Security: How to Configure Desktop Security for Employees
Security setup for access to employees can be found in the Configure Desktop under security in the Configure Security Roles menu. Different levels of access can be created for each role, so once a role is selected, administrators can decide how each user assigned to that role will work with employee information.
Start by checking employees. This will automatically allow access to every section of the employee record, so be sure to expand this section for full visibility to each area. Remove the checks for areas users should not have access to.
In order to best determine what to allow, administrators should become familiar with each of these categories in the employee record. To do so, go to the Employees Desktop and search for an employee. Open the employee record and walk through each category. Each of these sections, and the tabs within these sections, are what are being allowed in securities.
After becoming familiar with the full employee record, administrators should be ready to start the security set up. If any of the tabs within the section is not suitable for a role, then simply do not put a check next to the corresponding category. Then users will not have any visibility at all to that area of the employee record.
Once the appropriate areas have been opened up for a role, the data contained within each section can be made read-only or denied. This is managed in the Data Security tab. It is only necessary to complete this step if you have allowed access to a particular section and want to control how the data is used. If access has not be allowed to a section altogether under the desktop security tab, then the users do not even have the rights to get to the data.
The Data Group “All Employees” defaults to affect all employees within the database. Expand this to see the various folders that contain the data fields of the employed record. For example, when expanding employee, each data field will be presented in the Demographics section under desktop security. If access has been allowed to this section and the goal is to limit the users from editing the data, then apply checkmarks in the read-only column for each field to be protected. If denied is marked for a field, the data is replaced with an asterisk so that the information is blocked. For example, administrators may want to block the Social Security number from being seen, while the remaining fields can be seen, but not edited. Continue on this path for all relative folders.
Additional data groups may need to be created if these read-only and denied settings should be isolated to a particular group of employees. For example, if a user should be able to have full access, both viewing and editing rights, for the employees in their cost center, but should only have read-only rights for employees in other cost centers, then the settings should not be applied to the default All employees group. Rather, a new data grouping should be created.
That is done by going to Configure–>Security–>Configure Data Groupings. Add a data grouping and give it a name. In the example below, the group is being created to protect employee data. Add Parameter to define the group; whether it will be by specific client, Q-supervisor, or cost center. Then select accordingly. Once the data grouping has been saved, then apply the read-only and denied settings accordingly for each role in the data security tab.