Limiting which groups a user can access
Looking for help with this feature in Polaris? Check out Limiting which groups a user can access in the Polaris help.
You can limit which groups users in your system can access. Limiting a user’s access to a particular group means that user can only view users belonging to that group and its sub-groups, and their data.
How access limits work
Access is limited by role. For example, if you limit access for a user’s Administrator role to your New York location, administrators will only be able to view data for users who are assigned to your New York location when carrying out administrator duties.
If a user is assigned multiple roles, you can define different levels of access for each role. For example, the administrator who can view only New York employees when carrying out administrator duties could be allowed to manage payroll for users in all locations.
You can also limit which projects someone assigned the Project Management role can access, and what users someone assigned the User role can appoint as a substitute, or share reports with. Refer to How access limits work for each role below for more information.
If you don't add limits, all roles have access to all users (and projects, in the case of the Project Management role).
Which Replicon products support groups functionality?
All Replicon products offer some groups for classifying users, but the following products offer 6 group types and support limiting access by group:
- TimeBill Plus
- Professional Services Automation
- Professional Portfolio Management
- ProjectTime Plus
- Workforce Management
- TimeOff Enterprise
- Replicon for ADP Workforce Now
- Polaris
Why might we want to limit access by group?
There are a few reasons why you might want to limit a user’s access:
- To make it easier for users to find employees and projects they are responsible for
- To prevent users from viewing data they shouldn’t have access to
- To limit errors users could make to data they don’t need access to
How access limits work for each role
For most roles (that is, Administrator, Payroll Manager, Cost Manager, Schedule Manager, Resource Manager, and Team Manager), a user assigned these roles can view and manage users who belong to the groups allowed for each.
But, this feature works a bit differently for the Project Management and User roles. Refer to the sections below for more details.
Access cannot be limited by group assignment for the Billing Manager, Client Representative, and Supervisor roles.
Access for the Project Management role
The allowed groups determine which projects a manager can access; managers can only manage projects that belong to groups they're allowed access to. Projects must be assigned to groups to limit access in this way, using the Project Info > Project Belongs To field for each project.
Access for the User role
For the User role, when you assign user access restrictions, you are determining:
- Who the user assigned that role can assign as a substitute user
- Who they can share reports with
- Who they can send scheduled reports to
- In Replicon, which projects they can be assigned to; limitation can be set up per project, using the Project Info > Assign Team From field for the project
Limiting access by group
To limit what group a user can access:
- Go to Administration > Employees and Organization > Users.
- Click the name of the user whose access you want to modify.
- Select Roles & Permissions from the side menu.
A Roles & Permissions table displays. In the Access section, a field appears for each type of group defined in your system, for each supported role that’s been assigned to the user.
- Click the Restrict Access field.
Then, click the field for the group type you want to filter access by.
- In the drop-down that displays, select the group or groups the user should have access to.
If the group is a hierarchy and you choose a parent group, the user will have access to all children under that parent, even if the check boxes aren't checked.
- If more than one combination of group types is required, click the + icon at the end of the row, and select another combination that the user should be allowed to access.
The 'or' in this case mean both selected combinations apply, not one or the other. For a user to be accessible to the administrator, they must belong to all the groups defined in one of the rows. In the example above, to be accessible to the administrator, the employee must belong to HR and be located in Calgary or Toronto, OR they must belong to Finance.
- Click Save Roles & Permissions.
Now the user will only have access to users assigned to the group combinations you selected, including any sub-groups, for the role in question.
FAQs
What do the User's Department and User's Location options mean?
In some companies, employees should only have access to the group they belong to.
For example, Jim, a member of the Finance department, can only access the Finance group (i.e. he can only choose Finance group members to act as substitutes, and share reports with).
To make it easier to manage users like Jim whose group assignments might change, you can assign them one of the User's Department options, rather than updating their group access each time they move; group access will update to always match the user's group assignment.
For example, if Jim was assigned the User's Department option, and moved to the Accounting group, he would then automatically only be able to access Accounting group members.
The user’s current group settings are always what limit who they can share with or assign as a substitute, even if their assignment is set to change in the future.
For example, if Jim is currently assigned to the Finance department, and is set to move to Accounting next month, he can still set up a substitute from Finance for next month.
What happens when access is limited for more than one group type?
If a user has access to the New York location and the Marketing division, they will be able to access data for users who are in New York AND Marketing. Users who are in New York but are in another division will not be accessible. The same applies for users who are in Marketing but are in a different location.
What data can a user see if they have their access filtered for one role, but have another role without limited access?
If you assign a user role without restricting access or assign a role that doesn't offer access filtering, the user will be able to see all data normally available for that role.
For example, if you limit a user’s access for the Administrator role to your Sydney location only, that user will only see staff from the Sydney office on the Administration > Employees and Organization > Users page.
However, if that user is also assigned the Supervisor role, they’ll be able to see all their direct reports from all offices, not just Sydney, in reports and on pages that supervisors can access, such as the Team pages.
If a user with different access to users or projects substitutes for me, what data will they be able to see?
When a user substitutes for you, they assume all of your system access and permissions. Therefore, the access assigned in their own profile doesn't apply, they are only limited by your assigned limits and permissions.
For example, payroll manager Jane has access to view and manage the Finance department, while administrator Jim does not have access to Finance as a payroll manager. She assigns Jim to carry out her payroll tasks when she's away, and when he logs in as Jane, he can see payroll data, and can carry out payroll tasks, for all members of the Finance department.
Do the groups a user is assigned to affect which groups the user has access to?
Users can be assigned to a group in their user profile. That means they are a member of that group. The groups they belong to have no impact on the groups they have access to. For example, even if a user belongs to the Sydney group, they will only have access to all the users in the Sydney group if Sydney is selected in the Access drop-down.
What happens to user access if we move a group from one parent to another?
Refer to Setting up groups for information on that.
If I change a User’s access level, what happens to their existing shared reports and substitutions?
Access defined in any existing shared reports or schedules, and scheduled substitutions, will remain unaffected; you’ll have to get the user to delete these items manually, if they should no longer have access.
Related links
Using groups to limit data access (video)
Setting up groups
Setting up locations
Setting up departments
Setting up employee types