Limiting which groups a user can access
You can limit which groups users in your system can access. Limiting a user’s access to a particular group means that user can only view users belonging to that group and its sub-groups, and their data.
Access is limited by role. For example, if you limit access for a user’s Administrator role to your New York location, administrators will only be able to view data for users who are assigned to your New York location when carrying out administrator duties.
If a user is assigned multiple roles, you can define different levels of access for each role. For example, the administrator who can view only New York employees when carrying out administrator duties could be allowed to manage costs for users in all locations.
You can limit access in this way for the Administrator and Cost Manager roles.
You can also limit which projects someone assigned the Project Management role can access, and which users someone assigned the User role can appoint as a substitute or share reports with. Refer to Limiting access for Project Management and Users below for more information.
There are a few reasons why you might want to limit a user’s access:
- To make it easier for users to find employees and projects they are responsible for
- To prevent users from viewing data they shouldn’t have access to
- To limit errors users could make to data they don’t need access to
You can limit groups for the Project Management and User roles, but access limits are a bit different for these roles.
For Project Management, the allowed groups limit which projects a manager can access; managers can only manage projects that are members of groups they're allowed access to. Projects must be assigned to groups to limit access in this way.
You can also restrict access by group for those assigned a User role. In this case, group limits don't determine whose items they can access; instead, they restrict:
- Who they can assign as a substitute user
- Who they can share reports with
- Who they can send scheduled reports to
The user’s current visibility settings are always what limit who they can share with or assign as a substitute, even if their visibility is set to change in the future. For example, if I can currently share with other users in Canada, and I’m due to lose access to users in Canada at the end of this month, I can still set up a substitute from Canada for next month.
To limit what group a user can access:
- Go to Administration > Employees and Organization > Users.
- Click the name of the user whose access you want to modify.
- Select Roles & Permissions from the side menu.
A Roles & Permissions table displays. In the Access section, a field appears for each type of group defined in your system, for each supported role that’s been assigned to the user.
- Click the Access field for the group type you want to filter access by.
- In the drop-down that displays, select the group or groups the user should have access to.
If the group is a hierarchy and you choose a parent group, the user will have access to all children under that parent, even if the check boxes aren't checked.
- If more than one combination of group types is required, click the + icon at the end of the row, and select another combination that the user should be allowed to access.
The 'or' in this case means both selected combinations apply, not one or the other. For a user to be accessible to the administrator, they must belong to all the groups defined in one of the rows. In the example above, to be accessible to the administrator, the employee must belong to HR and be located in Calgary or Toronto, OR they must belong to Finance.
- Click Save Roles & Permissions.
Now the user will only have access to users assigned to the group combinations you selected, including any sub-groups, for the role in question.
What do the User's Location options mean?
In some companies, employees should only have access to the group they belong to.
For example, Jim, a member of the Finance department, can only access the Finance group (i.e. he can only choose Finance group members to act as substitutes, and share reports with).
To make it easier to manage users like Jim whose group assignments might change, you can assign them one of the User's Location options, rather than updating their group access each time they move; group access will update to always match the user's group assignment.
For example, if Jim was assigned the User's Location option, and moved to the Accounting group, he would then automatically only be able to access Accounting group members.
What happens when access is limited for more than one group type?
If a user has access to the New York location and the Marketing division, they will be able to access data for users who are in New York AND Marketing. Users who are in New York but are in another division will not be accessible. The same applies for users who are in Marketing but are in a different location.
What data can a user see if they have their access filtered for one role, but have another role without limited access?
If you assign a user a role without restricting access, or assign a role that doesn't offer access filtering, the user will be able to see all data normally available for that role.
For example, if you limit a user’s access for the Administrator role to your Sydney location only, that user will only see staff from the Sydney office on the Administration > Employees and Organization > Users page.
However, if that user is also assigned the Supervisor role, they’ll be able to see all their direct reports from all offices, not just Sydney, in reports and on pages that supervisors can access, such as the Team pages.
Do a user's assigned groups affect which groups the user has access to?
Users can be assigned to a group in their user profile. That means they are a member of that group. The groups they belong to have no impact on the groups they have access to. For example, even if a user belongs to the Sydney group, they will only have access to all the users in the Sydney group if Sydney is selected in the Access drop-down.
What happens to user access if we move a group from one parent to another?
Refer to Setting up groups for information on that.
If I change a User’s access level, what happens to their existing shared reports and substitutions?
Access defined in any existing shared reports or schedules, and scheduled substitutions, will remain unaffected; you’ll have to get the user to delete these manually, if they should no longer have access.
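The matching rules described above (rows are alternatives, every group type within a row is required, a parent group covers its sub-groups) and the fact that existing shares survive an access change can be modelled as follows. This is an added example, not the product's code: the hierarchy, users and function names are constructed, and it assumes each user belongs to one group per group type.

```python
# Added example: models the access rules described on this page; not the product's code.
# Hierarchy, users and function names are constructed. Assumes one group per group type.
PARENT = {"Calgary": "Canada", "Toronto": "Canada", "New York": "USA"}  # child -> parent

def in_group(member_group, allowed_group):
    """True if member_group is allowed_group or sits anywhere beneath it."""
    g = member_group
    while g is not None:
        if g == allowed_group:
            return True
        g = PARENT.get(g)
    return False

def row_matches(row, membership):
    """Every group type in the row must match (AND); within one group type,
    any of the selected groups may match (OR)."""
    return all(
        any(in_group(membership.get(gtype), allowed) for allowed in selected)
        for gtype, selected in row.items()
    )

def can_access(rows, membership):
    """Rows are alternatives: one matching row is enough.
    An empty list models a role with no access limit."""
    return not rows or any(row_matches(row, membership) for row in rows)

def stale_recipients(rows, recipients, directory):
    """Existing shares and substitutions survive an access change, so list
    the recipients the current rows no longer cover for manual clean-up."""
    return [name for name in recipients if not can_access(rows, directory[name])]

DIRECTORY = {  # constructed sample users
    "ana": {"Department": "HR", "Location": "Calgary"},
    "ben": {"Department": "HR", "Location": "New York"},
    "cho": {"Department": "Finance", "Location": "New York"},
    "dev": {"Department": "Marketing", "Location": "Toronto"},
}
# The page's example: (HR AND (Calgary OR Toronto)) OR Finance
ROWS = [{"Department": ["HR"], "Location": ["Calgary", "Toronto"]},
        {"Department": ["Finance"]}]

if __name__ == "__main__":
    for name, groups in DIRECTORY.items():
        print(name, can_access(ROWS, groups))
    print("review:", stale_recipients(ROWS, ["ana", "ben", "cho"], DIRECTORY))
```

Running the same check over a user's existing share and substitute recipients after narrowing their access gives the list of entries to ask them to delete.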