Role management

Updated 4 days ago by Leigh Hutchens

You can use roll management to:

  • Add/edit/delete roles
  • Define permissions on feature groups for each role
  • Change level on roles
  • Add/delete levels

When you click on role management, you will see five default roles (click here to see a list of the default roles and permissions). Those are predefined roles with predefined permissions. You can rename, edit, or delete them (except for the employee role). They can also be copied and used as a template for a new role.

Only the role “Account owner/Manager” has access to the Account settings page by default. In order to access Account settings, an Account Manager must be on the domain/customer level.

Levels

Each of the default roles is placed on a “Level”. Levels are a new concept used to define what roles should or should not have access to sensitive information. The default rule for levels is that managers with the same role will not see data for colleagues who are on the same level or a level above but they will see data for colleagues on a level below.

For now, the rule for levels is only applicable on two feature groups (click here to read more about the existing feature groups):

  • Salary (not applicable on cost variables)
  • People

Example: Managers with a role on level 3 will be able to see salary details and people details on employees with roles on levels below (4, 5, 6). They will not see salary and people details for employees with roles on the same level or above (3, 2, 1).

It is possible to add more levels than the default ones. Just click “Add level”, give the level a name, and then move it up or down by using the buttons “Move level up” or “Move level down”. By doing this, you can, for example, have two roles for Local Managers but on different levels. The one higher up in the hierarchy will be able to see salary and people details for the one below and vice versa.

Add/edit roles

You can edit the existing permissions of the predefined roles or set permissions on roles you create.

  • To edit a role - click on Edit role.
  • To add a new role - click on Add role.
  • If you click on add new role, a popup will appear where you give your new role a name and select what template to copy from.
  • Then, a panel will open on the right-hand side.
  • This is where you set the permissions for each feature group:

The first headline is Permissions.

For each feature group (you can read more about feature groups here), you can select one of three different permissions:

  • No permission: The role will not see any data within that feature group.
  • View permission: The role will be able to view but not edit data within that feature group.
  • Write permission: The role will be able to view and edit data within that feature group.

When you have defined permissions for each feature group, click Save and you new role is ready to be used.

Remember, the permissions you see when managing roles are dependent on other permissions (and modules).

Example:

If you set the people permission to no access, you won't see the permissions for "people agreements" and "people details" since those two are dependent on the people permission:

People permission set to no access:

People permission set to read access:

If People permission is set as No access, then People Details and Agreement permission will be hidden for that role.

If Punches permission is set as No access, then Manual Salary types permission will be hidden for that role.

If Scheduling permission is set as No access, then Absence, Lock Schedule, Punches, and Manual Salary types permissions will be hidden for that role.All other permissions are independent.

Roles overview

Shared label

You can see if an employee is shared from another unit when looking at that employees role overview. The role that the employee has on the shared unit will be indicated with a blue label that says "shared":

Show groups with inherited roles

You can decide if you want to see inherited roles or not when looking at an employees role overview by checking the checkbox "show groups with inherited roles". The inherited groups will then be displayed and you will see a label called "inherited" next to the inherited role:

Visibility in Schedule and Base schedule

Background

Some users, such as senior managers and admins, might not necessarily need to be visible in the schedule on all the units and sections on which they have been assigned a role.

We distinguish whether a person is a "manager" (i.e. managing a unit/section) or whether a person is an "employee" (i.e. schedulable on shifts, able to punch in and out, request leave, etc.) by checking if they have the role "employee" on that unit/section.

Logic

This means:

  1. Only people with role "employee" will be visible in the schedule view for a particular group (unit, section, etc.).  
  1. Only people with role "employee" can be assigned on the shifts (punch, absence etc).
Note that a person will always need to have at least one role on the home unit.
In the case where a person has both a manager and an employee role and is planned to work on shifts in the future, if then the employee role is removed, the shifts cannot be edited, only deleted. The same goes if a shift is added to a person through Classic without an employee role in Neo. 
Inheritance logic

Just as a manager role, the employee role also has inheritance logic, which means that if a person has role employee on a unit, (s)he will also have an inherited membership on the sections below the unit and therefore be visible and scheduled on the sections. If that is not the desired behavior, the employee should instead be added to the specific sections in which he/she should be visible.

All people with manager roles in the system will also get an employee role when we release this functionality:

  1. If you don't want a person to be visible in the schedule and base schedule view, remove the role employee for that particular person and group under account settings or group settings. People  with manager role only will still be able to manage the unit/section, but they won't be able to be scheduled on that group. 
  2. When setting up a new manager and giving them a manager role, they must also have the employee role on the group in order to be scheduled. 
Visibility logic per schedule item

Shifts and tasks 

A manager with manager role in a given group can:  

  • See people in the schedule / base schedule view with role “employee”.
  • Assign shifts/tasks to people with role "employee".

Leave applications and absences

A manager with a manager role on a section can: 

  • See leave applications and absences from employees with the role "employee" on that section and whose home unit is the unit of that particular section.
  • When adding an absence, the list only contain employees from home unit with role employee on the section.

A manager with manager role on a unit can: 

  • See leave applications and absences from home unit employees with the role "employee"
  • The local manager can only add an absence for an employee with the role "employee" on the unit.

Punches

A manager with manager role on a unit can: 

  • See people with role "employee" in the schedule view
  • Add/edit punches to people with role "employee"
  • Attest time for people with role employee (note that anyone with a manager role can attest another managers punches/absences if they have write permissions on "Punches". The role levels are not considered here).

Notice of Interest

A manager with manager role on a unit can: 

  • View Notices of Interest (NoI) from people with the role "employee"

Unavailability in Schedule and Base schedule

A manager with manager role on a unit can: 

  • See unavailability for people with the role "employee".

What we don’t support but plan to in the future

  • It's not possible in this release to delete a future role.
  • It's not possible in the release to add the same role as the person has already had.

People with expired roles

It's possible to assign a role to a person who has previously had a role that has expired.

When going to Organization > Add member you can find people with expired roles, and you can assign them a new valid role.

For even more information, please see Roles and access rights FAQs.


How Did We Do?