The Manage User settings allows you to set up and control what users have access to in the business as well as the type of access and permissions.
To access Manage Users, go to Business > Payroll Settings > Manage Users (under the Business Management list). Alternatively (and for QBO users), go to Payroll Settings > Manage Users (under the Business Management list).
This page allows you to add a new user and assign permissions, edit existing user permissions and export all user permission settings.
Add a New User
To add a new user, click the "Add" button to the right of screen. The screen will appear as follows:
You will be required to complete all of the following:
- The user's email address;
- The user's full name;
- Select the access level for that user by clicking on either ‘Full Access’ or ‘Restricted Access’. Full access gives the user administrator access to ALL areas and functions of payroll, including the ability to authorise STP pay event lodgements. Restricted access is commonly given to managers. Here you can select what specific areas you want the user to access and restrict by employee group and/or location.
- If ‘Full Access’ is selected, then click ‘Save’. The new user will receive two separate emails with login details and instructions on creating a password and logging into payroll.
- If ‘Restricted Access’ is selected, further settings will appear for you to complete. There are 3 different sub-settings you can provide a restricted user with. You can choose to activate one or all 3 of the different types of access. The sub-settings are:
- Employee access: choose an employee or group of employees the user can access. To create an employee group from this section, click on ‘Create’ for the context panel to appear. From there enter a name for the employee group and complete the criteria required that make up this group. You can include more than one criteria by clicking on “Add another criteria” and then choose whether the multiple criteria must match ALL or ANY of the criteria selected. You can also create employee groups from the ‘Manage Employee Groups’ tab, which is explained further below.
- Location: choose a location(s) the user can access. You can also select a location and all it's sub-locations to be be included as well (this means that the user will have access to all sub-locations sitting underneath the location selected).
- Reporting: provide the user with access to one, some or all reports. Keep in mind any reports that are accessed are "whole" reports - ie. the reports are not restricted based on employee and/or location access granted to the user.
- Payroll: provide the user with authorisation to approve STP pay events by clicking on "STP Pay Event Approver" (as shown below). This permission is only relevant to businesses that use a registered BAS/TAX Agent to make ATO submissions and have set their ATO Supplier Settings as such. This permission is not restricted by employee groups or locations. However, an STP Pay Event Approver will only be authorised to approve a pay event once a full access user has specifically assigned the user.
- If you have chosen Employee access and/or Location access for a user, you will then need to select one or more permission, as follows:
- View Leave Requests: Can only view leave requests (ie. read-only).
- Create Leave Requests: Can only create leave requests but not approve or view leave requests.
- Approve Leave Requests: Permissions of ‘View Leave Requests’ and ‘Create Leave Requests’ as well as the ability to approve requests.
- View Employee Expenses: Can only view expenses (ie. read-only).
- Create Employee Expenses: Can only submit expense requests for other employees but not approve or view expense requests.
- Approve Employee Expenses: Permissions of ‘View Employee Expenses’ and ‘Create Employee Expenses’ as well as the ability to approve requests.
- Manage Employee Documents: Can add employee documents
- View Employee Documents: Can only view employee documents
- Manage Employee Qualifications: Can add/allocate Employee Qualifications
- View Employee Qualifications: Can only view Employee Qualifications
- View Employee Rosters: Can only view the roster (ie. read-only).
- Manage Employee Rosters: Users can create, edit, delete and publish shifts as well as add employee unavailability.
- Create Timesheets: Users can create and import timesheets. They can also edit and delete timesheets submitted by employees they manage.
- Approve Timesheets: Permissions of ‘Create Timesheets’ plus ability to approve timesheets.
- View Shift Costs: Users can see the shift and/or timesheet costs.
- Create Tasks: Users can view and create pay run tasks.
- Initiate Employee Self Setup: Users can start the employee self set up process for new employees.
You can select one or a combination of these permissions to assign to a user. Once permissions have been assigned, click on 'Save'.
Edit an Existing User
Click on the pencil icon located on the right hand side of the user's name to display the user's settings. From here you can change the employee's name, the access type and/or permissions granted. Then click on 'Save'.
N.B. The user will not receive an email once you have updated their access settings.
Delete an Existing User
Click on the bin icon located on the right hand side of the user's name. A delete confirmation popup box will appear:
N.B. The user will not receive an email notifying them their access has been revoked.
You can export all the users and their permission information into an excel spreadsheet. To do this click on 'Export' (located on the right hand side of the screen).
Manage Employee Groups
Create an Employee Group
In order to provide users with permissions for a set of employees, we first need to define that set of employees. To do this, you need to create an ‘Employee Group’.
One of the interesting properties of employee groups is that they are dynamic. When a new employee is added that matches the criteria, they are automatically added to the group. This reduces the configuration overhead required when setting up new employees.
To create an employee group click on “Create” (located on the top right hand side):
The context panel will appear where you can then follow the above instructions on creating a group.
As an example, Ashley Bailey is responsible for managing staff primarily engaged in Administration and Guest Services. Additionally, she is not allowed to approve any of her leave and expense requests. To create an employee group based on that scenario, the criteria would be set as follows:
As discussed earlier, this group is dynamic and as such if new employees are added to Administration or Guest Services, they will automatically be added to the employee group.
When you change the criteria, the UI is updated, indicating the number of employees that match this criteria.
Other criteria (or combination of) than can be used to create an employee group include:
- employment type; and/or
- pay schedule; and/or
- tag; and/or
- employing entity.
Edit an Employee Group
Click on the pencil icon located on the right hand side of the employee group to bring up the context panel. From here you can change, add or delete any of the criteria used to define the employee group. Then click on 'Save'.
Delete an Employee Group
Click on the bin icon located on the right hand side of the employee group. A delete confirmation popup box will appear:
View an Employee Group
From this screen, you can also view the employees who form part of an employee group. To do this, click on the ‘x matching employees’ text to the right of the employee group name.
Manage Two-Factor Authentication
Two-factor authentication (2FA) provides an additional layer of security and makes it harder for attackers to gain access to your account. 2FA, if enabled, will only be enforced to full-access users, however this does not prevent any other user type from enabling 2FA on their account.
When accessing this tab for the first time, you will see one of the two following options:
2FA not enforced by White Label Manager
By default, this setting will be unticked:
If you want to activate this option, tick the checkbox. You will then be provided additional options to enforce 2FA when (a) creating super batches via our ClickSuper integration and/or (b) prior to lodging a pay event:
Remember to click "Save" to save your settings.
2FA enforced by White Label Manager
If you have not performed any action, ie neither enabled or disabled 2FA, the White Label Manager can enforce 2FA on your business. You will know this has occurred when the following message is displayed:
This means that all full access users will be required to authenticate their settings and enable 2FA prior to being able to login and access business data.
You can choose to disable this setting by clicking on "Click here to disable it for this business".
Enabling 2FA for a User
If 2FA is enabled, full access suers will need to verify their settings. Detailed instructions on verifying email address and/or mobile phone can be found here.
If you have any questions or feedback, contact us via firstname.lastname@example.org.