What Access Does Each User level Have?
Within Natural HR there are predefined user access levels.
Employees do not automatically have access to the Natural HR system, they need to be setup as a user with at least employee user level access. Each user must be a member of at least one user group but in some cases they could also be a member of a Secondary group e.g. Manager and Recruiter.
Within Manager and HR user groups, there are additional configuration options such as the ability to hide financial information, set read only and to control site access for example. Additionally, for Finance, Manager and HR level users, it is possible to restrict access to financial and benefits information, meaning they cannot access salary information such as Employee benefits.
Finally, all user groups (with the exception of Main admin) also function with employee level access in additional to any chosen access - for example, a Manager level user will "revert" to an employee user when they need to submit their own time off which they would have to do via Self Service for approval by their Manager/Approver.
To assist with security, menus are hidden and pages have inbuilt checking to ensure that users with insufficient permissions cannot access restricted areas even if they know the URL.
These are the user access levels in order of their level of access:
Main admin |
This is the account which is used to sign up for the system and is the only account which is not linked to an employee file and which cannot be assigned to any specific employee or user. This account can also be used to make license based changes to your Natural HR subscription. The main admin account should not be used for any specific requests on the system, for example time off, expenses or mileage etc. as this will bypass any approval process and will most likely cause the request to be in "limbo" as it will not be linked to any particular Employee/user. |
Admin | Admin users have no restrictions whatsoever and can see all pages and all sections and information on all employees etc, this account is linked to a self-service account but cannot be used to make license based changes to your Natural HR subscription. Use with caution. |
HR | Cannot access Administration -> Company menu but can see the Administration -> HR menu, all other pages and sections and information on all employees. HR users can carry out self-service on their own account. |
Can have secondary user group? | No |
Can limit employees they can access? | Yes - By site, job level or company on an individual user basis. |
Can limit actions they can take? | Option to apply global manager restrictions to an individual user |
Can limit access to pay/benefits? | Option to apply global manager restrictions to an individual user |
Can limit access to specific fields? | Option to apply global manager restrictions to an individual user |
Can prevent from deleting? | Can “hide” delete button from individual users - does not strictly prevent deleting |
Modules accessible by default | All |
Other information | By default, an HR user will be able to manage their own account, but you can disable this globally meaning they will not be able to access their employee record, add time off etc for themselves unless done as an “employee” user via self-service, this prevents an HR user from bypassing the approval process. |
Manager |
Manager users are also “employee” users for self-service purposes – additionally, any Manager user can also be assigned as an Approver by default. Cannot access Administration -> Company/HR. |
Can have secondary user group? | Can have secondary group of Finance, Recruiter, Trainer or Facilities |
Can limit employees they can access? | Can only see those within their downline. Optionally, can also see candidates for whom they are set as hiring manager/Additional Reviewer |
Can limit actions they can take? | Option to apply global manager restrictions to ALL Managers |
Can limit access to pay/benefits? | Option to apply global manager restrictions to ALL Managers |
Can limit access to specific fields? | Option to apply global manager restrictions to ALL Managers |
Can prevent from deleting? | Can be set to read-only which only applies to employee record – for other “actions” like deleting time off etc, this can be archived using global manager restrictions |
Modules accessible by default | All |
Click here to read about setting global Manager restrictions
Approver | All Manager, HR and Admin level users can also be assigned to an employee as Approver, by default. If also Manager or HR level, the same restrictions will be applied as the corresponding group for the relevant employees |
Can have secondary user group? | Can also be Manager, HR or Admin |
Can limit employees they can access? | Can access those for whom they are set as Approver |
Can limit actions they can take? | As an Approver they can only approve time off, training etc. Can optionally be allowed to add and edit time off and/or time tracking records |
Can limit access to pay/benefits? | Already has no access as Approver |
Can limit access to specific fields? | Cannot see any employee fields as Approver |
Can prevent from deleting? | Cannot delete anything as Approver |
Modules accessible by default | Time off, training, timesheet, expenses and mileage approval access for those they are set as Approver for |
Click here to read about adding and assigning an Approver
Finance | Finance users are employees with access to the Expenses and Mileage modules |
Can have secondary user group? | Manager |
Can limit employees they can access? | By site, job level or company to an individual user |
Can limit actions they can take? | Option to apply global manager restrictions to an individual user |
Can limit access to pay/benefits? | Yes on an individual user basis |
Can limit access to specific fields? | Option to apply global manager restrictions below to an individual user |
Can prevent from deleting? | Can delete expenses and mileage |
Modules accessible by default | Expenses and mileage |
Other information | Can give optional user group admin rights to an individual user which will allow them to access expense and mileage settings and timesheet settings |
Trainer | Trainer users are employees with access to the Training module |
Can have secondary user group? | Manager |
Can limit employees they can access? | No |
Can limit actions they can take? | No |
Can limit access to pay/benefits? | Already has no access as Trainer |
Can limit access to specific fields? | No |
Can prevent from deleting? | Can only delete training as Trainer |
Modules accessible by default | Training |
Other information | Can give optional user group admin rights to an individual user which will grant them access to the training library |
Recruiter |
Recruiter users are employees with access to the Recruitment module |
Can have secondary user group? | Manager |
Can limit employees they can access? | No |
Can limit actions they can take? | Can prevent from downloading CVs |
Can limit access to pay/benefits? | Has no access to employee data as Recruiter – would be able to see requisition salary or offer details, for example |
Can limit access to specific fields? | Can anonymise candidates to globally hide names, address and contact information (such as email address). Can optionally restrict access to answers to company and role custom questions. Finally, global option can be set to not include monitoring information against a candidate, so would not be able to see gender, nationality, date of birth, religion, disability and so on. |
Can prevent from deleting? | No |
Modules accessible by default | Recruitment |
Other information | Can give optional user group admin rights to an individual user which will allow them to access recruitment settings |
Facilities |
Facilities users are often members of IT teams and are employees |
Can have secondary user group? | Manager |
Can limit employees they can access? | No |
Can limit actions they can take? | No |
Can limit access to pay/benefits? | Already has no access to employee data as Facilities |
Can limit access to specific fields? | No |
Can prevent from deleting? | No |
Modules accessible by default | Assets |
Other information | Can also be given optional access to: Forms, Workflows, Timesheets tasks/references and User management. User management can be full or restricted whereby they cannot administer or add anyone of a higher user group than themselves, so could not see/edit/add an admin, for example, nor change themselves to HR or admin. |
Employee | Employee, by default, can only see a sub-section of their information and actions generate an alert or require approval |
Can have secondary user group? | No |
Can limit employees they can access? | Can only see their own record |
Can limit actions they can take? | See global employee restrictions below |
Can limit access to pay/benefits? | Can only ever see own data – can optionally give access to view own salary etc |
Can limit access to specific fields? | See global employee restrictions and permissions |
Can prevent from deleting? | See global employee restrictions and permissions |
Modules accessible by default | See global employee restrictions (within the bounds of self-service) |
Click here to read about setting global Employee restrictions and permissions
Marketing permissions
Any user level can be given “Marketing permissions” which will allow them access to Branding settings, Pages (Intranet) and Announcements:
Contractors permissions
Any user level can be given “Contractors permissions” which will give them full and unlimited access to all contractors. None of the other restrictions such as ability to access National Insurance numbers or the ability to edit/delete will be applied.
What is a contractor? In addition to “employees”, Natural HR can be used to store information on “Contractors” – a contractor is most often used for contractors, volunteers and the like where there is no concept of employment. This means there is no start date, no job title or manager etc and the contractor themselves cannot access self-service nor be referenced in any of the system modules (i.e. you
cannot add time off, training, timesheets, expenses etc for them).
Click here for further information on Contractors.
Module templates
From the above tables you can see the modules that an individual has access to – for example, an employee has access to all modules which means they can access any module you have enabled such as expenses.
A module template allows you to define a list of enabled modules which an individual user can access and then apply this to a user or group of users. This allows you, for example, to enable expenses but only allow specific users or groups of users to access expenses.
Click here to read about module templates
Restrict access to pay/benefits
In a number of the user groups above, there is reference to the ability to restrict access to pay and benefits. Whilst for some users, such as managers, this is a global option set within Administration -> Company -> Settings -> Display Settings (i.e. once turned on it applies to all managers) there is the option to control what access is limited to.
The three options are pay/salary, benefits and payments. This means you could stop all your managers from seeing pay and benefits but still allows them access to payments, for example:
Reporting
By default, no user group (other than admin) has access to any dataset for reporting purposes and you must explicitly add access for each user group to each dataset.
Within that dataset, all the permissions applied against the user are carried through. This means that if a user is given access to the employee dataset, for example, they will only be able to see the data of those whom they are allowed to see in the system. Additionally, if they are unable to access pay, date of birth, National Insurance and bank details then these fields will not be available to them in reporting.
Further, if you share a report to a user and that report has fields which they would not be allowed to see then we will prevent you from sharing and, if the permissions for the user change after you have shared, the user would be restricted from accessing the report if their current permissions mean they should not be able to access any of the selected fields in that report.
Finally, within reporting, the vast majority of the datasets are associated with an employee – when you give access to the training dataset to a Trainer user, for example, this means they also get access to the information about that employee. However, the employee information they have access to is limited to relevant “work” information so they do not see: Pay, Date of birth, National Insurance, Gender, Marital status, Nationality, Ethnicity, Disability, Sexuality, Religion, Any address/personal contact information,
Emergency contact information and bank details.
Click here to read more about Report Builder Permissions
Comments
0 comments
Please sign in to leave a comment.