot - "View" - "Group" have higher priority that ACL "Can / cannot" - "See voicemail" - "Group".
If "cannot use" - "Voicemail" limitation is set, a user is not able to configure or change "Voicemail" Function Key. This user can see the already configured key, but cannot change the label or assign it to another user.
If "cannot" - "View" - "Group" limitation is set, a user is not able to see users from a specified group when configuring "Voicemail" Function Key.
Current limitation: "Cannot - Share status via Kite" and "Can - Modify presence - Everybody"
Important: The limitation is not applicable for WMS 5.02 since it was fixed (reference ticket WMS-8890).
ACL "Cannot - Share status via Kite" breaks ACL "Can - Modify presence - Everybody". This means, if a user has ACL "Cannot - Share status via Kite", another user with ACL "Can - Modify presence - Everybody" is not able to change that user status.
APPENDIX 1. Default ACL permissions
The list of default ACL permissions of Default (users) and Admin (users with admin permissions) ACL groups:
|Group||Ability and access|
APPENDIX 2. Full list of ACL permissions
|Call - Group||Allow/ forbid calling certain groups of users|
|use Virtual scanner - Group|
Allow/ forbid using Virtual scanner Feature Code. More information: Virtual scanner
|Modify presence - Group|
Allow/ forbid setting user status of colleagues in Collaboration. By default, if no ACL rule is added, users are not allowed to set user status of colleagues. More information: Set user status in Collaboration
|see full number in CDR-View|
Allow/ forbid seeing full numbers in CDR-View in Collaboration. You can decide how many digits to hide in Call and chat history menu of WMS
|Intercom - Group|
Allow/ forbid using Intercom Feature Code. More information: Intercom
|Intrusion - Group|
|Call Pickup - Group||Allow/ forbid pickup of other user's calls via Collaboration / Feature Code. More information: Call pickup and Pickup Feature Code|
|Modify public phonebooks|
Allow/ forbid modifying any contact from a public WMS phonebook in Collaboration. Details: Phonebook
|View - Group|
Allow/ forbid viewing users in Colleagues roster and Recents chat in Collaboration as well as Colleagues phonebook
|View calls of users - Group|
Allow/ forbid viewing who is calling via Collaboration and VoIP phones. Details: Colleagues status information
Allow/ forbid deleting calls from History (not supported on W-AIR Handsets). By default, if no ACL rule is added, users are not allowed to delete calls. More information: Calls / faxes history
|Share status via Kite|
Allow/ forbid sharing user's status via Kite (no user status is shown when contacting user by Kite link)
|Share status message via Kite|
Allow/ forbid sharing user's status message via Kite (no status message is shown when contacting user by Kite link)
|Share geolocation via Kite|
Allow/ forbid geolocation sharing via Kite. More information: Limit access to Kite service
|View geolocation via Collaboration - Group|
Allow/ forbid viewing geolocation of users in Collaboration, iOS/ Android apps. More information: Geolocation
|Manage the callcenter|
Allow/ forbid performing actions on call groups’ members: put a user on hold, add users to call groups via call groups plugin and Call group management Feature Code (if forbidden, a user can perform the actions only on himself (add himself to a call group, put himself on pause in a call group)
|Be looked up via dial by name|
Allow/ forbid user to be looked up via dial by name feature (including ASR). The feature can be called via "Dial by name/ Directory" Dialplan application or Directory Feature Code via Collaboration, VoIP phones, WP600AXX/ Vision/ SuperVision, W-AIR handsets, iOS/ Android apps. More information: Directory and Dial by name/ Directory
Allow/ forbid downloading Collaboration Extensions. More information: Extensions
|See voicemail||Allow/ forbid using shared voicemail feature on WP480G/WP490G 2017, WorkForce, WelcomeConsole. More information: Shared voicemail feature|
|Disable two factor authentication (WMS 4.0X/ WMS 5.0X)||Allow/ forbid disabling Two-factor authentication in Collaboration. Details: Two-factor authentication|
|Enable video call (WMS 4.0X/ WMS 5.0X)||Allow/ forbid user to start or enable video calls in Collaboration. Details: Video call|
Can set/ Cannot set
Allow/ forbid setting DND/ Away status via Status Feature Code (can be dialed from any Wildix device) and VoIP phones (not supported in Collaboration, WP600AXX/ Vision/ SuperVision, iOS/ Android apps). More information: Status (DND/Away) Feature Code and WP4X0 Call Features
|Call Forward Busy|
Allow/ forbid setting call forwarding if user is busy (not supported on WP600AXX/ Vision/ SuperVision)/ using Feature Code. Consult Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide
|Call Forward No Answer|
Allow/ forbid setting call forwarding if user doesn't answer (not supported on WP600AXX/ Vision/ SuperVision)/ using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide
|Call Forward All|
Allow/ forbid setting forwarding of all calls (not supported on WP600AXX/ Vision/ SuperVision)/ using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Feature Codes Guide
Allow/ forbid receiving more than one call at a time (not supported on WP600AXX/ Vision/ SuperVision) / using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Call waiting Feature Code
|Mobility extension management|
Allow/ forbid call forwarding to the mobile number (not supported on WP600AXX/ Vision/ SupeerVision)/ using Feature Code. More information: Call features, WP4X0 Call features, Android Settings, iOS Settings or Mobility extension management
Allow/ forbid using Telephone blocked Feature Code. More information: Telephone blocked
|Ring only active device|
Allow/ forbid a user to be notified on who the caller is when he receives a call on mobility extension number via Collaboration or Feature Code. More information: Call features and Mobility confirmation
Allow/ forbid configuring Function keys in Collaboration -> Settings -> Function keys. The access to already configured Function keys is saved. More information: Function keys
Allow/ forbid configuring Timetable Function key in Collaboration and changing its status via Feature Code (Timetables and switches are created in WMS). Details: Timetable Feature Code
|3 state switch|
Allow/ forbid configuring 3 state switch Function key in Collaboration and changing its status via Feature Code. Details: 3 State Switch Feature Code
Allow/ forbid configuring Switch Function key in Collaboration and changing its status via Feature Code. More information: Switch Feature Code
Allow/ forbid access to selected phonebooks (if forbidden, a user can access only phonebooks located in “Selected” section in WMS - > Users (select user) -> Edit preferences -> Settings -> Phonebooks)
Allow/ forbid changing personal information in Collaboration and Android/ iOS app (not supported on VoIP phones, WP600AXX / Vision/ SuperVision, W-AIR Handsets). Details: Personal information
Allow/ forbid access to advanced user status menu, including status message, until option, editing picture and setting location and Chat/ Presence menu, including custom statuses in Collaboration. More information: Status message and Chat/ Presence
|Fax Server Settings|
Allow/ forbid changing Fax Server Settings in Collaboration -> Settings -> Fax Server Settings. More information: Fax Server
|Notify missed calls via email (WMS 4.0X/ WMS 5.0X)||Allow/ forbid receiving missed calls notifications via email in Collaboration -> Settings -> Features. More information: Call features|
|Notify missed calls via SMS (WMS 4.0X/ WMS 5.0X)||Allow/ forbid receiving missed calls notifications via SMS in Collaboration -> Settings -> Features. More information: Call features|
|Custom Ring (WMS 4.0X/ WMS 5.0X)||Allow/ forbid selecting the ringtone for VoIP phones and Collaboration in Collaboration -> Settings -> Features. More information: Call features|
Can use/ Cannot use
Allow/ forbid access to Collaboration (if forbidden, users have access only to the basic CTI interface, including calls, sending SMS/ fax, changing personal user status, without full access to Collaboration (no access to Colleagues, Function keys, Map view, Messaging menu)
Allow/ forbid access to Attendant Console in Collaboration. More information: Attendant Console
Allow/ forbid access to Calls/ faxes History (not supported on W-AIR Handsets). More information: Calls / faxes history
Allow/ forbid access to CDR-View in Collaboration. Detailed information: CDR-View Guide
Allow/ forbid call phonebook short numbers using Speed dial Feature Code. More information: Speed dial Feature Code
Allow/ forbid using Shared record Feature Code. More information: Shared record Feature Code
|Personal Recording||Allow/ forbid access to personal recording in Collaboration and using Personal Recording Feature Code and Incall code *1 as well as Attendant Console. More information: Feature Codes Guide and Record a call|
|SMS||Allow/ forbid sending SMS via Collaboration. More information: SMS|
Allow/ forbid sending faxes via Collaboration. More information: Fax
Allow/ forbid using Paging Feature Code to send a broadcast to a group of users. More information: Paging
|Pre answer services||Allow/ forbid access to pre answer services (the voice prompt doesn't announce "press * for options"), including Voicemail, Intrusion, Intercom and Call completion, but the voice prompt announces user status: on the phone, busy, unavailable, no answer|
|Pre answer services & messages|
Allow/ forbid access to pre answer services when user status is not announced at all. More information: Pre answer services
|Phone settings menu||Allow/ forbid access to VoIP phone settings. More information: Phone settings|
|Advanced phone settings menu (WMS 4.0X/ WMS 5.0X)||Allow/ forbid access only to advanced phone settings "Network" and "Autoprovision" on VoIP phones. More information: Phone settings|
Allow/ forbid availability of web phone in Collaboration (if forbidden, web phone is not available in the list of devices in Collaboration and user cannot use Collaboration to place / receive calls via Web phone)
Allow/ forbid access to Voicemail and using Voicemail Feature Code. More information: Voicemails
|Voicemail without pin code (WMS 4.0X/ WMS 5.0X)|
Allow/ forbid PIN protection for Voicemail via XML (via the phone menu), Voicemail Feature Code, Voicemail access Dialplan application ("skip pin check (s)" option should not be activated). Details: Voicemail
Note: By default, the ACL is enabled for the USA and Canada. To disable this behavior, change it to “Can use voicemail without pin code”
Allow/ forbid using Contact center feature in Collaboration -> Settings -> Contact center. More information: Contact center
|Trunk to trunk transfer (WMS 4.0X/ WMS 5.0X)||Allow/ forbid making transfers of calls received/ placed via trunk, including blind and attended transfers, and also calls from Kite|
|Forward to trunk (WMS 4.0X/ WMS 5.0X)|
Allow/ forbid forwarding (Call Forward Busy/ No Answer/ All) of all calls to trunk received from trunk/ user extension. More information: Call features
Can call/ Cannot call
|Internal||The description of call classes can be found in Call classes explanation Chapter|
|Numbers in allowed phonebooks|
|International (WMS 4.0X/ WMS 5.0X)|
APPENDIX 3. List of ACL admin permissions
|Can/ Cannot manage PBX||Allow/ forbid managing Server and Client PBXs|
|Can/ Cannot manage group||Allow/ forbid managing any specific group|
|Can/ Cannot access menu|
|Can/ Cannot||Add and remove users|