Do you feel that you need a helping hand to manage permissions and roles in HR-ON Staff?
This article will guide you through the different levels of roles and permissions.
Scope and Purpose of this article
This article describes a minimum setup of user roles in HR-ON Staff, allowing the users the following access:
- Employees can view selected data and documents about themselves, but not edit anything. They can sign documents and answer surveys (apps). As an option, they can view name, department, job title, phone and email of other employees - although this requires an additional role.
- Department Managers can view and edit selected data and documents for employees in departments where they have Department Manager access.
The minimum setup works under the assumption that the following sections of HR-ON Staff are not fully rolled out in the customer's organization:
- Vacation Calendar
As such, the setup works as a starting point for utilizing HR-ON Staff that can later be built upon as the areas are rolled out in the organization. As this happens, more roles will need to be created and, in addition, permissions should be assigned to the existing roles. However, this is out of scope for this article.
To do a minimum permission setup in HR-ON Staff, you need 3 roles mirroring the 3 different user profiles in Staff:
In addition, a fourth role, "View Employees", can be used to allow all employees to see public data on all other employees.
Employee [Person level]
This role is intended to allow all employees to view data about themselves, while still allowing the HR-Department to maintain confidential data regarding the employees, such as warnings, that the employee cannot view.
The assumption is that either the Department Manager or the HR-Department maintains or edits the data, or optionally this is done through apps.
Department Manager [Department level]
This role is intended to allow all Department Managers access to view and edit selected data regarding departments where they are Department Managers. In addition, the Department Manager can assign apps to their own department and view app results for their own department. They cannot create new app templates, as this is reserved for the HR-Department.
This will allow the Department Manager to maintain data and documents for their department while the HR-Department maintains other data.
Also note that roles on Department Level can be "inherited". If this is enabled, the permission is valid for that department and all departments below the department in the organizational hierarchy.
In addition, it should be noted that in a department with 2 managers, managers with this permission will be able to see both public and confidential data about each other, but not documents.
HR-Consultant [Company level]
This role is intended to allow selected employees from the HR-Department access to view and edit all data and documents for all employees. This role should only be given to trusted members of the HR department, since they will have access to all contracts, warnings, and other sensitive information.
The assumption is that data or documents of a highly sensitive nature are maintained by the HR-department.
Employee [Company level]
This role is intended to allow all employees to view public data about other employees, such as name, address, and job title. Note that all employees will have this role, so making changes to this role could potentially show confidential information to all employees.
The assumption is that there is some data everyone should be able to see about all employees. If this is not the case, don't use this role at all.
Manager vs Department Manager
Note that in this article, there are 2 terms - Manager and Department Manager. These are not the same.
A Manager is a member of a department who has the "shield" or Manager relationship to the department. This is not a permission role as such and does not give any special permissions by itself. However, it will prevent users that are not allowed to see or maintain Managers or Managers' documents from accessing data about the manager.
A Department Manager is a permission role that is given to an employee for one or more departments, allowing him or her to view and maintain data for employees in these departments. Often a Manager will also have the Department Manager role - but not always.
Note the "Inherit user rights" option, which will allow the user to have the role for all departments that are below the chosen department in the organization hierarchy.
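The following is an added example, not HR-ON Staff code or its API: a small Python model of how a department-level role with "Inherit user rights" reaches every department below the chosen one, used to flag assignments that end up covering most of the company. The org chart, employee names, function names and the 60% threshold are all constructed assumptions.

```python
# Added illustration: a model of department-level role inheritance.
# Hierarchy, names and functions are constructed; this is not HR-ON Staff code.

# Constructed org chart: child department -> parent department.
PARENT = {
    "Sales": "Company",
    "Sales DK": "Sales",
    "Sales SE": "Sales",
    "Engineering": "Company",
    "Platform": "Engineering",
}
# Constructed membership: department -> employees placed in it.
MEMBERS = {
    "Company": {"ceo"},
    "Sales": {"anna"},
    "Sales DK": {"bo", "carl"},
    "Sales SE": {"dina"},
    "Engineering": {"erik"},
    "Platform": {"freja"},
}

def departments_in_scope(dept, inherit):
    """Departments a Department Manager role assigned on `dept` reaches."""
    scope = {dept}
    changed = inherit
    while changed:  # walk down the hierarchy until nothing new is added
        below = {c for c, p in PARENT.items() if p in scope} - scope
        scope |= below
        changed = bool(below)
    return scope

def employees_in_scope(dept, inherit):
    """Employees whose data the role holder can reach through this assignment."""
    depts = departments_in_scope(dept, inherit)
    return set().union(*(MEMBERS.get(d, set()) for d in depts))

def overbroad_assignments(assignments, max_share=0.6):
    """Flag assignments reaching more than `max_share` of all employees (assumed threshold)."""
    everyone = set().union(*MEMBERS.values())
    flagged = []
    for user, dept, inherit in assignments:
        reach = employees_in_scope(dept, inherit)
        if len(reach) / len(everyone) > max_share:
            flagged.append((user, dept, len(reach)))
    return flagged

# Constructed assignments: (user, department, "Inherit user rights" enabled?)
ASSIGNMENTS = [("anna", "Sales", True), ("erik", "Engineering", False), ("ceo", "Company", True)]
```

A Department Manager role placed on the top department with inheritance enabled behaves like a company-level role, which is the case the last function flags.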
The table below shows how the four roles should be configured. Please note that this is a different set of roles from the Demo data that comes with Staff by default, since it is more restricted, and intended for a minimum setup and not a product demo.
Some options, such as the "All" option for Employee data are omitted - these should be set to blocked, as they do not allow controlling access on a field/document type level.
The unfilled fields are options that are not available for the particular role, such as department options for company level roles. Also, note that only some Employee Data and document types are included since they will depend on the customer setup.
- R = Read
- W = Write
- B = Blocked
|Department Manager [Department]||HR-Consultant [Company]||Employee [Company]|
|Accesses to employees|
|View own direct manager||R|
|Manage the department's system users||B|
|Manage the department's employees||W|
|Manage the department's future employees||W|
|Manage the department's leaders||W|
|Manage the department's archived employees||W|
|Manage all system users||W||B|
|Manage all employees||W||R|
|Manage all future employees||W||B|
|Manage all leaders||W||R|
|Manage all archived employees||W||B|
|Create announcements in your departments
|Access to system announcements||B||B|
|Create announcements in all departments||B||B|
|Access results for own apps
|Assign apps to the department's employees||W|
|The department's templates||R|
|Access results for the department's employees||W|
|Assign apps to all employees||W||B|
|Access results for all employees||W||B|
|Access to evaluations and comments on own competences||B|
|Access own competences||B|
|Access to evaluations and comments on competences in own departments||B|
|Access assigned competences on employees in own departments||B|
|Access to evaluations and comments on competences in all departments||B||B|
|Access assigned competences on employees||B||B|
|Access to all dashboards||W||B|
|Assign employee to own departments||W|
|Edit own departments||R|
|Assign employee to all departments||W||B|
|All documents (no preview/download)||B||B||B||B|
|Employee Development Plan||R||W||W||B|
|Document folder access
|The department's folders||W|
|Document folders in all the employee's departments||B|
|Own documents folders||R|
|Access to company folders only||B||B|
|All document folders||B||B|
|Create own documents from template||N|
|Own document templates||N|
|Create employee documents from template||W||W||B|
|The department's document templates||R|
|All document types||W||B|
|All document templates||W||B|
|Address (Street Name & No.)||R||W||W||R|
|Date of Birth||R||W||W||B|
|Secondary Email Address||R||W||W||B|
|Social Security no.||R||W||W||B|
|Employee data card setup
|Employee data card setup||W||B|
|Assign equipment to yourself||B|
|Assign equipment to the department's employees||W|
|The department's equipment||R|
|Create custom fields for equipment||W||B|
|Assign equipment to all employees||W||B|
|Access to logs in all departments||R||B|
|Recruitment button is visible||B||B||B||B|
|Information button is visible||B||B||R||B|
|Assign role to employees in own departments||B|
|Assign role to employees in all departments||W||B|
|Manage types of user and user rights||W||B|
|Own processes, projects and tasks||B|
|Access the employee's processes||R|
|Assign processes to the department's employees||B|
|The department's process messages||B|
|The department's process templates||B|
|Access all employees' processes||W||B|
|Assign process to all employees||W||B|
|All process messages||W||B|
|All process templates||W||B|
|Access to own vacation/absence periods||B|
|Access to vacation/absence periods in own departments||B|
|Access to vacation/absence types||B||B|
|Access to vacation/absence periods||B||B|
The table below shows who should have each of the roles described in this document.
|Department Manager [Department]||No||Yes||No|
* This role should be automatically assigned to all new employees