Detailed access control
User roles
User roles are a predefined set of permissions that can be applied to a user or a group of users. Access can be provided to users by assigning them the same role (i.e., the same predefined set of permissions). User roles thus help the administrative user replicate access permissions across users without duplicating work, and they reduce the risk of errors in access permissions.
Creating a user role
To create a user role, proceed as follows:
Click on the settings icon and select User roles.
In the User roles page, you can see a list of the user roles you created.
Click on the Add role button. A new window will open.
To define the access restrictions for a user role proceed as follows:
Enter the Name for the new user role.
Define the access restrictions through five categories of access:
Operations (adding, editing or deleting users)
Features (using compensation assistant or Job evaluations)
Per-label (only access Sweden labeled items)
Per-record (filter certain rows from datasets e.g. unionized employees)
Per-column (e.g. do not access or display employee ID)
Once you are happy with the user role, click the Add role button at the bottom of the page and the user role will appear at the top of the list.
Assigning a role to a user
You may assign the user role while creating a new user or you may select already existing users and assign them collectively to a selected user role.
For more information about selecting a role while creating a new user, see: 'Managing users'.
To add more users to the same role, proceed as follows:
Select the Users you want to add to the same role.
Choose the Role from the drop-down list. The relevant access will be defined automatically.
Click Save to enable your changes.
Defining a granular access for a user or a user role
To define granular access, proceed as follows:
Click on the Settings icon.
If you are defining the access for an individual user, select User management.
If you are defining access for a user role that can be applied to one or more users, select User roles.
To define the access you should open the corresponding user or user role (either adding a new one or editing an existing one).
The user access settings are divided into five main categories that are described below. For simplicity, the description is based on a single user but the settings for user roles are identical.
Granted operations, where you decide which operations the user can carry out in PayAnalytics. Most of these operations are self-explanatory (e.g., granting access to upload a dataset) but there are a few that you should be aware of:
Granting access to create and modify users implies granting the user full admin access. This user can create, edit and delete users, change passwords or disable 2-factor authentication for any user. Note that a user with this access can modify their own access and thus grant themselves full access to all the options in PayAnalytics. We recommend that at least two people in the organization have this type of access since they can work as each other's backup.
As labels can be used for action controls (see Labels), granting access to modify labels may result in the user being able to give (or remove) other users access to data. This applies to labels for data sets, compensation benchmarking, compensation brackets and freezes, and job evaluation.
As system parameters are defined across the instance, any user with access to modify system parameters can modify them for all users.
System feature availability, where you decide which features the user should be able to see and use. Most of the features are either accessible or not, but there are two exceptions:
A user who does not have access to the data set/analysis overview could still be able to access a specific dataset if they have its URL. The third category describes how labels are used to control access to specific data sets.
The Compensation Assistant includes more granular access controls. The first four options control the content of the results page. If they are all unchecked (but the Compensation Assistant is checked), then the user only gets the suggested compensation without any context. The fifth option controls whether the user is forced to use the default reference analysis as defined in the system parameters, and the sixth option controls whether the user is able to share any results with other users.
Per-label access control, where you use labels to control access to different data in the platform. To learn how to configure labels, see Labels. You can use labels to define access to datasets, analysis, compensation benchmarking data, pay bands and freezes, and job evaluations. Note that the same label (or combination of labels) will be used to define the access to all the different types of data (for example, if you give the user access to the label “Reporting”, the user will have access to all elements that have that label), unless you specify that the user should have access to all data of the same type.
To define access to data using labels, proceed as follows:
Uncheck the corresponding box(es) and select Add entry. A box will appear where you can define the filter using labels.
Click on the Label icon and select the label on which you want to base the restriction of the user’s access. Once the restriction is accepted, the user will only have access to objects with that specific label. If you wish to limit the access further, you can add another label in the same entry, so the user only has access to objects that have both labels.
If you wish to increase the access, click Add entry again and add another label in another entry, so the user has access to objects that have at least one of those labels.
Per-record or column access control, where you can define which rows of data sets the user has access to, and if they can see the detailed information of those rows. Note that these controls are only applied to data sets that the user has access to based on the per-label access controls.
To give detailed access to all rows make sure that both boxes are checked. To define access to a part of the rows, proceed as follows:
Uncheck the first checkbox.
Select a reference dataset that you will use to define the accessible rows by using filtering.
To choose the rows, click on the Filter icon of any variable and define the filters that give you the relevant rows. Remember, you can filter as many variables as you need.
Note that any columns where the data should not be visible will be treated in the following manner:
Columns with text will look like all cells are empty.
Columns with numbers will have 0 in all cells.
If the unique employee ID should not be visible, then the system replaces them with a sequence of anonymous numbers.
Per-column access control, where you can define what columns the user can see in the data sets they have access to. As in Per-record access control, you should define a reference dataset. Then you define the access to columns based on the available columns in that dataset.
For per-record and per-column access controls keep in mind that the reference dataset works as an example dataset. Therefore, the names of the variables (i.e., columns) and categories need to be exactly the same as the names in the data sets that the user has access to (through per-label access). If the names do not match, then the user will not have access to any data.
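The rules in this section (labels combined with AND inside one entry and OR across entries, per-record and per-column controls applied only after label access, masking of hidden columns, and exact name matching) can be sketched as a small model to reason about what a role will actually see. This is an added example, not PayAnalytics code; the function names, the role and dataset structures, the numbering of anonymous IDs from 1, and the sample data are assumptions made for illustration.

```python
# Added illustration (not PayAnalytics code): simplified model of the rules above; all values constructed.

def label_allows(entries, object_labels):
    """entries=None models 'access to all data of this type' being checked.
    Labels inside one entry are ANDed; separate entries are ORed."""
    if entries is None:
        return True
    # Modelling assumption: an empty entry grants nothing.
    return any(e and set(e) <= set(object_labels) for e in entries)

def restricted_view(role, dataset):
    """Rows the role may see, with non-visible columns masked."""
    if not label_allows(role["label_entries"], dataset["labels"]):
        return []          # per-record/column rules only apply after label access
    columns = dataset["columns"]                     # {name: "text" | "number"}
    referenced = set(role["row_filter"]) | set(role["visible_columns"])
    if not referenced <= set(columns):
        return []          # variable names must match exactly, else no data
    rows = [r for r in dataset["rows"]
            if all(r[c] in allowed for c, allowed in role["row_filter"].items())]
    view = []
    for seq, row in enumerate(rows, start=1):
        masked = {}
        for name, kind in columns.items():
            if name in role["visible_columns"]:
                masked[name] = row[name]
            elif name == dataset["id_column"]:
                masked[name] = seq                   # anonymous sequence number
            else:
                masked[name] = "" if kind == "text" else 0
        view.append(masked)
    return view

DATASET = {
    "labels": {"Sweden", "Reporting"}, "id_column": "employee_id",
    "columns": {"employee_id": "number", "name": "text", "unionized": "text", "salary": "number"},
    "rows": [
        {"employee_id": 4711, "name": "A", "unionized": "yes", "salary": 52000},
        {"employee_id": 4712, "name": "B", "unionized": "no", "salary": 61000},
        {"employee_id": 4713, "name": "C", "unionized": "no", "salary": 58000},
    ],
}
ROLE = {"label_entries": [{"Sweden", "Reporting"}, {"Canada"}],  # (Sweden AND Reporting) OR Canada
        "row_filter": {"unionized": {"no"}},
        "visible_columns": {"unionized", "salary"}}

if __name__ == "__main__":
    for visible_row in restricted_view(ROLE, DATASET):
        print(visible_row)
```

Changing the filter key to `Unionized` or the category to `No` in this model returns no rows, which mirrors the exact-name requirement stated above and is the first thing to check when a user reports seeing no data.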
Access permissions breakdown
This section details all the access controls available in the system and their influence on the elements users see on screen and the actions they can perform.
Granted operations breakdown
Granted operations are focused on actions a user can do. This includes user management, label management, dataset management, as well as the execution of analyses and task runner actions.
By default, any user is able to do any operation, with the exception of creating and editing users and viewing the audit log.
The following table breaks down all the permissions in the Granted operations section:
| Permission | Description |
|---|---|
| Grant access to create and modify users | Allows the user to create and manage users. This is useful for security or administrative roles. We recommend having a minimum of two users with this role. |
| Grant access to create and use API access token | Allows the user to use the API to retrieve your data from other systems. Give this access to users who are managing your data and if you are using the API import. |
| Grant access to view audit log | Allows the user to view the system audit logs. This option is disabled by default. Audit logs should be restricted only to security or admin roles. Specific audit settings and log retrieval depend on your company policy. |
| Grant access to upload new datasets | Allows the user to load new datasets into the system. If you are importing data via the API, you can disable this option. Similarly, you can disable this option if your data is managed locally or centrally. We recommend only having deletion enabled for the admin users. |
| Grant access to delete datasets | Allows the user to delete datasets from the system. We recommend enabling this option for admin users. |
| Grant access to perform a task run | Allows the user to use the task runner. The task runner is a premier feature which enables users to pull and collate results from multiple analyses. Since the feature allows the user to extract multiple analysis results, this role should be reserved for users with full access to all system data. |
| Grant access to task runner setups and run results | Allows the user to access the task runner configuration and view run results. The task runner is a premier feature which enables users to pull and collate results from multiple analyses. Since the feature allows the user to extract multiple analysis results, this role should be reserved for users with full access to all system data. |
| Grant access to modify dataset labels; Grant access to modify analysis labels; Grant access to modify compensation benchmarking labels; Grant access to modify pay bands labels; Grant access to modify job evaluation labels; Grant access to modify run analysis presets labels; Grant access to modify compensation assistant preset labels; Grant access to modify employee groups labels | Allows the user to modify the relevant labels. These options cover the different label management settings available; access should be enabled for users managing the label control access if this is enabled. Consider what functionality is in use and what is relevant for your organization. |
| Grant access to run analysis | Allows users to run pay equity analyses on datasets. Disable this option for users who should not run analyses but only view the pay equity analysis results. |
| Grant access to modify currency tables; Grant access to modify system parameters | These two settings affect the full platform so it is recommended that this is managed by an admin role. For currency tables, it is important to note that changes to your currency rates need to be updated in the platform before configuring your dataset for the analysis. |
System feature availability breakdown
System feature availability parameters provide access to full features including the Compensation assistant, Job evaluation, Pay equity analysis, Pay bands and Labels.
The following table breaks down all the permissions in the System feature availability section:
| Permission | Description |
|---|---|
| Compensation assistant | Premier feature that enables you to predict gender-neutral salaries for employees based on the variables of your compensation model. Within this feature, you can also choose to enable or disable different widgets displayed within the feature once enabled. |
| Job evaluations | Compares different jobs and employee characteristics based on standard and objective criteria to ensure equal pay for work of equal value. This is used in countries, such as Sweden and Canada, that have specific legal requirements. |
| Dataset/Analysis | Allows the user to view pay equity analysis pages and run analyses on your datasets. If left unselected, this view will be hidden and the user will not be able to view or run any analyses. When this feature is hidden, the user will not have access to the datasets, analyses and reports. |
| Pay bands | Enables you to create pay bands within any dataset in the platform. Once created, the pay bands can be used in analyses and raise suggestions to ensure no raises outside of the pay bands. |
| Compensation benchmarking | Enables you to include compensation benchmarking data when you are deciding the salaries of employees. This feature is not required if you're not using the compensation assistant. |
| Label | Gives access to labels in the system settings. Labels can be used to manage access at the dataset level. Only the users who are responsible for creating and managing label access should have access to this feature. |
Access controls breakdown
When setting up access control, you need to take the following principles into consideration:
Access controls can affect the visibility of different features. If you apply per-record access controls, then the user will not see the full analysis results.
You can apply multiple access controls simultaneously, such as label and record controls.
When access controls are applied, labels and datasets must remain consistent, in particular when it comes to naming conventions.
The following table details the different access control types and their impact.
| Access control type | Use case | Principle of operation |
|---|---|---|
| Per-label access control | Use this type of access control if your pay equity approach is decentralized and you have local teams that are responsible for running and interpreting their own analysis. Use this if your datasets are split on a local basis and you do not have one global dataset or are running subgroup analysis. | Gives full access where the label is applied based on the dataset, presets, compensation assistant or benchmarking. Users can only see the data in the system that has the labels to which they have access, and not anything else. |
| Per-record access control | Use this type of access control if you have a central team who runs the global analysis and you want local managers to only review the raise suggestions and make corrections if required for their specific employee groups. Use this if you have run a global or subgroup analysis and want local users to review their employee group results. | Restricts what the user can see only to the specific group of employees whose raise suggestion and record data they are reviewing. Users cannot see the full pay equity results, compensation model or details of the full dataset. |
| Per-column access control | Your dataset contains columns that have not been used in the analysis and that you don't want the user to see. | Hides data columns from view in the pay equity analysis results. Make sure you don't hide any data columns that are required for the analysis. |