Limiting which groups a user can access

Limiting access by group is only available with Enterprise-level products.

You can limit which groups users in your system can access. Limiting a user’s access to a particular group means that user can only view users belonging to that group and its sub-groups, and their data.

Or, it means they can only view and manage projects belonging to that group.

Access is limited by role. For example, if you limit access for a user’s Administrator role to your New York location, administrators will only be able to view data for users who are assigned to your New York location when carrying out administrator duties.

If a user is assigned multiple roles, you can define different levels of access for each role. For example, the administrator who can view only New York employees when carrying out administrator duties could be allowed to manage payroll for users in all locations.

Currently, you can only limit access by group for the Administrator, Payroll Manager, Project Management, and Schedule Manager roles.

Why might we want to filter users and projects by group?

There are a few reasons why you might want to limit a user’s access:

  • To make it easier for users to find employees and projects they are responsible for
  • To prevent users from viewing data they shouldn’t have access to
  • To limit errors users could make to data they don’t need access to

Limiting data by group

To limit what group a user can access:

  1. Go to Administration > Employees and Organization > Users.
  2. Click the name of the user whose access you want to modify.
  3. Select Roles & Permissions from the side menu.

A Roles & Permissions table displays. In the Access section, a field appears for each type of group defined in your system, for each supported role that’s been assigned to the user.

  1. Click the Access field for the group type you want to filter access by.

  1. In the drop-down that displays, select the group or groups the user should have access to.

If the group is a hierarchy and you choose a parent group, the user will have access to all children under that parent, even if the check boxes aren't checked.

  1. If more than one combination of group types is required, click the + icon at the end of the row, and select another combination that the user should be allowed to access.

The 'or' in this case mean both selected combinations apply, not one or the other. For a user to be accessible to the administrator, they must belong to all the groups defined in one of the rows. In the example above, to be accessible to the administrator, the employee must belong to HR and be located in Calgary or Toronto, OR they must belong to Finance. 

  1. Click Save Roles & Permissions.

Now the user will only have access to users assigned to the group combinations you selected, including any sub-groups, for the role in question.


What happens when access is limited for more than one group type?

If a user has access to the New York location and the Marketing division, they will be able to access data for users who are in New York AND Marketing. Users who are in New York but are in another division will not be accessible. The same applies for users who are in Marketing but are in a different location.

What data can a user see if they have their access filtered for one role, but have another role without limited access?

If you assign a user role without restricting access or assign a role that doesn't offer access filtering, the user will be able to see all data normally available for that role.

For example, if you limit a user’s access for the Administrator role to your Sydney location only, that user will only see staff from the Sydney office on the Administration > Employees and Organization > Users page.

However, if that user is also assigned the Supervisor role, they’ll be able to see all their direct reports from all offices, not just Sydney, in reports and on pages that supervisors can access, such as the Team pages.

Do a user's assigned groups affect which groups the user has access to?

Users can be assigned to a group in their user profile. That means they are a member of that group. The groups they belong to have no impact on the groups they have access to. For example, even if a user belongs to the Sydney group, they will only have access to all the users in the Sydney group if Sydney is selected in the Access drop-down.

How can I limit access by department or employee type?

You can currently only limit access by membership in the customizable group types – location, cost center, service center, or division.

If you need to limit access by department or employee type, rename one of the customizable group types and use it as a department or employee type filter.

What happens to user access if we move a group from one parent to another?

Refer to Setting up groups for information on that.