Skip to main content

Help Center

Submit a request

Detailed access control

PayAnalytics Team

  • Last updated:

Detailed access control

This is an note/information message.

Detailed access control is exclusively available in the Enterprise subscription of PayAnalytics.

This is an note/information message.

This section on configuring access control is for administrative users who have permission to edit users on an instance. The initial user, created by PayAnalytics, is the first administrator and is responsible for creating the subsequent users and configuring their access control as needed.

This is a tip message.

Keep in mind that defining access to data, operations and features is by nature complicated and it can be easy to make mistakes. To learn how to test the exact access you want to give to a new employee, see Test user access roles.

User roles

User roles are a predefined set of permissions that can be applied to a user or a group of users. Access can be provided to users by assigning them the same role (i.e., the same predefined set of permissions). User roles thus help the administrative user replicate access permissions across users without duplicating work and reducing the risk of errors in access permissions.

Creating a user role

To create a user role, proceed as follows:

  1. Click on the settings icon and select User roles.

  2. In the User roles page, you can see a list of the user roles you created.

  3. Click on the Add role button, new window will open.

To define the access restrictions for a user role proceed as follows:

  1. Enter the Name for the new user role.

  2. Define the access restrictions through five categories of access:

    • Operations (adding, editing or deleting users)

    • Features (using compensation assistant or Job evaluations)

    • Per-label (only access Sweden labeled items)

    • Per-record (filter certain rows from datasets e.g. unionized employees)

    • Per-column (e.g. do not access or display employee ID)

  3. Once you are happy with the user role, click the Add role button at the bottom of the page and the user role will appear at the top of the list.

Assigning a role to a user

You may assign the user role while creating a new user or you may select already existing users and assign them collectively to a selected user role.

For more information about selecting a role while creating a new user, see: 'Managing users'.

To add more users to the same role, proceed as follows:

  1. Select the Users you want to add to the same role

  2. Choose the Role from the drop-down list. The relevant access will be defined automatically.

  3. Click Save to enable your changes.

Defining a granular access for a user or a user role

To define granular access, proceed as follows:

  1. Click on the Settings icon.

    • If you are defining the access for an individual user, select User management

    • If you are defining access for a user role that can be applied to one or more users select User roles.

  2. To define the access you should open the corresponding user or user role (either adding a new one or editing an existing one).

The user access settings are divided into five main categories that are described below. For simplicity, the description is based on a single user but the settings for user roles are identical.

  1. Granted operations, where you decide which operations the user can carry out in PayAnalytics. Most of these operations are self-explanatory (e.g., granting access to upload a dataset) but there are a few that you should be aware of:

    • Granting access to create and modify users implies granting the user full admin access. This user can create, edit and delete users, change passwords or disable 2-factor authentication for any user. Note that a user with this access can modify their own access and thus grant themselves full access to all the options in PayAnalytics. We recommend that at least two people in the organization have this type of access since they can work as each other's backup.

    • As labels can be used for action controls (see Labels), granting access to modify labels may result in the user being able to give (or remove) other users access to data. This applies to labels for data sets, compensation benchmarking, compensation brackets and freezes, and job evaluation.

    • As system parameters are defined across the instance, any user with access to modify system parameters can modify them for all users.

  2. System feature availability, where you decide which features the user should be able to see and use. Most of the features are either accessible or not, but there are two exceptions:

    • A user who does not have access to the data set/analysis overview could still be able to access a specific dataset if they have its URL. The third category describes how labels are used to control access to specific data sets.

    • The Compensation Assistant includes more granular access controls. The first four options control the content of the results page. If they are all unchecked (but the Compensation Assistant is checked), then the user only gets the suggested compensation without any context. The fifth option controls whether the user is forced to use the default reference analysis as defined in the system parameters, and the sixth option controls whether the user is able to share any results with other users.

  3. Per-label access control, where you use labels to control access to different data in the platform. To learn how to configure labels, see Labels. You can use labels to define access to datasets, analysis, compensation benchmarking data, pay bands and freezes, and job evaluations. Note that the same label (or combination of labels) will be used to define the access to all the different types of data, (for example, if you give the user access to the label “Reporting”, the user will have access to all elements that have that label), unless you specify that the user should have access to all data of the same type.

    To define data using labels, proceed as follows:

    1. Uncheck the corresponding box(es) and select Add entry.A box will appear, there you can define the filter using labels.

    2. ,Click on the Label icon and select the label that you want to restrict the user’s access based on to choose the labels. Once the restriction is accepted, the user will only have access to objects with that specific label. If you wish to limit the access further you can add another label in the same entry, so the user only has access to objects that have both labels.

    3. If you wish to increase the access, click Add entry again and add another label in another entry, so the user has access to objects that have at least one of those labels.

This is a tip message.

When a user has label-based access to data sets, all data sets that the user uploads will be assigned labels. The label(s) will match the first entry in the dataset filter. For example, when the user with access to "Annual Report" AND "Reporting" uploads a dataset, that dataset will get both those labels, but if the user has access to "Annual report" OR "Reporting" then the uploaded dataset would only get the "Annual report" label.

This is a tip message.

If the label used for access control is applied to a dataset, then the user will gain access to all analyses on that dataset, independent of their labels. If the label is applied to an analysis, but not the dataset, then the user will not have access to the analysis nor the dataset.

  1. Per-record or column access control, where you can define which rows of data sets the user has access to, and if they can see the detailed information of those rows. Note that these controls are only applied to data sets that the user has access to based on the per-label access controls.

    To give detailed access to all rows make sure that both boxes are checked. To define access to a part of the rows, proceed as follows:

    1. Uncheck the first checkbox.

    2. Select a reference dataset that you will use to define the accessible rows by using filtering.

    3. To choose the rows, click on the Filter icon of any variable and define the filters that give you the relevant rows. Remember, you can filter as many variables as you need.

    Note that any columns where the data should not be visible will be treated in the following manner.

    • Columns with text will look like all cells are empty.

    • Columns with numbers will have 0 in all cells.

    • If the unique employee ID should not be visible, then the system replaces them with a sequence of anonymous numbers.

  2. Per-column access control, where you can define what columns the user can see in the data sets they have access to. As in Per-record access control, you should define a reference dataset. Then you define the access to columns based on the available columns in that dataset.

For per-record and per-column access controls keep in mind that the reference dataset works as an example dataset. Therefore, the names of the variables (i.e., columns) and categories need to be exactly the same as the names in the data sets that the user has access to (through per-label access). If the names do not match, then the user will not have access to any data.

Up next

To explore and view examples of user roles to configure and apply to your users, see User role examples.

Attachments
Was this article helpful?
0 out of 2 found this helpful
Return to top