Define Access Roles

Explanation

This activity is used to create an access role and assign access attributes to it. Access roles are responsible for control of what data a user can access and register.

To understand how this activity functions, you need to know the following concepts:

• Access Attribute - a security setting that controls who can access or modify certain data in the application. It is configured in the Access Attributes window.
• Access Role - a group of access attributes, combined together for easy management. It is configured in the Access Role window.

There are two types of access roles:

• Access - this role groups together attributes responsible for access and control over data of other people or organizational data (e.g., headcount plans and vacancy requests).
• Self-Access - this role groups attributes that allow employees and persons to register their own data. If an area in the application is protected by a data registration access attribute, this attribute has to be included in an access role, and assigned to anyone who wants to access the protected content.

Note: You can only assign access attributes of the same access type as the access role. Access type access role can store only Access type attributes, and Self-Access type access role can store only Self-Access type attributes.

In the Access Role Type field, you can select the type of the access role. Once the type is selected, only registration of a specific type of attributes is possible.

You can select the Limited Access option if you want to limit the access only to what is specified by the access attributes.
If you set the option as No, and grant someone access to authorize expenses, this person will be able to see all employee data that are not specifically marked as protected.
However, if you set the option as Yes, and grant someone access authorize expenses, this person will only be able to authorize expenses and won't see any other employee data.

         Use options under Areas of Access to control access over specific types of data:

• Select Personal Data option to grant access to personal data of employees, e.g., personal basic data, competencies, licenses.
• Select Employee Data option to grant access to employee data, e.g., salary, absences, time registration.
• Select Organizational Data option to grant access to data connected to organization units, e.g., headcount plans, vacancy requests.
  Note: In case of self-access roles, these options are deactivated.

In the Attribute ID field, enter the unique identifier of an access attribute you want to assign to the role. You can use the list of values.

Select the Granted option, to activate the attribute. If this option is set to No, the attribute will not work, even if it is assigned to the role. This option is useful for making temporary changes to a role if you don't want to completely remove the record.

In the Attribute Level field, enter the authority level of the attribute. If two supervisors have the ability to alter the same data, the one with higher attribute value will be able to overwrite any changes.

Supervisors can temporarily share their own access roles with their substitutes. They can choose which attributes to give, but if you are certain that an attribute should never be given to anyone other than the person it was assigned to, set the Delegation Allowed option to No. This will prevent the attribute from ever being shared by the supervisor who has the access role.

Prerequisites

In order to perform this activity, access attributes have to be defined in the Access Attributes window.

System Effects

As a result of this activity, an access role will be defined and available for assignment.

Pages

Access Role

Activity Diagrams

HR Access Configuration