Can restricted users access employee details?

Prior to 9 March 2021 any restricted user set up was given read-only access to basic employee details. This occurred by default and the employees visible to restricted users were those within the location and/or employee group access permitted to the restricted user.

 

This article will explain the different options available to restricted users around accessing employee details. To clarify, access to employee details will be restricted to only those employees the restricted user has permission to access. For example, if a restricted user is set up with employee group access and the criteria within that employee group is:

  • full time employees; and
  • primary location is 'Head office',

then the restricted user will only get access to full time employees whose primary location is 'Head office'. All other employees in the business that do not meet this criteria will not be visible to the restricted user.

For all other permissions available to restricted users, refer to this article

Options available for accessing employee details

When setting up a new restricted user, or editing an existing restricted user's access, you will be able to configure whether the user should have access to employee details and, if so, the level of access. This configuration is to be done for each location and/or employee group access assigned to the restricted user. These options are listed under the 'Employee' category within the user's access setup and include:

Screen_Shot_2021-02-24_at_3.01.47_pm.png

No access to employee details

This is the default option that will apply to any restricted users created on or after 9 March 2021. If this option is chosen, restricted users will not have access to any employee records. This is because when a restricted user logs into their management dashboard there will be no 'Employees' tab and no list of employees to be able to access.

View employee details

This is the default option that will apply to any existing restricted user created prior to 9 March 2021. Full access users can change this to any other option if needed. This option provides restricted users a read-only view of employee (active and terminated) personal details such as address, contact phone numbers, email, date of birth, emergency contacts and start date. To reiterate, restricted users will only have access to complete employees they have been granted specific permission to via their location and/or employee group access.

Incomplete employees (ie employees that do not have all details set up in their file that are required to include them in a pay run) will not be visible to restricted users with this permission.

Edit basic employee details

This option allows restricted users to view and edit the following employee (active and terminated) details: 

  • Personal information such as address, contact phone numbers, email and date of birth
  • Basic work details such as start date, anniversary date, employee Id (external and system generated) and tags
  • Emergency contacts
  • Bank accounts

The above information (excluding the basic work details) corresponds with what employees can  change via their employee portal. If employees are not provided with employee portal access or not given the ability to change any of their details, this option allows businesses to delegate the role of maintaining existing employee data to department managers, HR, or an office manager (to name a few). As this option does not make any payroll details visible, business owners can be assured that no sensitive information is being made available to unauthorised personnel.

To reiterate, restricted users will only have access to complete employees they have been granted specific permission to via their location and/or employee group access. Incomplete employees (ie employees that do not have all details set up in their file that are required to include them in a pay run) will not be visible to restricted users with this permission.

If the business has enabled employees (with portal access) to be notified via email when their personal or bank account details have changed the notification will be triggered if a restricted user makes changes to any of those details. This notification is configured via Payroll Settings > Employee Portal Settings:

Screen_Shot_2021-02-27_at_10.43.52_pm.png

 

Edit all employee details

This option allows restricted users to view and edit all employee (active and terminated) details. What exactly does this mean? It is the equivalent of what a full access user sees when they access an employee file. Specifically, the restricted user assigned this option will access the following employee screens:

  • Employee settings, including Details, Emergency contacts, Statutory details, Opening balances
  • Pay run settings, including Pay run defaults, Pay rates, Locations, Leave allowances, Pay run inclusions, Bank accounts, Qualifications, Work types
  • Employee management, including Pay slips, Other income/benefits, IRAS forms, Documents, Leave balances, Employee portal access, Time and attendance.  

To reiterate, restricted users will only have access to employees they have been granted specific permission to via their location and/or employee group access.

Additionally, any incomplete employees (ie employees that do not have all details set up in their file that are required to include them in a pay run) will be visible to restricted users with this permission. Restricted users will then have the ability to complete the employee record using the employee wizardSpecial note: depending on the restricted user's location and/or employee group permission, the user may not be able to access the employee once the wizard process is complete and the employees details are finalised. Refer here for further information.  

If the business has enabled employees (with portal access) to be notified via email when their personal or bank account details have changed the notification will be triggered if a restricted user makes changes to any of those details. This notification is configured via Payroll Settings > Employee Portal Settings:

Screen_Shot_2021-02-27_at_10.43.52_pm.png

What is the difference between a full access user and a restricted user with 'edit all employee details' permission?

Specifically in terms of accessing and editing employee details, a restricted user with 'edit all employee' details permission cannot undertake the following functions which a full access user can:

  • Terminating employees: Terminate an employee from the employee's Details screen. Terminating employees should be managed as part of the payroll process and so only a full access user will continue to have the ability to terminate an employee. This restriction also extends to adding a termination reason against and existing terminated employee and anonymising and downloading terminated employee data.
  • Pay run inclusions: In instances where a business has not set up expense categories or employer liability categories, a full access user is able to to do this via an employee's Pay Run Inclusions screen. This option is not made available to restricted users as they are business  related settings. 
  • Qualifications: In instances where a business has not set up qualifications, a full access user is able to to do this via an employee's Qualifications screen. Unless the restricted user also has explicit 'Manage qualifications' permission as part of their user access, this option is not made available as it is a business related setting.
  • Documents: When viewing any documents attached to an employee file that are linked to either a leave request, expense request or timesheets, full access users can then access that specific leave request, expense request or timesheet via the 'Links' section as shown below. Unless the restricted user also has:
      • explicit 'Approve leave requests' or 'View leave requests' permission as part of their user access, the user will not be able to access the employee's leave requests;
      • explicit 'Approve expenses' or 'View employee expenses' permission as part of their user access, the user will not be able to access the employee's expense request records;
      • explicit 'Approve timesheets' permission as part of their user access, the user will not be able to access the employee's timesheets.

Screen_Shot_2021-02-27_at_2.21.18_pm.png

 

I have completed an incomplete employee's detail but can no longer access their record. Why?

As stated above, restricted users with 'edit all employee details' permission will be able to view all  employees in an incomplete status (example shown below) in their employee list. An employee is deemed incomplete if they do not have all the information required to include them in a pay run and be paid, such as bank details, start date and pay run default settings. 

Screen_Shot_2021-02-27_at_3.28.07_pm.png

Once the employee is completed via the wizard, the system will then have the required information to know whether the restricted user should have access to this completed employee. This is because the system will compare the employee's settings against the restricted user's location and/or employee group access settings. If they do not match, then the restricted user will not have access to that employee. To explain what this means and the consequences, we will provide some examples:

Scenario 1: Restricted user with location permission to 'Location A'

If a restricted user is given location permissions this means that any employee with that location assigned to their record (be it as a primary location or ancillary location) will be visible to the restricted user. When completing an employee using the employee wizard, the only location setting available to configure for such user is the employee's primary location (in the 'Employment details' section of the wizard). If the user:

  • selects 'Location A' as the employee's primary location, the employee will then display in their employee list upon completion.
  • selects a different location as the employee's primary location, the employee will not display in their employee list upon completion.    

A full access user will need to either select 'Location A' as an ancillary location to the employee or change the employee's primary location to 'Location A' for the restricted user to then have access to that employee.

Scenario 2: Restricted user with employee group permission to a specific pay schedule

Say a restricted user was set up with employee group permission for all employees paid under the 'Weekly' pay schedule, for example:

Screen_Shot_2021-02-27_at_4.38.18_pm.png

 

When completing an employee using the employee wizard, the user can configure the employee's pay schedule (in the 'Employment details' section of the wizard). If the user:

  • selects 'Weekly' as the employee's pay schedule, the employee will then display in their employee list upon completion.
  • selects a different pay schedule, the employee will not display in their employee list upon completion.    

The above is one example on how employee group permissions work using pay schedules. There are many criteria available in setting up employee groups but the same principle applies in terms of whether a restricted user with employee group access is given access to the employee once they are an active (completed) employee.

Refer here for more information on the differences between location permissions and employee group permissions. 

How to track any updates made to employee details by restricted users

This section is applicable to:

  • full access users, and/or
  • restricted users with reporting access, specifically access to the Employee Details Audit Report

Any edits/updates made to employee details by restricted users can be tracked via the Employee Details Audit Report. This will ensure full access users, specifically users managing the pay runs, are totally aware of any type of user that has made a change to an employee's record.

 

If you have any questions or feedback, contact us via support@yourpayroll.io.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.