WFM UK: HR: Making Changes to the Access Level Hierarchy

Overview                         

The Access Level Hierarchy is a set of access levels that employees are assigned to, which establishes where they sit in a company hierarchy. The hierarchy also determines which other employees users can view when logged into the portal.

This article provides guidance on making changes to Access Level Hierarchy levels in HR & Payroll. This is a full guide that covers all changes, but each section can be used independently for making changes to Permission Templates or reporting lines. Changes to Access Level Hierarchy are typically made by a System Administrator.

Understanding how the Access Level Hierarchy works is important when embarking on such a task. Please refer to WFM - Access Level Hierarchy Explained in preparation.

Key Requirements

Access to the following areas is required:

• Access Level Hierarchy
• HR Reports and Exports 

The user making the changes will also need an admin login. Refer to this article for guidance: WFM - HR Admin and Super User Login Differences.

Preparation

Access Level Hierarchy

First, review the current hierarchy.

• Go to HR > Company Admin > Access Level Hierarchy > select the required Company Hierarchy
• Review the Access Levels and the permissions they contain
• To understand the layout of the hierarchy and where Permission Templates are being applied at multiple levels of the hierarchy, download the template from the bottom of this article and complete it
• Create or reuse any existing hierarchy levels or make any inactive that are no longer required
  Please note: do this only after all employees are moved to the correct hierarchy level
  • To identify templates assigned, select Level
  • To view employees on that access level, select View

Permission Templates             

Permissions control what a user can do within the solution. It’s important to ensure the impact on users is minimal by using the Access Level Hierarchy Template. The Access Level Hierarchy Report details what permissions are assigned to a current template.

Steps to take:

• Review the Permission Templates and apply them to the Access Level Hierarchy Template
• If unsure of particular permissions, please review this article, and if still unsure, please raise a discussion on the community here.
• Any Permission Templates that need to be created and don't already exist, prefix with 'new' on the Access Level Hierarchy Template. The Permission Template does not require 'new' in the description.
• Create new or update existing Permission Templates. Please note: this will have an immediate effect on users’ access.
• Assign the new template to the existing hierarchy level.

To update existing templates via the Access Level Hierarchy, go to:

• HR > Company Admin > Access Level Hierarchy 
• Select Company Hierarchy
• To identify templates assigned, select the Access Level > Edit > Save changes.

Creating and Updating existing Templates

Note that you will require the Admin Login to the portal. To create a new template:

• Select Module > Users > Templates > Create Template > Assign Permissions > Save

To update existing templates:

• Select Module > Users > Templates > Select Template > Assign Permissions > Save

Preparing and Updating employees

To prepare a list of employees that require changes, use the Employee Access Level Report. If concerned about any access levels, test the new hierarchy by creating a dummy login or use an employee record that does not yet have access to the system to avoid dummy records on the portal.

Steps to take:

• To identify employees Location/Division/Job Title, what Access Level they are on, and who they are reporting to, run and export the Employee Access Level Report. Use this to identify the current access, and if needed add an additional column to detail the new access required.
• To identify which Location and Division have been assigned to each user for each module, run the Security Matrix Report. This is useful to ensure that no one will see anyone they shouldn’t during the change.
• If any changes need to be made, update the Access Level and assign relevant Locations and Divisions to the required modules in the employee record.
• Check any users who might have had bespoke access by running the Bespoke Access Report.

Risks and areas of concern

Highlighted below are the key areas that can cause issues and expose too much data to users. If unsure of anything, please collate all questions and raise a discussion here, or reach out to the relevant Fourth contact.

Issue/Risk/Action		Suggested Steps
Updating current Permission Templates has an immediate effect.		Test with a dummy login to ensure the desired access is granted.
Incorrect permissions being assigned to the template can allow a user to view information they should not have access to.		Review all templates before implementing and ensure a full understanding of the permission is clear.
Incorrect Location/Division assigned can allow a user to access Locations/Divisions they should not have access to.		Ensure the employee list is correctly updated with the right Divisions/Locations detailed for each module. This can be done by running the Employee Access Level Report.
Holiday requests sent to the wrong manager.		Ensure the employee list is correctly updated with the correct 'Reports to'. This can be done by running the Employee Access Level Report.
Run the Security Matrix Report to ensure that no one will see anyone they shouldn’t during the change.		To view Location and Division allocations per module, per employee, run the Security Matrix Report.
Make the changes from the top-down, otherwise employees might not be able to report to the higher-level users and this will also prevent access overlapping.		When building the employee list ensure the top-level changes are done first and are detailed at the top of the document.
The Employee Level Access Report will display former employees in the 'Reports to' element. The actual employee record will state 'Please select' as the user has been terminated.		In order to get an accurate report of gaps within 'Reports to' assignments, create a customised report with the field “Reports to”.
The 'Assign User Access' permission allows the user to assign bespoke access. This removes the template and any changes to the template will no longer be applied to this employee.		Remove 'Assign User Access' permission from all module templates of users that should not be granting bespoke access. This leads to risks such as too much access or too little when bespoke access is removed.
Bespoke Access		To identify Bespoke Users run the Bespoke Access Report. Check the users' templates prior to removing bespoke access to ensure all required permissions are applied to the new template.

Key Permissions

This section details some key permissions to be aware of within this project and the combinations of some permissions to be mindful of. Please review this article for a better understanding of permissions.

Assign User Access

This permission allows the user to assign bespoke access in any module, which removes the template and any changes to the template will no longer be applied to this employee.

HR Module

• HR Administration (use with caution) - Does not amend or grant additional permissions. Allows the user to see everyone regardless of where they sit in the hierarchy and what Location and Division they have been assigned. For example, if the user doesn't have access to the Head Office Location but this permission is enabled, the Head Office Location may appear on some reports.
• Access Level Hierarchy - Ability to amend the Access Level Hierarchy, edit permissions, and make the hierarchy level inactive/active.
• Employee Batch Update - Allows the user to mass update records. The 'Employee Attributes' should be reviewed to ensure that the user can have access to change all of these elements.

A combination of how salary information can be displayed, and the editing of salaried employees are highlighted below with regards to the Annual Salary Permission only:

• Read Only + Enable Editing of a Salaried Employee - This user can save the employment details page and terminate an employee, but cannot change their salary
  No Access + Enable Editing of a Salaried Employee - This user can save the employment details page and terminate an employee, but cannot see their salary
• Full Access + Enable Editing of Salaried Employee - This user can save the employment details page, terminate an employee, and can amend their salary
  Full Access + No Access to Enable Editing of a Salaried Employee - This user can edit a salary box but not save it, and cannot save employment details or termination of an employee.

Rota Module 

There is a permission in the Rota Module that determines what you can see regarding costs on the Rota. The different options are listed below with the outcome of using each permission:

• View Summary- No Access – No access to any costs in the Rota summary
• View Summary- with Subordinates Currency – Only displays subordinates’ currency in the Rota summary
• View Summary- with All Currency – Displays all currency in the Rota summary
• View All Employees on the Rota – allows a user to view all employees in the division regardless of their place in the hierarchy
• Rollback Rota - This allows the user to roll back a Rota after submission to payroll and should only be assigned to a limited number of users such as the payroll administrator
• Shift Types - This will allow a user to create shift types and also assign and remove the shift types from all locations and divisions.

Payroll Module

• Payroll Global Access (use with caution) - Does not amend or grant additional permissions. Allows the user to see everyone regardless of where they sit in the hierarchy and what Location and Division they have assigned.
• Payroll Administrator (use with caution) - Allows the user to see everyone regardless of where they sit in the hierarchy and what location and division they have assigned. This user can grant all permissions to employees

 

Exports

Exports are the product of a report and aid in Access Level Hierarchy changes, and understanding the current hierarchy configuration.

Access Level Hierarchy Report            

This report allows the user to identify which permissions are assigned to a template, which templates are assigned to each module, and which modules are assigned to each hierarchy level. This report does not include any permissions that are not assigned to a template.

To export this report, go to:

• HR > Reports > Exports > Access Level Hierarchy Details > Run Report

Security Matrix Report

This report allows the user to identify which Location and Division have been assigned to each user.

To export this report, go to:

• HR > Reports > Exports > Security Matrix Export > Run Report

Employee Access Level Report

This report allows the user to identify the employees' Location/Division/Job Title, what Access Level they are on, and whom they are reporting to.

To export this report, go to:

• HR > Users > Employee Access Level > Current Employees > Run > Export to Excel.

Bespoke Access Report           

This report allows the user to identify the employees with bespoke access assigned.

To export this report, go to:

• HR > Reports > Exports > Bespoke Access Export > Run Report

Removing Bespoke Access

The correct template must be reapplied to the affected users for each module. This is the only way to remove the bespoke access. For more information on bespoke access, take a look at this article.

To export this report, go to:

• *Applicable Module* > Users > Assign User Access > Select user > User Profile> Apply Template > Apply> Save > Repeat for each module and user

 

Project Plan

High-level Project Plan

• Complete Current/New Hierarchy Templates
• Complete Permission Templates
• Prepare Employee List
• Update Access Level Hierarchy
• Update Employee Records
• Re-run Employee Access Level Report and check all changes have been made correctly

Access Level Hierarchy

• Review Current Hierarchy
• Complete New Hierarchy Template
• Create new hierarchy levels
• Make any hierarchy levels inactive that are no longer required after all employees are moved to the correct hierarchy level

Permission Templates

• Review and complete the applicable Permission Templates
• Create new Permission Templates or update existing Permission Templates (with immediate effect)
• Assign the new template to the existing hierarchy level

Employee Prep

• Run the Employee Access Level Report and export to excel
• Identify the current access and add an additional column to detail the new access required
• Additional columns for Locations and Division assignment per module (if applicable)
• Additional column for New Reports to assignment required
• Run the Security Matrix Report to check access before making the change

Test New Hierarchy

• Create a dummy login to test access or use a yesterday portal
• Assign the New Hierarchy Level and relevant Locations and Divisions in the employee record
• Run the Access Level Hierarchy Report, and export to ensure all the correct permissions are assigned to the correct levels

Update Employees

• Select Employee from Employee List and navigate to Employee Access > Assign Access Levels
• Assign relevant Locations and Divisions to the required modules in the employee record
• Run the Employee Access Level Report and confirm changes are complete
• Run the Security Matrix Report to ensure all users have the correct Location/Division access
• Make relevant hierarchy levels inactive that are no longer required after all employees are moved

Remove Bespoke Access

• *Applicable Module* > Users > Assign User Access > Select User > User Profile> Apply Template > Apply> Save > Repeat and apply to each module

Support 

If after reading this guide further support is required, the below options are available:

• For permission related questions, raise a discussion in our Customer Community here
• For further support with making these changes, please reach out to the relevant Fourth Contact who will advise on the best next steps
• If there are any technical issues as a result of these changes please raise a ticket here

Template