Setting Up Application Security for Billing Accounts

This chapter provides an overview of application security for billing accounts and discusses how to enable or disable billing security.

Understanding Application Security for Billing Accounts

This section discusses:

Security enforcement.
Role-based privileges.
CRM security framework.

Security Enforcement

Security is based on the caller's relationship and role on the account. It is enforced through the customer 360-degree view in this way:

When a caller requests a change to a billing account, the customer service representative (CSR) enters caller information into the 360-degree search page. If the caller is a contact for the account, the system uses the business object ID (BO_ID) of the caller to access the caller's role and the membership lists, view lists, functional option groups, and security profiles that are associated with the role.

In the 360-degree view, the Accounts tree node and grid show accounts based on member or manager privileges. If the agent chooses Search Accounts from the tree node or the left navigation, the Configurable Search page opens and the agent can open any Account. In this instance the system is dealing with the contact's privileges and not the agent's. Search Accounts can be disabled if needed.

Role-Based Privileges

Specific privileges are assigned to account members, account managers, and billing account administrators.

Account Members

Account members can:

Access accounts where they are assigned as account members.
Access and modify their own installed services.
Initiate a case for themselves.
Create orders for themselves.
Modify their own installed services.

The Account Member role is the most restricted role on an account. Account members cannot view billing on the account, access payment information, or create a dispute.

Account Managers

Account managers have all the privileges of account members for themselves. Additionally, they can:

View all accounts where they are assigned as account manager and account member.
View all installed services for related accounts.
View account balance and account usage.
View bills related to an account.
View dispute history.
Update the account name, sponsoring account, parent account on an account, account access question, billing cycle, and billing address.
Add a new account member or account manager.

Account managers can add members or other managers from a list of company contacts or consumer contacts, and update member roles on the account. Only account managers can remove account members from an account.

Account members can be removed from an account even if they still have installed services assigned. When a member is removed from an account and still has installed services that are linked to the account, the removed member still owns those services but cannot modify the services or access account details.
Change the primary account manager on an account.
Create a case for themselves or any account members.
Create bulk orders for other members on that account.

Only account managers can create bulk orders for new services (for recipients who are related to the accounts), but every child order from a bulk order is owned by the account member for whom it is ordered.
Modify installed services for everyone on the account using bulk orders.
Create new accounts on behalf of companies or consumers for which they are already account managers on existing accounts.

For example, if John is an account manager on an account for ABC Company, then John can create a new account for ABC Company.

Billing Account Administrators

Billing account administrators can access all company accounts with the privileges of an account manager.

The billing account administrator is not visible as a role on the account. To assign billing account administrators to a company, you must use the Relationship Viewer in the Company, Person, or 360-Degree View component to assign the role to a contact of the company.

A billing account administrator can:

Assign another company contact as primary account manager.
Access all accounts of the company with the privileges of an account manager.
Create new accounts on behalf of companies for which he is a billing account administrator.

CRM Security Framework

Access to the billing account functionality in CRM is administered through security profiles that link membership lists, view lists, and functional options together to grant access depending on their role and responsibilities.

This is the list of specific security objects are maintained for each billing account:

Membership lists.

For each account, two dynamic and two static membership lists are maintained. The dynamic membership lists are BILLING_ACCOUNT_ADMINISTRATOR and ACCOUNT_MANAGER. The static membership lists are ACCOUNT_MANAGER and for the ACCOUNT_MEMBER role.

When you add a contact to an account in any of the BORM roles on the Members tab of the account object, the membership list for the role is updated.
Security profiles for the Billing Account Administrator and Account Manager roles.
View lists.

These are created and updated by the system for each account and define the functionality available to each user that is linked to the account.
Functional options.

These are delivered with the system, and control the role-based privileges that are available to an account user. The three functional option groups are:

Group

Group Code

Account Manager

ACCMANFOG01

Account Member

ACCMEMFOG01

Billing Account Administrator

BILACCFOG01

Group	Group Code
Account Manager	ACCMANFOG01
Account Member	ACCMEMFOG01
Billing Account Administrator	BILACCFOG01

Security administrators who thoroughly understand the CRM security framework should view and modify the functional options for each option group.

Enabling or Disabling Billing Security

This section provides an overview of billing security enablement and lists the page used to disable billing application security.

Understanding Billing Security Enablement

By default, billing security is enabled for billing account management in the communications and energy industries. Enterprises that do not use billing application security can disable it on the Communications Setup page by setting the configuration parameter RBTAPPSEC to Y (enabled) or N (disabled).

See Setting Up Billing Integration for the Communication and Energy Industries.

Page Used to Disable Billing Security

Page Name	Object Name	Navigation	Usage
Communications Setup	RBT_CONFIG_PG	Set Up CRM, Product Related, Communications, Communications Setup, Communications Setup Set Up CRM Product Related, Energy, Energy Setup, Energy Setup, Communications Setup	Disable or enable application security for billing applications in the communications and energy industries. The option that controls application security is the RBTAPPSEC.