Prerequisites

1. A pairing link sent by Genesys Cloud support.
2. The following permissions:
   • Authorization > Org Trustor > All
   • Authorization > Org Trustor > View
   • Authorization > Org Trustee Group > Add
   • Authorization > Org Trustee Group > View
   • Authorization > Role > View

To access your Cloud organization, the Genesys Cloud Customer Care team may ask to pair their Genesys Cloud Customer Care Support Team organization to your organization.

NOTE: You can control their access to your organization by assigning roles, and you can revoke their access at any time.

Pair your organization with Customer Care organization

1. Log in to your Cloud organization.
2. To access the pairing request page, open the pairing link sent by Genesys Cloud Customer Care.

   • NOTE: The pairing link expires after seven days, and you can use it only one time. If your link expired, ask your Customer Care representative for a new one.

3. From the pairing request page, click Yes, I authorize access.
4. Click the Groups tab.
5. Assign roles to the Genesys Cloud Customer Care Support Team group by selecting roles in the Role(s) column.
6. Support recommends that you either assign every role to their group or create a new role with all permissions and assign it their group.

   • NOTE: Genesys Cloud does not bill your organization for the roles or licenses used by Customer Care.

Additional resources

• Genesys Cloud Customer Care ‘Support Orgs’: Details & FAQ (My Support login required)
• About authorized organizations

Prerequisites: See Roles and permissions for pairing organizations and Roles and permissions for authorized users and groups.

If another organization wants to pair with you, you receive an email that contains a generic pairing link. For example: https://apps.mypurecloud.com/directory/#/admin/people-permissions/auth-orgs/pair/9d0230d0-6b16-4f15-bfbb-aa5085ee1450

NOTE:A pairing link expires after seven days.

1. Click the link and read the message. 
   
   • WARNING: Do not approve a pairing request unless you know the sender.
   • NOTE:When granting system access to another user or group (“permitted user”), be aware that you are responsible for how the permitted user uses your system. Genesys is not responsible for any misuse of data, change to configuration, etc.
2. To accept the request, click Yes, I authorize access.
3. Select the appropriate role for the user or group.
   • NOTE: All members in the group receive the role and the associated permissions.

NOTE

• The roles you assign here determine how the user or group can work in your organization. 
• Assign only the roles that you are comfortable providing to the other organization. In the typical customer-to-partner scenario, it is common for the customer to assign the Master Admin role or the Admin role to their partner’s users or groups. Other roles may be necessary when working with Customer Care.

NOTE: When granting system access to another user or group (“permitted user”), be aware that you are responsible for how the permitted user uses your system. Genesys is not responsible for any misuse of data, change to configuration, etc.

An administrator from the Genesys Cloud organization in which the authorized users and groups work must assign the appropriate permissions to them. For example, in a customer-to-partner scenario, a customer must assign the appropriate permissions to the users and groups from the partner. Roles are predefined sets of permissions that streamline the process of assigning permissions.

Access control for authorized users and groups

Be aware of access control when you allow authorized groups or users the access to work in another organization. Genesys Cloud automatically grants authorized groups or users access to all divisions assigned to the roles that the member receives by pairing with the organization. 

Permissions for authorized users and groups

This table lists all the permissions that are available for authorized users and groups. You can assign any permission to any user or groups.

Minimum permissions

All external authorized users and groups require the following permissions.

Trusted External User role

An administrator must assign the Trusted External User role or the minimum permissions to all authorized external users and groups who work in the organization.

NOTE:The Trusted External User role is available only for Genesys Cloud organizations created on or after May 17, 2017. If your organization was created before May 17, 2017, create a custom role that has the minimum permissions necessary for authorized users. For more information, see Example of a custom role (Trusted External User).

Master Admin role

In the typical customer-to-partner scenario, it is common for customers to assign the Master Admin role to the authorized users from their partner. The default Master Admin role has all the permissions that are necessary for a user or group to administer your organization. When you seek assistance, Customer Care may require other permissions and roles.

NOTE: The permissions that a role contains are what enables a user to perform an action. Because you can modify existing roles, it is important to be sure that a role has the permission(s) required to perform a specified action.

If you do not want to assign the Master Admin role to an authorized user or group from another organization, create custom roles that contain only the permissions you want to assign. 

Example of a custom role (Authorized User Admin)

Here is an example of a custom role that provides the minimum permissions that are necessary for an authorized user or group.

1. Add a custom role called Authorized User Admin.
2. Assign the following rights to the Authorized User Admin role.

NOTE: A user who grants roles to authorized users needs this permission.

Example of a custom role (Trusted External User)

Here is an example of a custom role that provides the minimum permissions that are necessary for an authorized user or group. 

1. Add a custom role called Trusted External User.
2. Assign the following rights to the Trusted External User role.

Minimum permissions for partners

If you are a partner and you want to work with your clients, you must have the following permissions:

View your clients

To view your clients, you must have a role with these permissions:

• affiliateOrganization > clients > View
• externalOrganization > externalContacts > View
• authorization > orgTrustee > View

Pair with your clients

To pair with your clients, you must have a role with these permissions:

• Authorization > Orgtrustee > Add
• AffiliateOrganization > Clients > Pair
• AffiliateOrganization > Clients > View
• ExternalOrganization > Externalcontacts > View

Prerequisites: See Roles and permissions for pairing organizations and Roles and permissions for authorized users and groups.

After you approve a pairing request, you must authorize users and groups to work in your organization. To authorize users and groups, assign them the roles their work requires.

NOTE:When granting system access to another user or group (“permitted user”), be aware that you are responsible for how the permitted user uses your system. Genesys is not responsible for any misuse of data, change to configuration, etc.

When an administrator sends you a pairing link, the administrator can request authorization for multiple users and groups. Later, the administrator can request authorization for other users and groups as well. The maximum number of users that can access another organization is 25.

1. Click Admin.
2. Under People and Permissions, click Authorized Organizations.
3. Click Access To My Organization. 
4. Click the name of the paired organization.
5. Click the user’s or group’s name.
6. Under Roles, search for and select the roles for the user or group.

NOTE

• The default Master Admin role has all the permissions that are necessary for a user or group to administer your organization. When you seek assistance, Customer Care may require other permissions and roles.
• The permissions that a role contains are what enables a user to perform an action. Because you can modify existing roles, it is important to be sure that a role has the permission(s) required to perform a specified action.
• Until an administrator assigns one or more roles to a user or group, the user or group cannot work in the organization.
• When an administrator selects a role for a user or group, that user or group receives access immediately.

Auth Orgs is Care's implementation of a Genesys Cloud feature called Authorized Organizations. ​

Care combines the Authorized Organizations feature with OneLogin and Genesys Cloud Orgs in each AWS region to create the Auth Orgs system. Through this system Care can perform tasks inside a customer's org in a way that the customer controls, using the same roles used to manage their internal users. With authorized organizations, you can establish a secure relationship with another Genesys Cloud organization. This relationship allows permitted users and groups from one organization to log in to another organization.

Manage the pairing between two Genesys Cloud organizations

Learn how two organizations become paired. Create and send a pairing ID to an organization you want to pair with. If you receive a pairing request, understand what it means to accept it. Remove access or delete a pairing if necessary.

• Understand the pairing process
• Roles and permissions for pairing organizations
• Create and send a pairing request to an authorized organization
• Receive and accept a pairing request
• Remove access to your organization
• Pair your organization with Genesys Customer Care

Manage authorized users and groups

Allow users and groups from another Genesys Cloud organization to work in your organization and track their activity.

• Authorized users and groups
• Roles and permissions for authorized users and groups
• Authorize users and groups to work in your organization
• Clone a user in another organization
• View the users and groups who are authorized to work in your organization
• Request access for another authorized user or group
• Remove access from an authorized user or group

See your relationships 

See which organizations you can work in, and see who can work in your organization. 

• See the organizations you have granted access to
• See the organizations you can access

Support Users and Cloned Users

Once pairing is completed, Care will access a customer’s Org in one of two ways:

• Via a Support Org User​
• Via a Cloned User​

Access granted to these users is controlled by the role(s) the customer assigns to the pairing link. ​Actions taken by Care using either a Support Org User or Cloned User are audited as the first & last name of the engineer taking the action.​ Support Org Users are for tasks such as checking configurations, running reports, or reviewing specific interactions.​ Cloned Users are for agent tasks such as placing/receiving calls or ACD interactions or using Genesys Cloud chat features. 

To establish a pairing between two organizations, you must have specific permissions in your home organization. 

NOTE: When granting system access to another user or group (“permitted user”), be aware that you are responsible for how the permitted user uses your system. Genesys is not responsible for any misuse of data, change to configuration, etc.

Initiate a pairing request

To initiate the pairing request, you need one of these permissions:

• Authorization > Org Trustee > All
• Authorization > Org Trustee > Add

Authorize the pairing request

To authorize the pairing request, you need these permissions:

• Authorization > Org Trustor > All 
• Authorization > Org Trustor > View

Authorize users and groups

To authorize users and groups from another organization to work in your organization, you need these permissions:

• Authorization > Org Trustee User > Add
• Authorization > Org Trustee User > View
• Authorization > Org Trustee Group > Add
• Authorization > Org Trustee Group > View
• Authorization > Role > View

An authorized user is a user who has permission to work in an organization other than the user’s home organization. By managing authorized users and groups, you can allow users and groups from another Genesys Cloud organization to work in your organization and track their activity.

For example, if you are in a trusted relationship with a partner, you can allow the partner’s users to help you configure your Genesys Cloud organization. The partner’s team of support personnel are authorized users for a customer’s organization.

You can assign roles and permissions to ensure that each user or group has the appropriate level of access. You can also remove access if necessary. Use groups to streamline the management of which users have access to your organization.

To streamline the management of authorized users, use groups. Create groups in your home organization. Then request permission for them to work in another organization. All members in the group receive the same roles and permissions. If you change the membership of the group by adding or removing a user, you do not affect the other members of the group.

NOTE

• An organization can have a maximum 25 authorized users.
• Genesys Cloud tracks authorized users separately from regular Genesys Cloud users. Authorized users do not affect user counts for the purposes of licensing and billing.

Authorized users assist only with administrative tasks. The following functionality is unavailable to an authorized user in another organization.

Auth Orgs customers can control​:

• When Care can access their Org​
• The permissions Care has when accessing their Org

Disable access entirely

1. Go to Admin > Authorized Organizations > Access To My Organization.
2. Toggle Access to Off.
   

Limit access

1. Go to Admin > Authorized Organizations > Access to My Organization > [Support Org Name].
2. In the Groups tab, add or remove roles in the Role(s) section as desired.
   

The pairing process authorizes users and groups from one Genesys Cloud organization to work in another Genesys Cloud organization.

Examples

• A Genesys partner can assist a client in configuring, managing, or troubleshooting Genesys Cloud.
• A manager from a parent company can log in to a subsidiary organization to view usage reports.
• An application developer or an independent consultant can log in to a client organization to assist with customizations.

Notes

• Any organization can generate or receive pairing requests.
• You can pair with any other organization in your region.
• An organization can have multiple paired relationships, although each pairing can involve only two organizations. For example, a partner can have a separate paired relationship with each of its client organizations.

Process

1. Your organization generates a pairing request and sends it to the other organization
2. The other organization approves the pairing request and grants the appropriate permissions to users from your organization
3. Your organization, if necessary, promotes additional users to work in your organization
4. The other organization, as appropriate, approves the additional users from your organization to work in the other organization
5. Users from your organization log in to the other organization and perform requested work

Prerequisites: See Roles and permissions for pairing organizations and Roles and permissions for authorized users and groups.

1. Click Admin.
2. Under People and Permissions, click Authorized Organizations.
3. Click Create Pair. In the Add new person or group box, begin typing the name of the Genesys Cloud user or group in your organization who needs access to the other organization. Then select the user or group from the list. Tip: To see the users who already have access, click the Users tab. To see the groups who already have access, click the Groups tab.
4. In the Add new person box, begin typing the name of the Genesys Cloud user in your organization who needs access to the other organization. Select the user from the list.
5. Repeat step 4 to select more people. 
6. Click Click to Copy. The pairing link is now in your clipboard.
7. Paste the pairing link into an email or chat message and send it to the person at the other organization you want to pair with.

Prerequisites: See Roles and permissions for pairing organizations and Roles and permissions for authorized users and groups.

When two organizations are in a paired relationship, either side can remove access at any time.

NOTE: If you remove access from another organization, but the pairing with that organization remains, then you can reenable access to that organization at any time. All authorized users keep their roles.

1. Click Admin.
2. Under People and Permissions, click Authorized Organizations.
3. Click Access To My Organization or Access to Other Organizations, depending on how the pairing was established.
4. Do one of the following:
5. To remove the pairing with another organization, next to the organization’s name, click the X.
6. To disable temporarily the trust relationship, under Access, slide the toggle to Off.

1. Click Admin.
2. Under People and Permissions, click Authorized Organizations.
3. Click Access To My Organization. 

Prerequisites: See Roles and permissions for pairing organizations and Roles and permissions for authorized users and groups.

When you are part of a trust relationship with another organization, either party can remove access from any user or group in that relationship.

NOTE

• If your organization has users and groups from another organization working in it, then you can remove either specific roles from those users or groups, or you can remove those users or groups completely.
• If your organization’s users or groups work in another organization, then you can remove those users or groups. 
• If you remove access from a user or group while the user or group member is logged in to your organization, the user or group member is immediately logged out.

1. Click Admin.
2. Under People and Permissions click Authorized Organizations.
3. Click Access To My Organization or Access to Another Organization.
4. Click the organization name. The list of users appears.
5. To remove access from a user, click the Users tab.
   • To completely remove access for a user, click the x next to the user’s name.
   • To remove a role from a user, next to the user’s name, click the x for the role you want to remove.
6. To remove access from a group, click the Groups tab.
   • To completely remove access for a group, click the x next to the group’s name.
   • To remove a role from a group, next to the group’s name, click the x for the role you want to remove.
7. To remove access from a user, next to the user’s name, click the x.
8. To remove a role from a user, click Access to Another Organization. Next to the user’s name, click the x for the role you want to remove.  

Prerequisites: See Roles and permissions for pairing organizations and Roles and permissions for authorized users and groups.

When two organizations pair, the administrator of the organization providing the users or groups to complete the work requests authorization for them. The administrator of the organization in which the work will be performed assigns the roles for those users or groups.

Later, the same process of requesting and authorizing users and groups can occur if additional authorized users are needed. The maximum number of authorized users and groups that can access another organization is 25.

Note: When granting system access to another user or group (“permitted user”), be aware that you are responsible for how the permitted user uses your system. Genesys is not responsible for any misuse of data, change to configuration, etc.

1. Click Admin.
2. Under People and Permissions, click Authorized Organizations.
3. Click Access To Other Organizations.
4. Click the organization name. 
5. In the Add New Person or group box, begin typing the name of the person or group who needs access.
   
6. Click the user or group in the list. 
   • NOTE:The user or group does not yet have any roles in the organization, and therefore cannot perform work in it. An administrator in the other organization must authorize the user or group first.
7. The administrator in the other organization grants access and assign the roles to the user or group.

Prerequisites: See Roles and permissions for pairing organizations and Roles and permissions for authorized users and groups.

You can see the users and groups from another organization who work in your organization.

1. Click Admin.
2. Under People and Permissions, click Authorized Organizations.
3. Click Access To My Organization.
4. Click the organization name. To see the list of authorized users, click the Users tab. To see the list of authorized groups, click the Groups tab. The list of users from the organization with roles in your organization appears.

To see who is in a trust, you must be a member of its trusted group

Genesys Cloud’s Authenticated Organizations feature establishes a circle of trust between organizations. This circle of trust permits a user who authenticated with their home organization to access an external organization for which they do not have a user account. To view the names of other users in the trust, or the names of groups authorized by the trust, a user must be a member of the trusted group.

Notes:

• A user must be a member of the trusted group to do the following:
  • View details about the trust and its members.
  • Access the external organization.
• An untrusted user sees an empty list of users and groups in the trust along with a message about missing permissions.
• If you are not a member of the trusted group, Genesys Cloud does not reveal its name to you.
• To have yourself added to the group authorizing the trust, contact your Genesys Cloud administrator.

Prerequisites: See Roles and permissions for pairing organizations and Roles and permissions for authorized users and groups.

To assist another organization with testing or troubleshooting, you can clone a user within trust. The cloned user inherits all permissions granted from the trusting organization. You can have up to five cloned users in an organization. 

Once cloned, the trusting organization is able to manage the user like any other user within the organization. 

Note: When granting system access to another user or group (“permitted user”), be aware that you are responsible for how the permitted user uses your system. Genesys is not responsible for any misuse of data, change to configuration, etc.

To be cloned, a user must be trusted as a named user or part of a trusted group through a pairing request. For more information, see Create and send a pairing request to an authorized organization.

1. Click Admin.
2. Under People and Permissions, click Authorized Organizations.
3. Click the Access To Other Organizations tab.
4. Click the name of the paired organization.
5. Select a trusted user or a user from a trusted group. 
6. Under Cloned Users, select a user or user from a trusted group.
7. Log out of Genesys Cloud.
8. Log back into Genesys Cloud and select the targeted organization.

Note: Cloned users are non-billable and are limited to 5 at any given time within a trust.

1. Click Admin.
2. Under People and Permissions, click Authorized Organizations.
3. Click Access To Other Organizations.