Docs navigation

Extensions and users

In Exovo a user and their extension are one identity: the same record carries their web client login, SIP credentials for devices, voicemail box, forwarding behavior and permissions.

The Users page: extension list with registration, caller ID and 2FA status

Creating an extension

Admin → Users → Add User. The essentials are the extension number (fixed once created), first/last name and email — email is where voicemail notifications and system mail go, and doubles as a sign-in name. Optional from day one: mobile number, outbound caller ID (the DID shown when this user dials out — see Caller ID), and a separate fax caller ID.

Tick Send welcome email on create to email the new user their sign-in details and a softphone setup QR (the QR embeds a provisioning code valid for 7 days). The option is available only once SMTP is configured under System → Email.

The status dot in the list tells you at a glance whether the user's devices are registered (green), offline (gray) or the account is disabled (red). Filters across the top narrow the list by group, role and registration — plus a live On call filter that shows only the extensions in a call right now, with a running count beside it.

Bulk management: export, import, copy

For onboarding a whole team, the Users toolbar has Export, Import and Copy.

  • Export downloads the roster as CSV — extension, name, email, mobile, outbound caller ID, role and group. Passwords are never exported.
  • Import creates users from a CSV in that same shape (only the extension is required). Paste or upload the file and Exovo checks every row before creating anything: numbers must be valid and unassigned, roles must be ones you're allowed to grant, and groups must already exist — you see a per-row Ready/skipped preview, and only valid rows import. Each new user gets a freshly generated password. Round-trips cleanly: export a roster, edit it, re-import the additions.
  • Copy (select one user) clones that user's settings — role, group, caller ID, forwarding, recording and hours — to the next free extension number. Credentials and identity (email, mobile, registered phones) are not copied; the copy gets its own generated password.

The numbering plan

Numbers are 2–5 digits, and mixed lengths coexist — routing matches complete dialed numbers, so 3-digit extensions can live alongside a 4-digit branch plan without conflict. A few rules keep the namespace sane:

  • One namespace. Extensions, queues, ring groups and digital receptionists share it — the system rejects a queue numbered like an existing extension.
  • 90000–90099 is reserved for system device identities (gateways register with numbers allocated there) — user numbers in that range are rejected.
  • Emergency numbers (911, 933, 411, 112, 999, 988) can never be assigned.
  • Prefix overlaps warn, not block: creating extension 1001 alongside 100 is legal, but desk phones that dial on digit-timeout make the overlap mildly annoying, so the console points it out and lets you decide.

Roles and access

Each user has a role: User (the default — web client, own settings), Group Admin / Group Owner (manage users within their group), or System Admin / System Owner (the Admin console). Independent of role, the Users list shows each user's 2FA state (see below) and account Active/Disabled status.

Two-factor authentication

Exovo supports app-based two-factor authentication (TOTP) — the six-digit codes from Google Authenticator, Authy, 1Password and similar apps. Because a valid code can only come from the user's own authenticator, users switch it on themselves: under Settings → Security they choose Set up two-factor authentication, scan the QR code (or type the shown key into the app), and enter one code to confirm. After that, signing in asks for a code once the password checks out.

Admins don't hold users' authenticators, so they can't turn 2FA on directly — instead they set policy and handle recovery from Admin → Users:

  • Require it — select users and choose Require 2FA (or tick Require on a user's edit page). A required user can't turn 2FA off themselves, and the list flags anyone who hasn't set it up yet as Required — not set up.
  • Reset it — Reset 2FA clears a user's enrolled authenticator (lost-device recovery) so they can enroll a new one; if 2FA is still required they're prompted to set it up again.

Codes are time-based with a small clock-skew tolerance, and a used code can't be replayed. Pair 2FA with SSO and the hardening steps for defence in depth.

Impersonation

To see exactly what a user sees — to reproduce a problem or check their setup — select them in Admin → Users and choose Impersonate. The console reloads as that user, with an amber banner across the top (Viewing as … · Exit impersonation) so it's always obvious you're not in your own account. Exit impersonation returns you to your admin session, and an idle impersonation also ends on its own after about 15 minutes.

Guardrails: you can't impersonate yourself, a disabled account, or anyone who outranks you (a System Admin can't take over a System Owner), and you can't nest one impersonation inside another. Every action taken while impersonating is written to the audit log against both identities — the user and the admin behind them — and starting and stopping impersonation are logged too.

Reset password on the toolbar regenerates the user's credential set — web client password, SIP password and voicemail PIN together.

Groups and group permissions

Every user belongs to a group (new users land in the Default group). Groups (Admin → Groups) are both an organizational unit and a permission boundary: for each member you grant per-colleague rights — show my calls, barge-in/listen/whisper, see presence, see calls, call operations (transfer/park/pickup), user operations, send fax. These grants are what the operator panel enforces, so who may supervise whom is decided here, not on the panel. New members start with nothing granted.

Voicemail settings

Per user: voicemail PIN, greeting, and email options — none, a notification, the message as an attachment, or attachment-and-delete (the mailbox lives in email). Toggles cover playing the caller's number before the message and skipping PIN authentication from the user's own devices.

Forwarding and status

Each user has forwarding behavior per status (Available, Away, DND) — where calls go on no answer, when busy, or always. Users manage their own under Settings → Call Forwarding; a Forward All rule takes the extension out of normal ringing entirely, with exception rules for specific call types or times. Every forward target — voicemail, another extension, a queue, ring group or digital receptionist, or an external number — is chosen from a picker, so you select an existing queue or IVR by name rather than remembering its number.

When more than one exception rule could match a call, they're evaluated top to bottom and the first match wins — use the Move Up / Move Down arrows on each rule to set that priority.

One identity, many devices

The same extension registers from a provisioned desk phone, the web client in a browser, and the mobile app — simultaneously. Ring behavior, presence and history stay unified, and assigning a desk phone is a two-click affair from the user's IP Phone section (including per-key BLF/speed-dial layout, up to 128 keys on capable phones).

To set up a softphone, use QR Code on the user's edit page. It shows a scannable code plus the SIP account settings (server, extension, auth ID and password). The code is one-time and expires in 15 minutes: scan it with the Exovo mobile app to configure automatically, or type the shown settings into any SIP softphone by hand. Each time you open the dialog a fresh code is issued and the previous one stops working.