Limiting access by group is only available with Enterprise-level products.
You can limit which groups users in your system can access. Limiting a user’s access to a particular group means that user can only view users belonging to that group and its sub-groups, and their data.
Access is limited by role. For example, if you limit access for a user’s Administrator role to your New York location, administrators will only be able to view data for users who are assigned to your New York location when carrying out administrator duties.
If a user is assigned multiple roles, you can define different levels of access for each role. For example, the administrator who can view only New York employees when carrying out administrator duties could be allowed to manage payroll for users in all locations.
You can limit access in this way for the Administrator, Payroll Manager, Cost Manager, and Schedule Manager roles.
You can also limit which projects someone assigned the Project Management role can access, and which users someone assigned the User role can appoint as a substitute or share reports with. Refer to Limiting access for Project Management and Users below for more information.
There are a few reasons why you might want to limit a user’s access:
You can limit groups for the Project Management and User roles, but access limits are a bit different for these roles.
For Project Management, the allowed groups limit which projects a manager can access; managers can only manage projects that are members of groups they're allowed access to. Projects must be assigned to groups to limit access in this way.
You can also restrict access by group for those assigned a User role. In this case, group limits don't determine whose items they can access; instead, they restrict:
The user’s current visibility settings are always what limit who they can share with or assign as a substitute, even if their visibility is set to change in the future. For example, if I can currently share with other users in Canada, and I’m due to lose access to users in Canada at the end of this month, I can still set up a substitute from Canada for next month.
To limit what group a user can access:
A Roles & Permissions table displays. In the Access section, a field appears for each type of group defined in your system, for each supported role that’s been assigned to the user.
If the group is a hierarchy and you choose a parent group, the user will have access to all children under that parent, even if the check boxes aren't checked.
The 'or' in this case means both selected combinations apply, not one or the other. For a user to be accessible to the administrator, they must belong to all the groups defined in one of the rows. In the example above, to be accessible to the administrator, the employee must belong to HR and be located in Calgary or Toronto, OR they must belong to Finance.
Now the user will only have access to users assigned to the group combinations you selected, including any sub-groups, for the role in question.
In some companies, employees should only have access to the group they belong to.
For example, Jim, a member of the Finance department, can only access the Finance group (i.e. he can only choose Finance group members to act as substitutes or to share reports with).
To make it easier to manage users like Jim whose group assignments might change, you can assign them one of the User's Location options, rather than updating their group access each time they move; group access will update to always match the user's group assignment.
For example, if Jim was assigned the User's Location option, and moved to the Accounting group, he would then automatically only be able to access Accounting group members.
If a user has access to the New York location and the Marketing division, they will be able to access data for users who are in New York AND Marketing. Users who are in New York but are in another division will not be accessible. The same applies for users who are in Marketing but are in a different location.
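The row logic described above (all groups within a row must match, any one row is enough, and a parent group covers its children) can be checked with a small model before you rely on a configuration. This is an added example, not Replicon code; the group type names, the location hierarchy and the sample directory are constructed for illustration.

```python
# Added illustration; group names, the hierarchy and the directory are constructed.
PARENT = {"Calgary": "Canada", "Toronto": "Canada", "New York": "USA"}  # child -> parent

def in_group(member_group, allowed_group):
    """True if member_group is allowed_group or sits anywhere beneath it."""
    g = member_group
    while g is not None:
        if g == allowed_group:
            return True
        g = PARENT.get(g)
    return False

def row_matches(row, target_groups):
    """AND: the target must satisfy every group type listed in the row."""
    for group_type, allowed in row.items():
        mine = target_groups.get(group_type)
        if mine is None or not any(in_group(mine, a) for a in allowed):
            return False
    return True

def can_access(rows, target_groups):
    """OR across rows; an empty row list models a role with no access restriction."""
    return not rows or any(row_matches(r, target_groups) for r in rows)

def visible(rows, directory):
    """Names in the directory that a role limited by `rows` can see."""
    return sorted(n for n, groups in directory.items() if can_access(rows, groups))

# The example from the text: (HR AND (Calgary OR Toronto)) OR Finance.
ADMIN_ROWS = [
    {"department": {"HR"}, "location": {"Calgary", "Toronto"}},
    {"department": {"Finance"}},
]
# Selecting a parent group covers its children.
CANADA_ROWS = [{"location": {"Canada"}}]

DIRECTORY = {
    "alice": {"department": "HR", "location": "Calgary"},
    "bob": {"department": "HR", "location": "New York"},
    "carol": {"department": "Finance", "location": "New York"},
    "dave": {"department": "Marketing", "location": "Toronto"},
}

if __name__ == "__main__":
    print(visible(ADMIN_ROWS, DIRECTORY))   # ['alice', 'carol']
    print(visible(CANADA_ROWS, DIRECTORY))  # ['alice', 'dave']
    print(visible([], DIRECTORY))           # everyone
```

Running the same check against an export of your own users and access rows shows exactly who a role can reach, which is useful when reviewing whether a restriction is as narrow as intended.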
If you assign a user role without restricting access or assign a role that doesn't offer access filtering, the user will be able to see all data normally available for that role.
For example, if you limit a user’s access for the Administrator role to your Sydney location only, that user will only see staff from the Sydney office on the Administration > Employees and Organization > Users page.
However, if that user is also assigned the Supervisor role, they’ll be able to see all their direct reports from all offices, not just Sydney, in reports and on pages that supervisors can access, such as the Team pages.
Users can be assigned to a group in their user profile. That means they are a member of that group. The groups they belong to have no impact on the groups they have access to. For example, even if a user belongs to the Sydney group, they will only have access to all the users in the Sydney group if Sydney is selected in the Access drop-down.
New departments and employee types behave as groups, so if you've been upgraded to the new versions, you can limit access by membership in those groups. Otherwise, you can only limit access by location, cost center, service center, or division. Contact Replicon Support for information about upgrading to the new departments and employee types.
Refer to Setting up groups for information on that.
Access defined in any existing shared reports or schedules, and scheduled substitutions, will remain unaffected; you’ll have to get the user to delete these manually, if they should no longer have access.