Role assignments control which Managers and Regular Users can access employee data and are used alongside user group access to protect the data of your employees. The motivation for using role assignments within your company is to give each user access only to the employees they need in order to perform their job.
Overview
How do Role Assignments work?
Role assignments work at the level of programs (menu items) within Avanti and on the Avanti Self-Service Portal. When a Manager or Regular User tries to access a program, their role assignments determine which employees display and what access they have to the employees.
When a user tries to access data with a role requirement in place, Avanti confirms the user's access to each employee based on the role.
Then, only the employees which this user has access to are displayed.
To access employee data, the User must have Role Assignments and User Group Access to the employee's Pay Group.
Which employees can a role assignment access?
When a user has a role assignment for a position, they will have access to all employees with this position.
Role assignments can apply to the employee’s primary or secondary positions, or be restricted to just the primary position as required.
Role assignments are for a position, not for individual employees.
Role assignments are only required when accessing programs that have a role type requirement placed on them.
Some programs are restricted by default: Time and Attendance on the Avanti Desktop and all programs on the Avanti Self-Service Portal have default role type requirements. (Refer to Appendix B of the Web Services manual.)
Let’s look at what effect a role type requirement on a program has when a user accesses the program.
1. With a role type requirement, the Employee Lookup limits which employees are displayed based on the role assignment of the current user.
2. Without a role type requirement, the Employee Lookup displays all employees for which the user has pay group permissions.
Role Assignments
Role assignments can be created from the user role assignment window located in System Administration > System Access Controls > Role Administration > User Role Assignments.
Role assignments are created between a user and a position. This allows the user access to employees with that position within your organization.
Role assignments consist of a Role Type and a Role. The Role Type determines where the role assignment will be used, and the Role determines what the role assignment allows the user to do.
Multiple role assignments for the same position can be created for different Role Types. This allows you to control what access a user has to the employees depending on where they are accessing the employees from.
For example, a manager might be given view-only access for the employee data for scheduling and given full-access for time cards.
Role Types
Role Types are used to control who can access employee data from a given program. One way to think about how Role Types work is to think of them as locks: only users with the corresponding Role Type assignment can access employee data using the program with a Role Type.
For example, suppose the Time Card program on the web requires that a user has the Time Entry role type. Any user without a Time Entry role assignment will not have access to employee data from the Time Card program.
1. With role assignments, the manager has access to the employees they have role assignments for and can access each using the drop-down on the Time Cards window.
2. Without a role assignment, the manager will not be able to access employee data.
Role Types are applied on a per-menu-item basis and only one Role Type is allowed per menu item. A Role Type assigned to the Employee Profile, for example, would require that any users accessing the Employee Profile have the required Role Type.
One user could have full access to employee data with one Role Type but have no access with that same Role Type when accessing another menu item. This distinction is important to remember when working with Role Types: Role Types are per-menu-item.
Let’s look at a practical example of different Role Types in action. In the scenario below we have two menu items, each with a different Role Type assigned to it. When a user with different role assignments for each role type accesses the two menu items, they will see different employees’ data.
The Health and Safety menu item uses Role Type A. Only the employee data corresponding to role assignments for Role Type A are displayed.
The Employee Profile menu item has a different Role Type, B. Only the employee data corresponding to role assignments for Role Type B are displayed.
Roles
Roles control the kind of access—or permissions—that a user has for a given Role Type. The Role basically determines what a user will be able to do with the employee data they have role assignments for.
For example, one Role might only allow employee information to be viewed (a read-only role), while another might give full access to read, modify, and delete employee data (an admin role).
With a view-only role, the user can look at the information for the employees that they have role assignments for, but will be unable to do approvals, add new time, change time, or delete time.
Add, change, and delete time from the employee.
Approve time that has already been entered.
Positions
Role assignments are based on positions; this allows all employees with the same position to be included in one role assignment. In practice this would require that a manager user be given role assignments for all positions reporting to them, and that all employees have a position assigned to them.
This also means that employees with multiple positions could have multiple role assignments for them through different positions. This allows you to spread the management responsibilities between two managers for each position, for example.
Using Role Assignments effectively
Let’s look at a common scenario for Role Assignments within a company. We have a Manager that needs to schedule employees and approve the scheduled time for the employees directly under them.
To keep things simple we will assume that the employees beneath the manager all have the same position and this position is not shared by any other employees outside of this group.
There are some "gotchas" with role assignments that you should keep in mind when using them. Check out the Common Troubleshooting section for more details.
In this scenario we need to set up the manager user account with role assignments for these employees. Let’s go over how to do that now.
Setting up the Manager
The manager will need a user account that they use to log in with. This account is where the role assignments will be assigned. Since we are keeping things simple to begin with, we will only need to create 2 role assignments for the manager: one with the Scheduling role type for the employee position, and another for the Time Entry role type for the employee position.
Open the user role assignments window located in System Administration > System Access Controls > Role Administration > User Role Assignments.
Assign a new role assignment to the manager user:
1. Select the manager user from the left.
2. Select the Assign Roles function for the Time Entry role type.
3. Select the Full Approval Permission for the Role.
4. Select the Scheduling role type under additional role types.
5. Select the position from the org-chart in the center.
Selecting additional role types allows multiple role assignments for the currently selected positions to be made for different role types at once. This will save you time if you plan on having the same positions for each of the role assignments.
Finish the role assignment by pressing Assign now.
With the role assignments for the employee position created, the manager will now be able to schedule employees and approve time worked.
One last thing we should do is check that the role assignment gives the manager access to all their employees. We’ll go over how to confirm this in the next section.
Confirm role assignments are correct
Now that we have created a role assignment for the manager, we probably want to confirm that they have access to all the employees under them. We can do this by running the role assignment report.
Open the role assignment report from System Administration > System Access Controls > Role Assignments Report.
Select the following options from the Report Defaults tab:
Select only the manager user to report on.
Select one or more of the roles to report on.
Enable Print Employees to get a listing of every employee that the manager has a role assignment for.
From this report we can see that the manager has role assignments for Jessie and Ash for both the Time Entry and Scheduling roles.
Hiring new employees
Some time passes and the company has hired a new employee that will be starting under this same manager. So long as the new employee has the same position that the manager already has a role assignment for, the new employee will automatically be accessible to the manager.
It’s important to keep in mind that role assignments operate at the position level and not the employee level. To see how this can introduce complications for role assignments, check out the Common Troubleshooting section.
Let’s look at an example of how this works.
A new employee named Mell is hired under the existing position of Sales.
The manager automatically gets access to the new employee because they already have a role assignment for this position.
Common Troubleshooting
At times, using role assignments can get tricky when positions are too general. Some common scenarios where role assignments cause friction are listed below:
Multiple departments sharing the same positions
If you have more than one department in your company with the same position codes shared between them, then any role assignments to this position will allow access to employees at both locations.
The solution in this case would be to split the shared position into separate position codes. After splitting the position, the role assignment for the shared position would be replaced with a role assignment for one of the new location positions.
Say that you have a sales team in Edmonton and another sales team in Toronto, but both teams are using the same Sales position. If we look at the role assignments of both managers we might see something like below:
Managers from both locations have access to one another’s employees!
We’ll fix this by:
Creating new positions for each location and reassigning the positions for employees from both locations,
Removing the role assignments for the old position from both manager users,
Creating new role assignments for each manager (we give the Edmonton manager a role assignment for the Edmonton position, and the Toronto manager one for the Toronto position).
After applying this fix we will see that the managers now only have access to the employees at their location.
The Edmonton manager has access to all employees at the Edmonton location through the new Edmonton sales position.
Similarly, the Toronto manager has access to all employees at the Toronto location through the new Toronto sales position.
Employee outside of normal org-chart
Sometimes you might have a situation where you have an employee that you want to be accessible by a manager. The trouble is that this employee might have a position that is shared by other employees that you do not want the manager to access.
The solution in this case would be to create a secondary position just for this employee and create a role assignment for the manager to this secondary position.
The manager will only be able to schedule Richard using the new secondary position.
Let’s look at a scenario where we want to give a manager access to an employee Richard who will be doing some temporary work in their department. We don’t want to change Richard’s position because he will only be working under the manager for a short time.
To fix this we will:
Create a temporary position and assign it to Richard.
Create a role assignment to this temporary position for the manager.
When we have finished, the manager will have access to Richard through this temporary position.
1. The TEMP position allows the manager access to the employee "Richard".
2. Notice that "Richard" has a primary position of Manager but we are assigning a role for him through the TEMP position.
Important: The role type must use secondary positions for this to be successful.
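The two troubleshooting cases above (a position shared between locations, and access through a secondary position) can be checked with a small model of the rules this page describes. This is an added example, not Avanti code: the position codes, pay group, user names, and the employees Robin and Kai are constructed, and it assumes both locations share one pay group.

```python
# Added illustrative model of the rules on this page; not Avanti code.
# Position codes, pay group, users and Toronto employee names are constructed.
from collections import defaultdict, namedtuple

Employee = namedtuple("Employee", "name location pay_group primary secondary")
Assignment = namedtuple("Assignment", "user role_type role position")

def visible(user, role_type, employees, assignments, pay_groups,
            use_secondary=True):
    """Names of employees a user sees in a menu item with this role type."""
    in_group = [e for e in employees if e.pay_group in pay_groups.get(user, ())]
    if role_type is None:  # program has no role type requirement
        return sorted(e.name for e in in_group)
    held = {a.position for a in assignments
            if a.user == user and a.role_type == role_type}
    def positions(e):
        return {e.primary} | (set(e.secondary) if use_secondary else set())
    return sorted(e.name for e in in_group if held & positions(e))

def shared_positions(employees, assignments):
    """Role-assigned positions whose holders span more than one location."""
    locations = defaultdict(set)
    for e in employees:
        for pos in {e.primary, *e.secondary}:
            locations[pos].add(e.location)
    assigned = {a.position for a in assignments}
    return {p: sorted(locs) for p, locs in locations.items()
            if p in assigned and len(locs) > 1}

def scenario(edm_pos, tor_pos):
    """Two sales teams plus Richard, reachable only through TEMP."""
    full = "Full Approval Permission"
    employees = [Employee("Jessie", "Edmonton", "PG1", edm_pos, ()),
                 Employee("Ash", "Edmonton", "PG1", edm_pos, ()),
                 Employee("Robin", "Toronto", "PG1", tor_pos, ()),
                 Employee("Kai", "Toronto", "PG1", tor_pos, ()),
                 Employee("Richard", "Edmonton", "PG1", "MANAGER", ("TEMP",))]
    assignments = [Assignment("edm_mgr", "Time Entry", full, edm_pos),
                   Assignment("tor_mgr", "Time Entry", full, tor_pos),
                   Assignment("edm_mgr", "Scheduling", full, "TEMP")]
    pay_groups = {"edm_mgr": {"PG1"}, "tor_mgr": {"PG1"}}
    return employees, assignments, pay_groups

before = scenario("SALES", "SALES")          # one shared position code
after = scenario("SALES-EDM", "SALES-TOR")   # position split per location

if __name__ == "__main__":
    for label, (emps, asg, pgs) in (("before", before), ("after", after)):
        print(label, visible("edm_mgr", "Time Entry", emps, asg, pgs),
              shared_positions(emps, asg))
```

Running `shared_positions` over an export of positions and role assignments flags any position code that needs splitting before it exposes another location's employees.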