# Back Office permissions, home label and SSO

There are 4 main permission roles in the Smartico Back Office:

* **CRM Admins** - the role with the highest set of permissions. Can manage sensitive settings and create other users to access the Smartico Back Office.
* **CRM Manager** - the main role, with access to manage the CRM and Gamification setup and many other settings needed in daily work.
* **CRM Manager + Engineer** - has the same permissions as CRM Manager but can also access private keys for the APIs. This role supports the integration with Smartico.
* **CRM Support** - can see everything, but cannot change most of the configurations. The main focus is on the CRM User/player profile screen and the ability to investigate and make minor adjustments on the user/player level (note that "**give bonus**" is among such actions!).

You can find a detailed explanation of all roles below.

It is important to note that if you manage multiple labels, a specific user can have different permissions for different labels. So one user can be CRM Admin in label A and, at the same time, CRM Manager in label B.

## Concept of "Home" label

{% hint style="info" %}
If you have only one Label in Smartico you can skip reading this section entirely.
{% endhint %}

When a new user is created in the Smartico Back Office, it should be assigned to a specific label as its "Home label". You can think of the home label as the main label to which the user belongs. Only CRM Admins of the home label can manage other users that belong to this label.

Let's say you started with the label "**MyCasino Europe**" and created users under this label.

At some point your business expands and you create a new label "**MyCasino USA**". From this point:

* you can give some of the existing users access to MyCasino USA
* you can create new users under the USA label, and they will have access only to the USA label
* you can create a user with the CRM Admin role under the USA label. This user will be able to manage users of the USA label, but will not be able to manage users of the Europe label.
* if you decide to close the USA label altogether, the users that were created under the USA label will lose access to Smartico entirely, because this was their main label, or what we call the "Home" label

Every home label also has a definition of a "**suffix**" for usernames. For example, your Europe label may have the suffix "mycasino", and then all the users under this label should have names in a format like john\@mycasino. Another label of yours could have the same suffix or a different one, depending on your vision.

As a concept, the suffix reflects an organizational unit or CRM group in your company.

## Default permissions groups in Smartico

Here you can find the permission groups of the administrative users in the Smartico Back Office.

<table data-full-width="false"><thead><tr><th width="241.39453125">Role</th><th>Allowed to do</th></tr></thead><tbody><tr><td>CRM Manager</td><td>Can manage campaigns, segments, assets for communication.<br>Can manage all gamification elements<br>Can access user profiles and:<br>- send messages<br>- adjust points<br>- give/complete missions<br>- change test and opt-out flags<br>- give mini-games spins<br>- give bonuses</td></tr><tr><td>CRM Admin</td><td>Same as <strong>CRM Manager</strong> and:<br>- SMS, Mail, IVR gateways<br>- Caps for mails &#x26; sms<br>- Brands configurations<br>- Create new Back Office users<br>- Other label level configurations<br>- Access REST API &#x26; Keys</td></tr><tr><td>CRM Support</td><td>Has read-only access to all Marketing &#x26; Gamification configurations<br><strong>Can</strong> access user profiles:<br>- send messages<br>- adjust points<br>- give missions<br>- give mini-games spins<br>- give bonuses<br><strong>Cannot</strong>:<br>- complete missions<br>- change opt-out flags<br>- change test flag</td></tr><tr><td>CRM Manager + Engineer</td><td>Same as <strong>CRM Manager</strong> and can additionally:<br>- Access REST API documentation &#x26; Keys</td></tr></tbody></table>

{% hint style="info" %}
Note that each role can be extended with additional permissions, and some permissions can be taken away from a role. For example, a **CRM Admin** can create a new user with the role of **CRM Support**, but exclude the ability to give bonuses and additionally give access to REST API documentation and keys.
{% endhint %}

<figure><img src="https://77049817-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfS5hl0PiysHtKAKMsQTe%2Fuploads%2Fgit-blob-047eae1c25e53173fa81efacf78a7a13603b4855%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## "Additional" and "Restriction" roles

The operator can give what are called "Additional roles" to users.

For example, the CRM Support role doesn't have permission to "Complete missions" manually for players, but this permission can be given to a particular user as an "Additional role".

<figure><img src="https://77049817-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfS5hl0PiysHtKAKMsQTe%2Fuploads%2Fgit-blob-776b9987a247a1a5b70e8c0ca6d15f56c04344a2%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Also, some permissions can be taken away at the user level using "Restriction roles", for example to remove the permission to adjust points.

<figure><img src="https://77049817-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfS5hl0PiysHtKAKMsQTe%2Fuploads%2Fgit-blob-bd59f5938277262ac3ad78cc8636d937d49049de%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Restriction roles that can currently be applied to a user to take permissions away:

<table><thead><tr><th width="304">Role</th><th>Explanation</th></tr></thead><tbody><tr><td>Don't allow to adjust points</td><td>Removes permission to adjust gamification points for player</td></tr><tr><td>Don't allow to send personal messages</td><td>Removes permission to send communication manually from the player profile</td></tr><tr><td>Don't allow to export segment</td><td>User won't be able to export segments</td></tr><tr><td>Hide links in SMS &#x26; Mail communication</td><td>When looking at the communication history and content of mails/sms/popups, user won't see the actual links</td></tr><tr><td>Don't allow to give bonus from user profile</td><td>User won't be able to give bonus manually to the player</td></tr><tr><td>Don't allow to read content of sent mails/sms/popups</td><td>User won't be able to see the content of sent communication, and will see only the fact that communication was sent</td></tr><tr><td>Don't allow activation of Campaigns &#x26; Rules</td><td>Users won't be able to activate campaigns or automation rules or make any changes to already active campaigns and rules. They can still create draft versions that will be activated by other users with higher permissions</td></tr><tr><td>Restrictions \ Don't allow activation &#x26; editing of Operational Campaigns</td><td>Users won't be able to activate Operational campaigns or make any changes to already active campaigns. They can still create draft versions that will be activated by other users with higher permissions.<br>Important: this role is restricting only Operational campaigns, but not Marketing</td></tr><tr><td>Don't allow to give mini-game attempts</td><td>User won't be able to give mini-game attempts manually to the player</td></tr><tr><td>Don't allow to give mission manually</td><td>User won't be able to give missions manually to the player</td></tr><tr><td>Don't allow giving raffle tickets from user profile</td><td>User won't be able to give raffle tickets manually to the player</td></tr><tr><td>Don't allow editing of communication assets</td><td>User won't be able to edit communication assets, but still able to see them and build campaigns using these resources</td></tr></tbody></table>
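For a least-privilege review, the model described above (a role per label, extended by additional roles and narrowed by restriction roles) can be evaluated as below. This is an added example, not Smartico code: the short action names and the user export format are invented for illustration, and it assumes that a restriction wins when the same action is also granted as an additional role.

```python
# Default user-profile actions per role, transcribed from the roles table on this page.
# The short action names are labels invented for this example.
MANAGER = frozenset({"send_messages", "adjust_points", "give_missions",
                     "complete_missions", "change_flags", "give_spins", "give_bonuses"})
DEFAULTS = {
    "CRM Manager": MANAGER,
    "CRM Admin": MANAGER,
    "CRM Manager + Engineer": MANAGER,
    "CRM Support": MANAGER - {"complete_missions", "change_flags"},
}
# Restriction roles from the table above that remove a user-profile action.
RESTRICTIONS = {
    "Don't allow to adjust points": "adjust_points",
    "Don't allow to send personal messages": "send_messages",
    "Don't allow to give bonus from user profile": "give_bonuses",
    "Don't allow to give mini-game attempts": "give_spins",
    "Don't allow to give mission manually": "give_missions",
}

def effective_actions(role, additional=(), restrictions=()):
    """Defaults of the role, plus additional roles, minus restriction roles.
    Assumption: a restriction wins over an additional role for the same action."""
    granted = set(DEFAULTS[role]) | set(additional)
    return granted - {RESTRICTIONS[r] for r in restrictions}

def who_can(action, users):
    """Return sorted (username, label) pairs holding `action`. Roles are per label;
    additional and restriction roles are treated as per user (assumption)."""
    hits = []
    for u in users:
        extra, removed = u.get("additional", ()), u.get("restrictions", ())
        for label, role in u["roles"].items():
            if action in effective_actions(role, extra, removed):
                hits.append((u["username"], label))
    return sorted(hits)

# Constructed sample export (hypothetical format, not a Smartico API response).
USERS = [
    {"username": "john@mycasino",
     "roles": {"MyCasino Europe": "CRM Admin", "MyCasino USA": "CRM Manager"}},
    {"username": "anna@mycasino", "roles": {"MyCasino Europe": "CRM Support"},
     "restrictions": ["Don't allow to give bonus from user profile"]},
    {"username": "mike@mycasino", "roles": {"MyCasino USA": "CRM Support"},
     "additional": ["complete_missions"]},
]
```

Calling `who_can("give_bonuses", USERS)` lists every user and label pair that can still issue bonuses, which is the set to review first, since every default role includes that action.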

## Authorization with SSO

Smartico supports Single Sign-On (SSO), currently available for **Google** and **Microsoft** users, with plans to expand support to other providers in the future.

To enable SSO, the client needs to provide the email domain(s) used in their Google Workspace (e.g., **mycompany.com**). This setup allows users with emails under the specified domain (e.g., **<john@mycompany.com>**) to log in using SSO.

{% hint style="info" %}
Note: Smartico does not support authorization using personal mail accounts under generally available domains like google.com, yahoo.com, etc. Only company-managed emails/domains are supported.
{% endhint %}

**When enabling SSO, the client must provide:**

1. List of company-owned **mail domains**, e.g. mycompany.com, mycompany.org
2. Whether to allow user creation on the Smartico side when a new user logs in through SSO. If "yes", then also:
   1. The **default permission role** to be assigned to new users (e.g., "CRM Support," "CRM Manager," etc.).
   2. The **Smartico label(s)** to which newly created users will have access, e.g. label IDs 4444 and 4445
   3. Which of the labels listed in point "b" will be assigned as the "home" label

The logic of user matching and permissions assignment:

* **For new users**: New users logging in via SSO will
  * automatically be assigned access to the specified label(s) listed in point 2b
  * get the default permission role specified in point 2a
  * have the "home" label assigned according to point 2c
* **For existing users:** If an existing user logs in via SSO, they will be matched by their email address and retain their current set of permissions.

Template of the request for enabling SSO:

<table data-header-hidden><thead><tr><th>Configuration</th><th>Value</th><th data-hidden></th></tr></thead><tbody><tr><td>Mail domain(s)</td><td>mycompany.com, mycompany.org</td><td></td></tr><tr><td>Allow new users creation</td><td>YES/NO</td><td></td></tr><tr><td>List of label IDs</td><td>4444,4445</td><td></td></tr><tr><td>Home label ID</td><td>4444</td><td></td></tr><tr><td>Default permission</td><td>CRM Support</td><td></td></tr></tbody></table>

Note: QA labels cannot be selected as Home label ID
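The request template and the matching logic above can be checked before the request is sent, as in this added example (not Smartico code). The class and function names are hypothetical, the public-domain list is a constructed sample, and rejecting unknown users when creation is disabled is an assumption, since the page does not describe that case.

```python
from dataclasses import dataclass

ROLES = {"CRM Admin", "CRM Manager", "CRM Manager + Engineer", "CRM Support"}
# Constructed sample of generally available mail domains (not an official list).
PUBLIC_DOMAINS = {"gmail.com", "google.com", "yahoo.com", "outlook.com"}

@dataclass
class SsoRequest:  # mirrors the rows of the request template
    mail_domains: tuple
    allow_new_users: bool
    label_ids: tuple = ()
    home_label_id: int = 0
    default_role: str = ""

def validate(req, qa_label_ids=()):
    """Return the problems found in a request; an empty list means it is consistent."""
    problems = [f"{d}: generally available domain" for d in req.mail_domains
                if d.lower() in PUBLIC_DOMAINS]
    if not req.mail_domains:
        problems.append("no mail domain given")
    if req.allow_new_users:
        if req.default_role not in ROLES:
            problems.append("default permission is not a known role")
        if req.home_label_id not in req.label_ids:
            problems.append("home label is not in the list of label IDs")
        if req.home_label_id in qa_label_ids:
            problems.append("QA label cannot be the home label")
        if req.default_role == "CRM Admin":  # added least-privilege check, not a Smartico rule
            problems.append("review: every new SSO user would become CRM Admin")
    return problems

def resolve_login(req, email, existing_users):
    """Decide the outcome of an SSO login; existing_users maps lowercase email -> permissions."""
    email = email.lower()
    local, sep, domain = email.rpartition("@")
    # Exact match on the domain part only: suffix or substring matching would
    # also accept look-alike domains such as "notmycompany.com".
    if not sep or not local or domain not in {d.lower() for d in req.mail_domains}:
        return {"result": "rejected", "reason": "domain not enabled for SSO"}
    if email in existing_users:  # matched by email, current permissions are kept
        return {"result": "existing", "permissions": existing_users[email]}
    if not req.allow_new_users:  # assumption: unknown users are refused when creation is off
        return {"result": "rejected", "reason": "user creation disabled"}
    return {"result": "created", "role": req.default_role,
            "labels": list(req.label_ids), "home_label": req.home_label_id}
```

Because every account in an enabled domain can obtain the default role on first login when user creation is allowed, the default role and label list deserve the same scrutiny as a manually created user.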
