AWS Security ChangesHomeSearch

AWS connect documentation change

Service: connect · 2026-01-19 · Documentation low

File: connect/latest/adminguide/dashboard-access-control.md

Summary

Restructured and updated documentation for hierarchy-based access control in Amazon Connect dashboards and reports. Changes include reorganizing sections, updating instructions for enabling access control, assigning permissions, and expanding limitations section.

Security assessment

The changes focus on improving documentation for existing security features (hierarchy-based access control). There is no evidence of a security vulnerability being fixed; updates are clarifications and process improvements. Security relevance comes from documenting access control mechanisms.

Diff

diff --git a/connect/latest/adminguide/dashboard-access-control.md b/connect/latest/adminguide/dashboard-access-control.md
index d840afcc3..e4caed097 100644
--- a//connect/latest/adminguide/dashboard-access-control.md
+++ b//connect/latest/adminguide/dashboard-access-control.md
@@ -5 +5 @@
-Important things to knowEnable hierarchy-based access controlStep 2: Assign security profiles permissionsLimitations
+How to enable hierarchy-based access controlAssign security profiles permissionsLimitations
@@ -9 +9 @@ Important things to knowEnable hierarchy-based access controlStep 2: Assign secu
-You can leverage agent hierarchies to control which supervisors and managers have access to view data about specific agents. For example, you can [set up hierarchy groups and levels](./agent-hierarchy.html) for a team, and then you can specify that only supervisors assigned to a hierarchy group within that team are able to see routing profiles, queues, and performance metrics for agents who are assigned to that same hierarchy group. This is called _hierarchy-based access control_.
+You can leverage agent hierarchies to control who has access to view specific agents and their performance related metrics in dashboards and reports.
@@ -11 +11 @@ You can leverage agent hierarchies to control which supervisors and managers hav
-You can use hierarchy-based access control together with tag-based access control. This is useful to do when you have multiple lines of business and hierarchies within each line of business. For example, you have a corporation with three lines of business: Clothing, Loans, and Banking. You can use tags to segregate your resources—agents, queues, routing profiles—to each line of business. With each line of business, you can have hierarchical levels such as Level1 (country), Level2 (state), Level3 (site). You can then use hierarchies to configure these levels and use hierarchy-based access control to restrict access of site level managers. 
+Hierarchy-based access control enables you to configure granular access to users based on the [agent hierarchy](./agent-hierarchy.html) that is assigned to a user. You can [configure](./hierarchy-based-access-control.html) hierarchy-based access controls by using the API/SDK or the Amazon Connect admin website.
@@ -13 +13 @@ You can use hierarchy-based access control together with tag-based access contro
-###### Contents
+The only resource that supports hierarchy-based access control is agents. This authorization model works with [tag-based access control](./tag-based-access-control.html), so you can restrict access to users, allowing them to see only other agents who belong to the same hierarchy group and who have specific tags associated to them.
@@ -15 +15 @@ You can use hierarchy-based access control together with tag-based access contro
-  * Important things to know when using tag- and hierarchy-based controls simultaneously
+###### Contents
@@ -17 +17 @@ You can use hierarchy-based access control together with tag-based access contro
-  * Step 1: Enable hierarchy-based access control for reports and dashboards
+  * How to enable hierarchy-based access control for reports and dashboards
@@ -19 +19 @@ You can use hierarchy-based access control together with tag-based access contro
-  * Step 2: Assign security profiles permissions to access dashboards, reports, and resources
+  * Assign security profiles permissions to access dashboards, reports, and resources
@@ -26,3 +26 @@ You can use hierarchy-based access control together with tag-based access contro
-## Important things to know when using tag- and hierarchy-based controls simultaneously
-
-  * When a supervisor or manager is assigned to two security profiles, and each security profile has unique configurations of both tag-based access control and hierarchy-based access control, Amazon Connect cannot enforce granular access control on reports. 
+## How to enable hierarchy-based access control for reports and dashboards
@@ -30 +28 @@ You can use hierarchy-based access control together with tag-based access contro
-In this scenario, to prevent supervisors or managers from viewing data that may not be intended for them, we recommend that you do **not** grant them security profile permissions to access real-time and historical metrics reports. (Dashboards don't support tagging so only the hierarchy-based access control is enforced.) 
+To enable granular access control for a given user based on the hierarchy they belong to, you configure the user as an access controlled resource. To do this, you have the following two options:
@@ -32 +30 @@ In this scenario, to prevent supervisors or managers from viewing data that may
-  * When you enable tag-based access control and hierarchy-based access control simultaneously, the [configuration limitations](./tag-based-access-control.html#tag-based-access-control-config-limitations) imposed by tag-based access still exist.
+  * **Enforce hierarchy-based access control based on the user's hierarchy**
@@ -34 +32 @@ In this scenario, to prevent supervisors or managers from viewing data that may
-  * When you enable tag-based access control and hierarchy-based access control simultaneously, Amazon Connect enforces each control method independently. This means that supervisors or managers must meet the requirements of both control types in order to gain access to agent data and resources such as routing profiles, queues, and performance data.
+This option ensures that the user being given access can only manage agents that belong to this hierarchy. For example, enabling this configuration for a given user enables them to manage other agents that either belong to their hierarchy group or a child hierarchy group.
@@ -36 +34 @@ In this scenario, to prevent supervisors or managers from viewing data that may
-  * When a supervisor or manager is assigned to two security profiles, and one security profile has tag-based access control and the other security profile has hierarchy-based access control, Amazon Connect restricts access on both tag and hierarchy as though tag-based access control and hierarchy-based access control are on a single security profile.
+  * **Enforce hierarchy-based access control based on a specific/custom user hierarchy**
@@ -38 +36 @@ In this scenario, to prevent supervisors or managers from viewing data that may
-  * When a supervisor or manager is assigned to two security profiles, if both security profiles have hierarchy-based access control, but one of the security profiles has tag-based access control, the applicable tags are enforced for agents who are in both hierarchies.
+This option ensures that the user being given access can only manage agents that belong to the hierarchy defined in the security profile. For example, enabling this configuration for a given user enables them to manage other users that either belong to the hierarchy group specified in the security profile or a child hierarchy group.
@@ -40 +37,0 @@ In this scenario, to prevent supervisors or managers from viewing data that may
-  * When a supervisor or manager is assigned to two security profiles, and both security profiles have tag-based access control, but one of the security profiles has hierarchy-based access control, then the hierarchy filter is applied to resources (agents, routing profiles, queues, and performance data) that have either set of tags.
@@ -43,0 +41 @@ In this scenario, to prevent supervisors or managers from viewing data that may
+![The Hierarchy-based access control option, the Targeting dropdown list.](/images/connect/latest/adminguide/images/dashboard-hbac-enable.png)
@@ -45 +43 @@ In this scenario, to prevent supervisors or managers from viewing data that may
-## Step 1: Enable hierarchy-based access control for reports and dashboards
+## Assign security profiles permissions to access dashboards, reports, and resources
@@ -47 +45 @@ In this scenario, to prevent supervisors or managers from viewing data that may
-You can configure hierarchy-based access controls by using the [API/SDK](./hierarchy-based-access-control.html#hierarchy-based-access-control-api-sdk) or the Amazon Connect admin website. The following instructions explain how to configure it using the Amazon Connect admin website.
+The user will need one of the following permissions to view the reports and dashboards:
@@ -49 +47 @@ You can configure hierarchy-based access controls by using the [API/SDK](./hiera
-  1. Log in to the Amazon Connect admin website with an **Admin** account, or an account assigned to a security profile that has **Users and Permissions** \- **Security profiles** \- **Edit** permission. 
+  * **Analytics and Optimization - Access metrics - Access** : If you choose this option, access is granted to Real-time metrics, Historical metrics reports, Dashboards, and Agent activity audit.
@@ -51 +48,0 @@ You can configure hierarchy-based access controls by using the [API/SDK](./hiera
-  2. On the left navigation menu, choose **Users** , and then choose the security profile you want to edit. 
@@ -53 +49,0 @@ You can configure hierarchy-based access controls by using the [API/SDK](./hiera
-  3. On the **Manage security profiles** page, choose the security profile you want to edit. 
@@ -55 +50,0 @@ You can configure hierarchy-based access controls by using the [API/SDK](./hiera
-  4. Scroll to the bottom of the **Edit security profile** page, choose **Show advanced options** , and then choose **Hierarchy-based access control** , as shown in the following image. 
@@ -57 +52 @@ You can configure hierarchy-based access controls by using the [API/SDK](./hiera
-![The HIerarchy-based access control option, the Targeting dropdown list.](/images/connect/latest/adminguide/images/hbac-dashboards.png)
+OR
@@ -59 +54 @@ You can configure hierarchy-based access controls by using the [API/SDK](./hiera
-  5. Under **Resources** , choose **Users**.
+  * **Analytics and Optimization - Real-time metrics - Access**
@@ -61 +55,0 @@ You can configure hierarchy-based access controls by using the [API/SDK](./hiera
-  6. Under **Targeting** , use the dropdown list to select one of the following options: 
@@ -63 +56,0 @@ You can configure hierarchy-based access controls by using the [API/SDK](./hiera
-     * **Assigned user hierarchy**. Select this option to enable supervisor to manage agents who either belong to the supervisor's hierarchy group or a child hierarchy group.
@@ -65 +57,0 @@ You can configure hierarchy-based access controls by using the [API/SDK](./hiera
-This option ensures that the supervisor or manager who is given access can only view data for agents who also belong to this same hierarchy or a child hierarchy group. 
@@ -67 +59 @@ This option ensures that the supervisor or manager who is given access can only
-     * **Custom user hierarchy**. Select this option to to specify a custom hierarchy and the agent hierarchy level. Supervisors or managers can view data for agents who belong to a different hierarchy than them. For example, this option allows Site 1 manager to view data for Site 2 agents.
+OR
@@ -69 +61 @@ This option ensures that the supervisor or manager who is given access can only
-This option also enables you to be very specific about the hierarchy level a supervisor can access. For example, the following image shows a security profile that gives supervisors access to view reporting data for agents who are in Division1/Location1/Section1. 
+  * **Analytics and Optimization - Historical metrics - Access**
@@ -71 +62,0 @@ This option also enables you to be very specific about the hierarchy level a sup
-![The Hierarchy-based access control option, the Custom user hierarchy option.](/images/connect/latest/adminguide/images/hbac-dashboards2.png)
@@ -73 +63,0 @@ This option also enables you to be very specific about the hierarchy level a sup
-  7. Choose **Save**.
@@ -75,0 +66 @@ This option also enables you to be very specific about the hierarchy level a sup
+OR
@@ -76,0 +68 @@ This option also enables you to be very specific about the hierarchy level a sup
+  * **Analytics and Optimization - Dashboards - Access**
@@ -78 +69,0 @@ This option also enables you to be very specific about the hierarchy level a sup
-## Step 2: Assign security profiles permissions to access dashboards, reports, and resources
@@ -80 +70,0 @@ This option also enables you to be very specific about the hierarchy level a sup
-After you assign hierarchy-based access control to a supervisor or manager, you must grant them one or more of the following permissions so they can access the appropriate tabs on the **Dashboards and reports** page, as shown in the following image.
@@ -82 +71,0 @@ After you assign hierarchy-based access control to a supervisor or manager, you
-![Tabs on the Dashboards and reports page.](/images/connect/latest/adminguide/images/access-control-hierarchy2.png)
@@ -84 +73 @@ After you assign hierarchy-based access control to a supervisor or manager, you
-  1. On the **Edit security profile** page, assign the supervisor or manager the following permissions as needed so they can access dashboards and reports:
+OR
@@ -86 +75 @@ After you assign hierarchy-based access control to a supervisor or manager, you
-     * **Analytics and Optimization - Access metrics - Access** : Grants access to all the tabs on the **Dashboards and reports** page.
+  * **Analytics and Optimization - Agent Activity Audit - Access**
@@ -88 +76,0 @@ After you assign hierarchy-based access control to a supervisor or manager, you
-     * **Analytics and Optimization - Real-time metrics - Access** : Grants access to the **Real-time metrics** tab.
@@ -90 +77,0 @@ After you assign hierarchy-based access control to a supervisor or manager, you
-     * **Analytics and Optimization - Historical metrics - Access** : Grants access to the **Historical metrics** tab.
@@ -92 +78,0 @@ After you assign hierarchy-based access control to a supervisor or manager, you
-     * **Analytics and Optimization - Dashboards - Access** : Grants access to the **Dashboards** tab.
@@ -94 +80 @@ After you assign hierarchy-based access control to a supervisor or manager, you
-     * **Analytics and Optimization - Login/Logout - Access** : Grants access to the **Login/Logout report** tab.
+![Tabs on the Dashboards and reports page.](/images/connect/latest/adminguide/images/dashboard-hbac-permissions.png)
@@ -96 +82 @@ After you assign hierarchy-based access control to a supervisor or manager, you
-  2. Assign the supervisor or manager security profile permissions to access resources such as users, routing profiles, and queues. 
+Additionally, the user will need permissions to access resources. The following image shows an example of security profile permissions that grant users the ability to view routing profiles, queues, and Amazon Connect user accounts. **Routing profiles - View** , **Queues - View** , and **Users - View** are selected.
@@ -98 +84 @@ After you assign hierarchy-based access control to a supervisor or manager, you
-For example, the following image shows security profile permissions that grant the ability to view routing profiles, queues, and Amazon Connect users. **Routing profiles - View** , **Queues - View** , and **Users - View** are selected. 
+!["View" permissions for routing profiles, queues, and users.](/images/connect/latest/adminguide/images/dashboard-hbac-resource-permissions.png)
@@ -100 +86 @@ For example, the following image shows security profile permissions that grant t
-!["View" permissions for routing profiles, queues, and users.](/images/connect/latest/adminguide/images/access-control-hierarchy3.png)
+## Limitations
@@ -101,0 +88 @@ For example, the following image shows security profile permissions that grant t
+The following limitations apply when you use hierarchy-based access controls in reports and dashboards:
@@ -102,0 +90 @@ For example, the following image shows security profile permissions that grant t
+  * Access to view **Agent Queues** is disabled.
@@ -103,0 +92 @@ For example, the following image shows security profile permissions that grant t
+  * There are additional things to consider if tag-based access control is being applied simultaneously with hierarchy-based access control:
@@ -105 +94 @@ For example, the following image shows security profile permissions that grant t
-## Limitations
+    * If tag-based access control is enabled along with hierarchy-based access control, the [limitations](./rtm-tag-based-access-control.html#rtm-tag-based-access-control-limitations) imposed by tag-based access will still be there.
@@ -107 +96 @@ For example, the following image shows security profile permissions that grant t
-You can only apply hierarchy-based access control to agents; no other Amazon Connect resource supports it. 
+    * When both tag-based and hierarchy-based access controls are in place, the system enforces each control method independently. This means that users must meet the requirements of both control types to gain access to resources.
@@ -109 +98 @@ You can only apply hierarchy-based access control to agents; no other Amazon Con
-The following limitations apply when you use hierarchy-based access controls in reports and dashboards.
+    * When one security profile has tag-based access control and the other has hierarchy-based access control, we will restrict access on both tag and hierarchy as though tag-based access control and hierarchy-based access control are on a single security profile.
@@ -111 +100 @@ The following limitations apply when you use hierarchy-based access controls in
-  * Access to view the **Agent queues** is disabled.
+    * If two security profiles have hierarchy-based access control and one of the profiles has tag-based access control, the applicable tags will be enforced for resources in both hierarchies.
@@ -113 +102 @@ The following limitations apply when you use hierarchy-based access controls in
-  * The **Agent Adherence** table on the Real-time metrics page is not supported.
+    * If two security profiles have tag-based access control and one of the profiles has hierarchy-based access control, then the hierarchy filter will be applied to resources with either tags.
@@ -114,0 +104 @@ The following limitations apply when you use hierarchy-based access controls in
+    * If both security profiles have unique configurations for tag-based and hierarchy-based access control, we cannot enforce hierarchy-based access control effectively. This could allow users to access more data than intended in certain scenarios. In such cases, we recommend not granting access to Real-time and Historical reports for users with this type of access control setup, or just leverage hierarchy-based or tag-based controls to restrict users access.
@@ -115,0 +106 @@ The following limitations apply when you use hierarchy-based access controls in
+    * If you have hierarchy-based access controls enabled in your Security Profile, the **Agent performance summary** widget on the dashboards will display a summary of metrics for the agent hierarchy you have access to.
@@ -118 +108,0 @@ The following limitations apply when you use hierarchy-based access controls in
-The options for these tables are shown in the following image of the **Real-times metrics** page.
@@ -120 +109,0 @@ The options for these tables are shown in the following image of the **Real-time
-![The Real-time metrics page, the Agent queues and Agent Adherence tables.](/images/connect/latest/adminguide/images/hbac-dashboards-agentqueues.png)
@@ -130 +119 @@ Use contact segment attributes
-Identify conferences and transfers
+Apply tag-based access control