You can use roll management to:
- Add/edit/delete roles
- Define permissions on feature groups for each role
- Change level on roles
- Add/delete levels
When you click on role management, you will see five default roles (click here to see a list of the default roles and permissions). Those are predefined roles with predefined permissions. You can rename, edit, or delete them (except for the employee role). They can also be copied and used as a template for a new role.
Each of the default roles is placed on a “Level”. Levels are a new concept used to define what roles should or should not have access to sensitive information. The default rule for levels is that managers with the same role will not see data for colleagues who are on the same level or a level above but they will see data for colleagues on a level below.
For now, the rule for levels is only applicable on three feature groups (click here to read more about the existing feature groups):
- Salary (not applicable on cost variables)
- Scheduling (for scheduling the rule is that you will see data for the same level and below)
Example: Managers with a role on level 3 will be able to see salary details and people details on employees with roles on levels below (4, 5, 6). They will not see salary and people details for employees with roles on the same level or above (3, 2, 1).
It is possible to add more levels than the default ones. Just click “Add level”, give the level a name, and then move it up or down by using the buttons “Move level up” or “Move level down”. By doing this, you can, for example, have two roles for Local Managers but on different levels. The one higher up in the hierarchy will be able to see salary and people details for the one below and vice versa.
You can edit the existing permissions of the predefined roles or set permissions on roles you create.
- To edit a role - click on Edit role.
- To add a new role - click on Add role.
- If you click on add new role, a popup will appear where you give your new role a name and select what template to copy from.
- Then, a panel will open on the right-hand side.
- This is where you set the permissions for each feature group:
The first headline is Permissions.
For each feature group (you can read more about feature groups here), you can select one of three different permissions:
- No permission: The role will not see any data within that feature group.
- View permission: The role will be able to view but not edit data within that feature group.
- Write permission: The role will be able to view and edit data within that feature group.
When you have defined permissions for each feature group, click Save and you new role is ready to be used.
Remember, the permissions you see when managing roles are dependent on other permissions (and modules).
If you set the people permission to no access, you won't see the permissions for "people agreements" and "people details" since those two are dependent on the people permission:
People permission set to no access:
People permission set to read access:
If Punches permission is set as No access, then Manual Salary types permission will be hidden for that role.
If Scheduling permission is set as No access, then Absence, Lock Schedule, Punches, and Manual Salary types permissions will be hidden for that role.All other permissions are independent.
You can see if an employee is shared from another unit when looking at that employees role overview. The role that the employee has on the shared unit will be indicated with a blue label that says "shared":
Show groups with inherited roles
You can decide if you want to see inherited roles or not when looking at an employees role overview by checking the checkbox "show groups with inherited roles". The inherited groups will then be displayed and you will see a label called "inherited" next to the inherited role:
People with expired roles
It's possible to assign a role to a person who has previously had a role that has expired.
When going to Organization > Add member you will now be able to find people with expired roles, and you can assign them a new valid role.