Authorizations (General)

The authorizations regulate what the system users can see, record and mutate.

The necessary basic authorization roles are stored for each system when the system is created. However, new authorization roles can also be created.

NOTE that changes to the authorization roles can have a serious impact on the system. Please read these instructions carefully before making any changes. If you have any questions or concerns, please contact our support service.

When creating a new employee profile, it is important to select the necessary authorizations for the employee. You can read more about this here: Create new employee profile

How are the authorization roles called up? #

The authorization roles are managed via Employee management / Customer addresses / Supplier addresses → Advanced menu → Users & authorizations → Authorization roles. Regardless of which menu area you use to open the roles (employee list, customer addresses, supplier addresses), you will be directed to the same authorization roles.

Overview of authorization roles #

Searching and filtering authorization roles #

• Enter the search term in the search field. The search settings can be used to select whether a full text search or a search by internal or external number should be carried out.
• It is possible to filter according to role definitions and types:

The roles employee of / supervisor (1), employee function (2) and organization / department (3) are automatically stored by the system when the employee is integrated (more information: Creating a new employee profile). Each time the integration is changed, the employee is assigned to the new roles.

The Show inactive authorization roles option makes the deleted and no longer active roles visible.

Authorization role list #

Columns #

The view of the authorization role list can be set via the column settings. The column settings are opened via the cogwheel symbol.

Can be displayed:

• Code / Roll number
• Status (active from-to / not active)
• Assignment (manually created – index finger // automatically created – universe icon, …x – how many users the role is assigned to)
• Name of the authorization role
• Activated functions of the role

The back arrow resets the settings to default.

Functions #

Illustrate activated functions:

• whether and how many notifications are switched on (more about notifications: Notifications)
• whether an authorization profile is activated (whether profile authorizations have been selected under Basic data → Global settings )
• Whether and how many cost elements and hierarchy structures (departments) are active
• whether and how many time and wage types are activated
• whether and for how many employees the role administrators are (who can, for example, manage time recording / staff scheduling)
• Whether and how many authorization templates have been set up

Edit and delete authorization roles #

To edit the role, double-click on the role or open it via the three-bar menu on the right → Edit. To delete a role, use the same menu

or with the delete button in the role itself.

To delete multiple roles, select the roles and click on Delete in the three-bar menu below the list.

It is not possible to delete automatically created authorization roles.

If the authorization role does not contain any data, it is deleted / deactivated by the system and can be displayed again via the search option Show inactive authorization roles, reactivated and used again.

Reuse inactive authorization roles #

If the validity period of the authorization role has expired or a role has been deactivated manually or by the system, such a role can be reactivated and used again. You can find such roles by activating the Show inactive authorization roles option. Double-click on the role or use the role menu → Edit to change the to date and confirm with Save. The authorization role is now active again, can be set and used again.

Types / provisions of the authorization roles #

A distinction is now made between 3 types of authorization roles:

• for employees – find out more: Authorizations for employees
• for customers (who are granted access to the system) – read more: Authorization roles for customers
• for suppliers (who receive access to the extranet) – read more: Authorization roles for suppliers

The role is defined when it is created. The accessible settings / authorizations vary depending on the definition.

Create new authorization role #

Record basic data #

Click Plus to create a new authorization role.

The following data is stored in the basic screen:

• Destination: for employees / customers / suppliers
• Validity of the role: from – to (you can set the validity for a certain period of time, so it is deactivated on the to date)
• Designation of the roll
• Remarks: if the role is stored for certain purposes, a comment can be left here.

Then click on Save. The full screen of the role opens.

You can find out about further steps for the authorization roles for employees here: Authorizations for employees

You can find out about further steps for the authorization roles for customers and suppliers here: Authorization roles for customers and authorization roles for suppliers

Notification settings #

Notifications can also be set for the authorization roles. You can read more about this here: Notifications

Automatically and manually assigned authorizations #

A distinction is made between 2 types of authorization roles:

• Manually set roles (marked with the index finger symbol in the overview)

• Automatically set roles (in the employee profile have the remark “Auto-Add”; in the overview – a universe icon; are automatically assigned after the profile is created overnight or when the maintenance job interface is executed) – the employees of an auto-role must not be added manually – they are automatically activated by the system according to the department and function of the employee at night after the profile is created. The automatically created roles can be used to store the authorizations for employees of certain superiors, with certain functions and from desired departments.

The open role also contains a note that it was created automatically.

Active and passive authorizations of employees #

Active authorizations (what the employee is allowed to view and record in ems) #

Assigned (“active”) authorizations of the employee can be seen under Employee administration → Mutate employee profile → “Authorizations” tab.

To check and edit the assigned authorization roles, open the roles by clicking on the three dots on the right → Edit authorization role.

This allows you to access the role and view which modules and functions are accessible for the role.

Passive authorizations (who is allowed to edit the employee’s data) #

(“Passive”) authorizations for the employee’s time recording and data management can be seen under Employee administration → Mutate employee profile → “Time recording” tab → “Authorization for time recording for this employee” below.

The role authorizations are cumulative in most cases. This means that if I have access to the sickness time type in group/role A and to vacation in group/role B, I can access both in the end.

BUT please note that personal authorizations have priority over authorization roles. (i.e. persons from the Employees column have priority over the authorization roles)

For example, if the system administrator Thomas Huber has a personal authorization and a role authorization as system administrator for the time recording of an employee, the settings of the personal authorization count. In this case, he can only record the time for the employee, but has no access to the employee’s shift planning or to the release of reports and time requests (which he is allowed to do as a system administrator). To change this, the personal authorization must be deleted.

Assignment of authorization roles #

Assignment of active authorizations #

Active authorizations are either stored in the role (recommended)

or assigned in the employee profile.

Assignment of passive authorizations #

Passive authorizations are either defined in the corresponding role (with desired administrators) → Personnel management → Time recording → Assigned employees

or assigned and set in the employee profile of the employee to be managed in the Time recording tab.

The setting of the passive authorization includes:

• Shift planning (whether the employee can be scheduled in workforce planning);
• Time recording (whether the time for this employee may be recorded);
• Time recording (control/completion) (whether the employee’s time recording /by the project manager – optional/ (interim) control and /by the supervisor/ may be completed);
• Time requests (control/completion) (whether the employee’s time requests /may be (intermediately) controlled by the project manager – optional/ and /completed by the supervisor/).

Passive authorizations are assigned to a role or a person. In the case of the role, all participants in the role are authorized to use selected functions in relation to this MA. If the authorization is granted to individual persons, this is a private authorization that has priority over the role authorization.