User Groups and Associated Permissions
Within Natural HR there are a total of 9 different User Groups available for you to choose from when setting up a User. Each group gives the user a different set of permissions and access rights, and there are also a number of options available for users within those groups. This article describes the different User Groups available, as well as a number of other options available for controlling access to the system.
The following are the User Groups available within Natural HR. Each is described in its own section below:
- Admin
- HR
- Manager
- Employee
- Approver
- Finance
- Trainer
- Recruiter
- Facilities
The following sections describe other options available for controlling access to the system:
- Marketing permissions
- Contractors permissions
- Module templates
- Restrict access to pay/benefits
- Reporting
- Global manager restrictions
- Global employee restrictions
User Groups
Admin
User Group: Admin |
Admin users have NO restrictions whatsoever and can see everything and do anything in the system – use with caution! |
Can have secondary user group? | ❌ |
Can limit employees they can access? | ❌ |
Can limit actions they can take? | ❌ |
Can limit access to pay/benefits? | ❌ |
Can limit access to specific fields? | ❌ |
Can prevent from deleting? | ❌ |
Modules accessible by default | All |
HR
User Group: HR |
HR users, by default, are similar to Admin except they do not have access to the "Company" menu |
Can have secondary user group? | ❌ |
Can limit employees they can access? | ✅ By site, job level or company to an individual user |
Can limit actions they can take? | ✅ Option to apply global manager restrictions to an individual user |
Can limit access to pay/benefits? | ✅ Option to apply global manager restrictions to an individual user |
Can limit access to specific fields? | ✅ Option to apply global manager restrictions to an individual user |
Can prevent from deleting? | ✅ Can “hide” delete button from individual users - does not strictly prevent deleting |
Modules accessible by default | ALL |
Other information | By default, an HR user will be able to manage their own account, but you can disable this globally. They will then not be able to access their own employee record, add time off, etc. for themselves unless they do so as an “employee” user via self-service. |
Manager
User Group: Manager |
Manager users are also "employee" users for self-service purposes – additionally, any manager user can also be an approver by default. |
Can have secondary user group? | ✅ Can have secondary group of Finance, Recruiter, Trainer or Facilities. |
Can limit employees they can access? | ✅ Can only see those who report into them. Optionally, can also see candidates for whom they are set as hiring manager |
Can limit actions they can take? | ✅ Option to apply global manager restrictions to an individual user |
Can limit access to pay/benefits? | ✅ Option to apply global manager restrictions to an individual user |
Can limit access to specific fields? | ✅ Option to apply global manager restrictions to an individual user |
Can prevent from deleting? | ✅ Can be set to read-only, which only applies to the employee record – for other actions, like deleting time off etc., this can be achieved using global manager restrictions. |
Modules accessible by default | ALL |
Employee
User Group: Employee |
Employee, by default, can only see a sub-section of their information, and their actions generate an alert or require approval. |
Can have secondary user group? | ✅ Can have secondary group of Finance, Recruiter, Trainer or Facilities. |
Can limit employees they can access? | ✅ Can only access own record |
Can limit actions they can take? | ✅ See global employee restrictions |
Can limit access to pay/benefits? | ✅ Can only ever see own data – can optionally give access to view own salary etc. |
Can limit access to specific fields? | ✅ See global employee restrictions |
Can prevent from deleting? | ✅ See global employee restrictions |
Modules accessible by default | See global employee restrictions |
Approver
User Group: Approver |
All manager, HR and admin level users can also be assigned as approver, by default. If also manager or HR level, the same restrictions will be applied as the corresponding group for the relevant employees |
Can have secondary user group? | ✅ Can also be a Manager, HR or Admin |
Can limit employees they can access? | ✅ Can access those for whom they are set as approver |
Can limit actions they can take? | ✅ As an approver they can only approve time off, training etc. Can optionally be allowed to add and edit time off and/or time tracking records |
Can limit access to pay/benefits? | ✅ Has no access as an approver |
Can limit access to specific fields? | ✅ Cannot see any employee fields as approver |
Can prevent from deleting? | ✅ Cannot delete anything as approver |
Modules accessible by default | See global employee restrictions |
Finance
User Group: Finance |
Finance users are employees with access to the expenses and mileage modules |
Can have secondary user group? | ✅ Can also be a Manager |
Can limit employees they can access? | ✅ By site, job level or company to an individual user |
Can limit actions they can take? | ✅ Option to apply global manager restrictions to an individual user |
Can limit access to pay/benefits? | ✅ Yes to an individual user |
Can limit access to specific fields? | ✅ Option to apply global manager restrictions to an individual user |
Can prevent from deleting? | ✅ Can “hide” delete button from individual users - does not strictly prevent deleting |
Modules accessible by default | Expenses and mileage |
Other information | Can give optional access to timesheets and / or user group admin rights to an individual user which will allow them to access and administer:
|
Trainer
User Group: Trainer |
Trainer users are employees with access to the training module |
Can have secondary user group? | ✅ Can also be a Manager |
Can limit employees they can access? | ❌ |
Can limit actions they can take? | ❌ |
Can limit access to pay/benefits? | ✅ Has no access as a trainer |
Can limit access to specific fields? | ❌ |
Can prevent from deleting? | ❌ Can only delete training as trainer |
Modules accessible by default | Training |
Other information | Can give optional user group admin rights to an individual user which will allow them to administer the training library |
Recruiter
User Group: Recruiter |
Recruiter users are employees with access to the recruitment module |
Can have secondary user group? | ✅ Can also be a Manager |
Can limit employees they can access? | ❌ |
Can limit actions they can take? | ✅ Can prevent from downloading CVs |
Can limit access to pay/benefits? | ✅ Has no access to employee data as recruiter – would be able to see requisition salary or offer details, for example |
Can limit access to specific fields? | ✅ Can anonymise candidates to globally hide names, address and contact information (such as email address). Can optionally restrict access to answers to company and role custom questions. Finally, global option can be set to not include monitoring information against a candidate so would not be able to see gender, nationality, date of birth, religion, disability and so on. Can |
Can prevent from deleting? | ❌ |
Modules accessible by default | Recruitment |
Other information | Can give optional user group admin rights to an individual user which will allow them to access recruitment settings |
Facilities
User Group: Facilities |
Facilities users are often members of IT teams and are employees with access to the asset module |
Can have secondary user group? | ✅ Can also be a Manager |
Can limit employees they can access? | ❌ Under assets there are no restrictions, however, if you give Restricted Company user Management then they will not be able to administer anyone of HR or admin level. |
Can limit actions they can take? | ❌ |
Can limit access to pay/benefits? | ✅ Has no access to pay/benefits |
Can limit access to specific fields? | ❌ |
Can prevent from deleting? | ❌ |
Modules accessible by default | Assets |
Other information | Can give optional access to forms, workflows, users, restricted user access (no ability to manage HR or admin level accounts), timesheets tasks and timesheets references |
Marketing permissions
Any user level can be given “Marketing permissions” which will allow them access to Branding settings, Pages (Intranet) and Announcements.
Contractors permissions
Any user level can be given “Contractors permissions” which will give them full and unlimited access to all contractors. None of the other restrictions such as ability to access National Insurance numbers or the ability to edit/delete will be applied.
What is a contractor? In addition to “employees”, Natural HR can be used to store information on “Contractors” – a contractor is most often used for contractors, volunteers and the like where there is no concept of employment. This means there is no start date, no job title or manager etc and the contractor themselves cannot access self-service nor be referenced in any of the system modules (i.e. you cannot add time off, training, timesheets, expenses etc for them).
Module templates
From the above tables you can see the modules that an individual has access to – for example, an employee has access to all modules which means they can access any module you have enabled such as expenses.
A module template allows you to define a list of enabled modules which an individual user can access and then apply this to a user or group of users. This allows you, for example, to enable expenses but only allow specific users or groups of users to access expenses.
Restrict access to pay/benefits
Several of the user groups above refer to the ability to restrict access to pay and benefits. For some users, such as managers, this is a global option (i.e. once turned on it applies to all managers), but you can still control which categories access is limited to.
The three options are pay/salary, benefits and payments. This means you could stop all your managers from seeing pay and benefits but still allow them access to payments, for example.
Reporting
By default, no user group (other than admin) has access to any dataset for reporting purposes and you must explicitly add access for each user group to each dataset.
Within that dataset, all the permissions applied against the user are carried through. This means that if a user is given access to the employee dataset, for example, they will only be able to see the data of those whom they are allowed to see in the system. Additionally, if they are unable to access pay, date of birth, National Insurance and bank details then these fields will not be available to them in reporting.
Further, if you try to share a report with a user and that report has fields which they would not be allowed to see, we will prevent you from sharing it. If the permissions for the user change after you have shared the report, the user will be restricted from accessing it if their current permissions mean they should not be able to access any of the selected fields in that report.
Finally, within reporting, the vast majority of the datasets are associated with an employee – when you give access to the training dataset to a Trainer user, for example, this means they also get access to the information about that employee. However, the employee information they have access to is limited to relevant “work” information so they do not see: Pay, Date of birth, National Insurance, Gender, Marital status, Nationality, Ethnicity, Disability, Sexuality, Religion, Any address/personal contact information, Emergency contact information and bank details.
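The reporting rules above, as an added example that is not Natural HR's own code: a small Python model of default-deny dataset access, the field check made when a report is shared, and the same check repeated when the shared report is opened. The class names, field names, grant table and sample rows are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    group: str                     # "Admin", "Manager", "Trainer", ...
    visible_employees: set         # employees this user may see in the system
    restricted_fields: set = field(default_factory=set)

@dataclass
class Report:
    dataset: str
    fields: list
    shared_with: set = field(default_factory=set)

# Default deny: only Admin has dataset access until a group is explicitly added.
DATASET_GRANTS = {"employee": {"Manager"}}      # constructed grant table

ROWS = [  # constructed sample data
    {"employee": "E1", "job_title": "Analyst", "salary": 30000},
    {"employee": "E2", "job_title": "Engineer", "salary": 45000},
]

def has_dataset(user, dataset):
    return user.group == "Admin" or user.group in DATASET_GRANTS.get(dataset, set())

def blocked_fields(user, report):
    return [f for f in report.fields if f in user.restricted_fields]

def share(report, user):
    """Share-time check: refuse if the dataset or any selected field is off limits."""
    if not has_dataset(user, report.dataset) or blocked_fields(user, report):
        return False
    report.shared_with.add(user.name)
    return True

def run(report, user, rows):
    """Access-time check: re-evaluated against the user's current permissions."""
    if user.name not in report.shared_with or not has_dataset(user, report.dataset):
        raise PermissionError("report not available to this user")
    if blocked_fields(user, report):
        raise PermissionError("report contains fields the user may not see")
    # Row scope carries through: only employees the user can see in the system.
    return [{f: r[f] for f in report.fields}
            for r in rows if r["employee"] in user.visible_employees]
```

Sharing a salary report with a manager and then adding `salary` to that manager's `restricted_fields` makes the next `run` raise `PermissionError`, which is the behaviour to confirm when testing a permission change against reports that were shared earlier.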
Global Manager Restrictions
IMPORTANT: these restrictions are global and, once set, will be applied against ALL manager users. You can also, optionally, apply these same restriction sets to individual HR or Finance users.
There are four main areas where restrictions can be applied against manager users:
1. Pay and benefits – see Restrict access to pay/benefits
2. Manager employee permissions – this controls what managers are able to do relating to employees. The options are:
   - Add employees
   - Quick add employees
   - Approve employees
   - Edit employees
   - Delete employees
   - Employee benefits (access to the module – this can be used in conjunction with option 1)
   - Change employees
   - Make leaver
   - Start new employee workflows
   - View employee workflows
3. Manager module permissions – this controls what managers are able to do relating to system modules. The options are:
   - Add, edit or delete time off
   - Add or delete timesheet
   - Add, edit or delete training
   - Delete expenses
   - Delete mileage
   - Upload employee documents. You can also specify “folders” with varying user group permissions such as only allowing the employee to access or only allowing the manager to access.
   - Delete employee documents
   - Access performance reviews
   - Access warnings
   - Edit performance goals
4. Restricted fields – this controls what fields managers are able to access against the employees they are able to see. The options are:
   - Date of birth
   - National insurance number
   - Gender
   - Marital status
   - Nationality
   - Ethnicity
   - Disabled
   - Registered disabled
   - Sexuality
   - Religion
   - Address
   - Home phone
   - Home mobile
   - Home email
   - Emergency contact
   - Bank details
Note: as a manager user is also an employee, the Global employee restrictions below will also be applied against the manager user when administering their own account via self-service.
Global employee restrictions
There are three main areas where restrictions can be applied against employee users:
- “Modules” – please note, you can prevent complete access to other modules not listed via Module templates.
  - Show time off allowance
  - Show Bradford Factor
  - Upload documents – options are:
    - No
    - Yes - able to choose upload folder
    - Yes - not able to choose upload folder
  - Employee map visible
  - Reviews visible – see forms below for additional considerations
  - Goals visible – options are:
    - No
    - Yes - view only
    - Yes - can update
    - Yes - can add and update
  - Competency chart visible – options are:
    - No
    - Yes - view only
    - Yes - can update
    - Yes - can add and update
  - Warnings visible
  - Show working pattern on calendar
  - Payments visible
  - Organisation chart visible
  - Planner visible
  - Vehicles module access – this allows employees to add, edit etc their own vehicles
- Fields visible to employee about self:
  - Works ID
  - Job title
  - Job description
  - Salary
  - Grade
  - Department name and description
  - Job attachment
- Changeable fields:
  - Profile photo
  - First name
  - Middle name
  - Surname
  - Known as
  - Marital status
  - National insurance number
  - Date of birth
  - Gender
  - Ethnicity
  - Disabled
  - Registered disabled
  - Nationality
  - Sexuality
  - Religion
Finally, in addition, you can give employees access to a “public” calendar. By default, the employee will only see their own data on the calendar - this will include all types of data including time off, training, meetings, reminders and so on.
There is an option to set the calendar public which means that, in addition to the above, the employee will also see the time off and training of those employees who match the specified cohort (based on manager, department or site).