
Role Assignments

Role assignments control how users access employee data and are used alongside user group access to protect the data of your employees. The motivation for using role assignments within your company is to give each user only the access to the employees that they need in order to perform their job.

Overview

How do Role Assignments work?

Role assignments work at the level of programs—system menu items—within Avanti and on the Avanti Self Service Portal. When a user tries to access a program, their role assignments determine which employees they can access and the type of access they are given to those employees.

  1. When a user tries to access data with a role requirement in place the system checks the roles this user has.

  2. Then, only the employees which this user has access to are displayed.

Roles are different from User Group Access in that they are a control on the employee data itself and not on the program (or window). This means that a user can still access a program with a role requirement but may not be able to access any employee data.

User Group access controls will always take priority over role assignment access. In practice this means that a program that a user does not have user group access to—but has a role assignment for—will not be accessible to that user.

Which employees can a role assignment access?

When a user has a role assignment for a position, they will have access to all employees with this position.

Role assignments can be assigned for the employee’s primary or secondary positions—or restricted to just the primary position as required.
Role assignments are for a position, not for individual employees.

Where are roles required?

Role assignments are only required when accessing programs that have a role type requirement placed on them.

Some programs are restricted by default; Time and Attendance and Web Services programs have default role type requirements. (Refer to Appendix B of the Web Services manual.)
Example 1. Practical result of a role type requirement

Let’s look at what effect a role type requirement on a program has when a user accesses the program.

  1. With a role type requirement, the Employee Lookup limits which employees are displayed based on the role assignment of the current user.

  1. Without a role type requirement, the Employee Lookup will display all employees in the company.

Role Assignments

Role assignments can be created from the user role assignment window located in System Administration > System Access Controls > Role Administration > User Role Assignments.

  • Role assignments are created between a user and a position. This allows the user access to employees with that position within your organization.

  • Role assignments consist of a Role Type and a Role.

    The Role Type determines where the role assignment will be used, and the Role determines what the role assignment allows the user to do.
  • Multiple role assignments for the same position can be created for different Role Types.

    This allows you to control what access a user has to the employees depending on where they are accessing the employees from.

    For example, a manager might be given view-only access for the employee data for scheduling and given full-access for time cards.

Role Types

Role Types are used to control who can access employee data from a given program or subfunction within Avanti. One way to think about how Role Types work is to think of them as locks: only users with the corresponding Role Type assignment can access employee data using the program with a Role Type.

For example, the Time Card program on the web requires that a user has the Time Entry role type. Any users without a Time Entry role assignment will not have access to user data from the Time Card program.

Figure 1. Time Card access with Role assignment
  1. With role assignments, the manager has access to the employees they have role assignments for and can access each using the drop-down on the Time Cards window.

Figure 2. Time Card access without Role assignment
  1. Without role assignment, the manager will not be able to access employee data.

Role Types are applied on a per-menu-item basis and only one Role Type is allowed. A Role Type assigned to the Employee Profile, for example, would require that any users accessing the Employee Profile have the required Role Type.

One user could have full access to employee data with one Role Type but have no access with that same Role Type when accessing another menu item. This distinction is important to remember when working with Role Types: Role Types are per-menu-item.

Let’s look at a practical example of different Role Types in action. In the scenario below we have two menu items, each with a different Role Type assigned to it. When a user with different role assignments for each Role Type accesses the two menu items, they will see different employees’ data.

  1. The Health and Safety menu item uses Role Type A.

  2. Only the employee data corresponding to role assignments for Role Type A are displayed.

  1. The Employee Profile menu item has a different Role Type B.

  2. Only the employee data corresponding to role assignments for Role Type B are displayed.

Roles

Roles control the kind of access—or permissions—that a user has for a given Role Type. The Role basically determines what a user will be able to do with the employee data they have role assignments for.

For example, one Role might only allow employee information to be viewed (a read-only role), while another might give full access to read, modify, and delete user data (an admin role).

Figure 3. View Only Role
  1. With a view only role the user can look at the information for the employees that they have role assignments for, but will be unable to do approvals, add new time, change time, or delete time.

Figure 4. However, if the same user has a role with full access they will be able to:
  1. Add, change, and delete time from the employee.

  2. Approve time that has already been entered.

Positions

Role assignments are based on positions; this allows all employees with the same position to be included in one role assignment. In practice this would require that a manager user be given role assignments for all positions reporting to them, and that all employees have a position assigned to them.

This also means that employees with multiple positions could have multiple role assignments for them through different positions. This allows you to spread the management responsibilities between two managers for each position, for example.

Using Role Assignments effectively

Let’s look at a common scenario for Role Assignments within a company. We have a Manager that needs to schedule employees and approve the scheduled time for the employees directly under them.

To keep things simple we will assume that the employees beneath the manager all have the same position and this position is not shared by any other employees outside of this group. There are some "gotchas" with role assignments that you should keep in mind when using them. Check out the Common Troubleshooting section for more details.

In this scenario we need to set up the manager user account with role assignments for these employees. Let’s go over how to do that now.

Setting up the Manager

The manager will need a user account that they use to log in with. This account is where the role assignments will be assigned. Since we are keeping things simple to begin with, we will only need to create 2 role assignments for the manager:

  • one with the Scheduling role type for the employee position, and

  • another for the Time Entry role type for the employee position.

Steps
  1. Open the user role assignments window located in System Administration > System Access Controls > Role Administration > User Role Assignments.

  2. Assign a new role assignment to the manager user:

    1. Select the manager user from the left.
    2. Select the Assign Roles function for the Time Entry role type.
    3. Select the Full Approval Permission for the Role.
    4. Select the Scheduling role type under additional role types.
    5. Select the position from the org-chart in the center.

    Selecting additional role types allows multiple role assignments for the currently selected positions to be made for different role types at once. This will save you time if you plan on having the same positions for each of the role assignments.

  3. Finish the role assignment by pressing Assign now.

With the role assignments for the employee position created, the manager will now be able to schedule employees and approve time worked.

One last thing we should do is check that the role assignment gives the manager access to all their employees. We’ll go over how to confirm this in the next section.

Confirm role assignments are correct

Now that we have created a role assignment for the manager, we probably want to confirm that they have access to all the employees under them. We can do this by running the role assignment report.

  1. Open the role assignment report from System Administration > System Access Controls > Role Assignments Report.

  2. Select the following options from the Report Defaults tab:

    1. Select only the manager user to report on.

    2. Select one or more of the roles to report on.

    3. Enable Print Employees to get a listing of every employee that the manager has a role assignment for.

Example 2. Result of the Manager’s role assignments

From this report we can see that the manager has role assignments for Jessie and Ash for both the Time Entry and Scheduling roles.


Hiring new employees

Some time passes and the company has hired a new employee that will be starting under this same manager. So long as the new employee has the same position that the manager already has a role assignment for, the new employee will automatically be accessible to the manager.

It’s important to keep in mind with role assignments that they operate at the position-level and not the employee-level. To see how this can introduce complications for role assignments, check out the Common Troubleshooting section.

Let’s look at an example of how this works.

Example 3. New Employee with the same Position

A new employee named Mell is hired under the existing position of Sales.

The manager automatically gets access to the employee because they already have a role assignment for this position.


Common Troubleshooting

At times using role assignments can get tricky when positions are too general. Some common scenarios where role assignments cause friction are listed below:

Multiple departments sharing the same positions

If you have more than one department in your company with the same position codes shared between them, then any role assignments to this position will allow access to employees at both locations.

The solution in this case would be to split the shared position into separate position codes. After splitting the position, the role assignment for the shared position would be replaced with a role assignment for one of the new location positions.

Example 4. Position shared between two locations

Say that you have a sales team in Edmonton and another sales team in Toronto, but both teams are using the same Sales position. If we look at the role assignments of both managers we might see something like below:

Figure 5. Shared positions give access to employees at both locations

Managers from both locations have access to one-another’s employees!

We’ll fix this by

  1. creating new positions for each location and reassigning the positions for employees from both locations,

  2. removing the role assignments for the old position from both manager users,

  3. creating new role assignments for each manager (we give the Edmonton manager a role assignment for the Edmonton position, and the Toronto manager one for the Toronto position).

After applying this fix we will see that the managers now only have access to the employees at their location.

  1. The Edmonton manager has access to all employees at the Edmonton location through the new Edmonton sales position.

Figure 6. After splitting up the position each manager only has access to employees at their location.
  1. Similarly, the Toronto manager has access to all employees at the Toronto location through the new Toronto sales position.
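
The evaluation order described under "How do Role Assignments work?" and the shared-position problem from Example 4, written as a small Python model. This is an added illustration, not Avanti code or its API; the class and function names, the user and employee names, and the position codes are all constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Employee:
    name: str
    location: str
    primary: str
    secondary: tuple = ()

@dataclass(frozen=True)
class Assignment:               # one user role assignment (hypothetical model)
    user: str
    role_type: str              # where it applies, e.g. "Time Entry"
    role: str                   # what it allows, e.g. "Full Approval"
    position: str
    primary_only: bool = False

def visible(user, program, group_access, requirements, assignments, staff):
    """Map employee name -> roles the user holds for them in `program`."""
    if program not in group_access.get(user, ()):
        return None             # user group access is checked first and wins
    role_type = requirements.get(program)
    if role_type is None:       # no role type requirement: everyone is listed
        return {e.name: {"unrestricted"} for e in staff}
    out = {}
    for a in assignments:
        if (a.user, a.role_type) != (user, role_type):
            continue
        for e in staff:
            held = (e.primary,) if a.primary_only else (e.primary, *e.secondary)
            if a.position in held:
                out.setdefault(e.name, set()).add(a.role)
    return out

def cross_location(user, home, group_access, requirements, assignments, staff):
    """Employees outside `home` reachable through any role-restricted program."""
    where = {e.name: e.location for e in staff}
    hits = set()
    for program in requirements:
        seen = visible(user, program, group_access, requirements, assignments, staff) or {}
        hits |= {name for name in seen if where[name] != home}
    return sorted(hits)

def example4(edm_pos, tor_pos):
    """Constructed Example 4 data: who the Edmonton manager reaches in Toronto."""
    staff = [Employee("Dana", "Edmonton", edm_pos), Employee("Lee", "Toronto", tor_pos)]
    assigns = [Assignment("edm_mgr", "Time Entry", "Full Approval", edm_pos),
               Assignment("tor_mgr", "Time Entry", "Full Approval", tor_pos)]
    groups = {"edm_mgr": {"Time Card"}, "tor_mgr": {"Time Card"}}
    return cross_location("edm_mgr", "Edmonton", groups, {"Time Card": "Time Entry"}, assigns, staff)
```

Calling `example4("SALES", "SALES")` lists the Toronto employee the Edmonton manager can reach through the shared position; with separate position codes for each location the list is empty.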

Employee outside of normal org-chart

Sometimes you might have a situation where you have an employee that you want to be accessible by a manager. The trouble is that this employee might have a position that is shared by other employees that you do not want the manager to access.

The solution in this case would be to create a secondary position just for this employee and create a role assignment for the manager to this secondary position.

The manager will only be able to schedule Richard using the new secondary position.

Let’s look at a scenario where we want to give a manager access to an employee, Richard, who will be doing some temporary work in their department. We don’t want to change Richard’s position because he will only be working under the manager for a short time.

To fix this we will

  1. Create a temporary position and assign it to Richard.

  2. Create a role assignment to this temporary position for the manager.

When we have finished, the manager will have access to Richard through this temporary position.

  1. The TEMP position allows the manager access to the employee "Richard".

  2. Notice that "Richard" has a primary position of Manager but we are assigning a role for him through the TEMP position.
