We have strict data isolation requirements between divisions. Agents in Division A should NOT see agents in Division B in the directory or transfer menu.
Currently, all 500 agents see each other regardless of division. How do we restrict directory visibility?
# Create division-scoped directory roles
for div_name, div_id in divisions.items():
role_body = {
'name': f'Directory-{div_name}',
'permissions': ['directory:user:view'],
'permissionPolicies': [{
'domain': 'directory',
'entityName': 'user',
'actionSet': ['view'],
'resourceCondition': {'divisionId': div_id}
}]
}
auth_api.post_authorization_roles(role_body)
From a compliance standpoint, division isolation is mandatory for our healthcare deployment.
Under HIPAA, agents handling PHI for Hospital A must not have visibility into Hospital B’s staff. A transfer to the wrong division could expose PHI to unauthorized personnel. Directory isolation is a technical control that supports our BAA requirements.
The transfer menu is a separate visibility concern.
Even with directory isolation, the blind transfer search may show agents from other divisions if the queue membership spans divisions. Ensure queues are division-scoped as well. A queue in Division A should only contain Division A agents.
Directory visibility is controlled by the directory:user:view permission scoped to specific divisions.
Create a role with directory:user:view granted ONLY for Division A. Assign this role to Division A agents. They’ll only see other Division A users in the directory. Repeat for Division B with a separate role.