Permission Management

Users must be granted permissions to access data, perform actions, and view content in the solution.

Overview

Permissions specify what data, actions, and content users can access in the solution. They are highly flexible and allow you to give users access based on their job function.

Permissions consist of three parts:

  • Data security: Consists of security filters and data access sets, which determine what data users can see in the solution. For more information, see Data Security for a Permission.
  • Capabilities: Define the actions users can perform in the solution. For more information, see Capabilities List.
  • Content packages: Define the content (analyses, metrics, dimensions, and key groups) that users can see in Explore when conducting ad hoc analysis. For more information, see Content Packages.

The Permissions room is where you create and manage your permissions. You can create new permissions or use the default permissions that come with the solution as templates. For more information, see Create a Permission. After you've created your permissions, you can assign them to users or User Groups.

To access the Permissions room, open a project and, on the navigation bar, click Security > Permissions.

Note: The Super Admin permission gives users full access to all data, capabilities, and content packages. Not only do users have access to what is loaded in the solution, but also everything that will be loaded in the future. For more information, see Super Admin Permission.

Best practices

Keep the following best practices in mind when creating and assigning permissions.

Create permissions based on job functions

Permissions should only give users the amount of access that is necessary to complete their duties and nothing more. They should be constructed based on a user's job function and how they'll use the solution. Try defining permissions as broadly as possible and avoid creating permissions for separate data sets (for example, a permission that gives users access to compensation data). It is recommended that you create 4 to 6 permissions that cover the different types of users who will use the solution.

The following is a list of some permissions you may want to create:

  • A permission that gives HR Business Partners a detailed view of compensation, performance, employee, and succession data.
  • A permission that gives Managers detailed access to their team and applicants and requisitions that they are hiring for.
  • A permission that gives Recruiters detailed access to requisitions and applicants for the organization they are responsible for.

Avoid assigning multiple permissions to users

Users can have multiple permissions assigned to them. However, permissions are additive, which means that users will get access to the sum of the data, capabilities, and content across the permissions. As a best practice, only assign multiple permissions to users when a single permission won't allow the user to do their job. For example, if a user needs detailed access to only one department and aggregate access to the rest of the company, they will need to be assigned two different permissions.

Example: Sum of the data across permissions

Users are assigned the following permissions:

  • Permission A: Access to employees in Japan.
  • Permission B: Access to employees in Canada.

Users will be granted access to the populations in permission A and B, so they will see data for employees in Japan and employees in Canada.

If there is a conflict between permissions, access will be based on the least restrictive permission.

Example: Conflicting permissions

Users are assigned the following permissions:

  • Permission A: Access to the Compare capability.
  • Permission B: No access to the Compare capability.

Users will get access to the Compare capability because permission A is the least restrictive permission.

Build security filters and data access sets first

When defining data security for a permission, you can create security filters and data access sets on the fly. Defining these elements may take a while, so we recommend that you create security filters and data access sets before creating your permissions. Doing so will also allow you to reuse these elements across permissions. For more information, see Data Security for a Permission.

Perform data security audits using the Permissions export

We recommend that you conduct regular audits of your permissions to ensure your data security is configured correctly. You can download the following security reports to help you assess your data security and determine which areas of the solution your users can access:

  • Permission Definitions: Examine your security definitions and see how your permissions have been configured in detail.
  • User Permission Report: See which permissions have been assigned to each user.
  • Data Security Report: Examine the populations and properties that a user has access to in detail.
  • Content Security Report: See the metrics, dimensions, and concepts that are visible or not visible for the user.

For more information, see Security Reports.

In this section