About Supervision and Access

Supervision and access can be derived using the Organization and Position Setup or the Team and Supervisor Setup. The Access Setup Configuration page is used to select the preferred method.

Organization and Position Setup

If this method is used, access is granted to the entity Employee.

Who can be accessed is determined by an organization unit. Organization units work as containers of accessible employees. This selection can be further narrowed only to certain positions.

Supervision can be granted in different ways:

• Access Role Assignment - access rights are determined by an access role and given over all members of selected organization units.
• Supervising Position Assignment - access roles can be assigned to a position instead of an employee. As a result, everyone who holds the position receives relevant access roles. However, additional configuration is required. Supervision is granted only over members of relevant organization units who hold a position defined as one subordinate to the supervisor.
• Position Access Assignment - works just like supervising position assignment, except only position access is assigned instead of a position.

Team and Supervisor Setup

If this method is used, access is granted to the entity Person.

Who can be accessed is determined by Team assignments and Additional Access assignments. Each individual assignment can have a specific access role assigned to it.

Supervisors can be added to Teams, and persons (referred to as Members of the Team) can be directly assigned to supervisors.

Other entities who have access to a person, but are not their supervisors, can be added as Additional Access entities to a person. These accessing entities can be individual persons or Role Based Access Groups. If using Additional Access, it is possible to grant access to selected employments associated to a person.

For both the above methods, Access Roles determine what can be accessed. An access role specifies what data can be viewed and what operations can be performed, e.g., authorization, approval, cancellation, deletion.

HR Application Manager Access provides access to everything and everyone in Human Capital Management. This is usually reserved for a few selected people. Access roles are not application in this context.

Technical Information:

Access control is based on Logical Units, which are pieces of programming code devoted to a specific application area, e.g., travel expenses, time authorization, benefits administration. Access management allows you to protect employee data related to the selected logical unit (e.g. travel expenses, training and development, time and attendance, schedules and rules).

Access management is divided into 3 layers built on top of each other:

• Access Attribute - closest to the application's core, attributes determine what logical units are protected, what data operations are allowed (registration, modification, removal), what key columns are affected, and what values can be entered (e.g., approved; authorized). Attributes can set a lock that prevents anyone with a lower access level from overriding changes made by someone who uses the attribute.
  This layer is intended for advanced users.
• Access Role - roles work as containers for access attributes. Each role is filled with relevant access attributes and can be later assigned to someone, bestowing all attributes on that person.
  Roles have a special "power level" which determines the strength of an attribute access lock mentioned earlier. It means that if an attribute sets an access lock, the role determines lock's strength.
• Position Access - just as access attributes are grouped under access roles, access roles can be grouped under positions. This way, when a position or position access is assigned, all relevant access roles will be received. However, access bestowed by positions works only on employees who hold subordinate positions. Subordinate positions have to be defined for each supervising position.