Permission groups give you control over what information and functionalities each person in your organization has access to. Default, out-of-the-box permission groups help you automate the permissions your people receive.

Transcript

Manage what information and functionalities each person in your organization can access.

In this video, we'll learn how to edit default permission groups.

Before we begin, please note that:

An employee can be a member of multiple groups with a combination of different permissions.

You can edit default permission groups, but not duplicate or delete them.

Let's get started.

From the left menu, select Settings, Permission groups.

You'll see four default permission groups.

Let's start with Admins.

Select the group to view and change permissions.

You'll see that all permissions are already granted as the Admin group is the most powerful.

Click Edit details to change who's in this group, then add specific people.

We recommend only including your HR team in this group.

Click Save and Confirm when you're done.

Next, we'll look at the most restricted role, All people - others' data, which has limited features and viewing and editing permissions to take on other employees' profiles.

Users are automatically added to this role and cannot be manually removed.

Here, we can select People from the People's data tab to remove viewing rights to other employees' Personal sections by disabling viewing the Personal section.

Now, let's see the Managers group.

When an individual has one or more people reporting to them, they'll automatically be able to view information about their direct and indirect reports.

In Access rights to people's data, we'll apply conditions to only include employees within a set lifecycle status.

Finally, the All people - own data group defines what employees can see and edit on their own profiles.

Like the All people - others' data group, you cannot manually add or remove people from this group, but can make changes as needed.

Monitor changes made to permission groups to protect sensitive data.

From the Group actions dropdown menu, select View audit trail to see changes made by date range regarding group members, permissions, and access rights.

View permissions individual employees have from their profiles.

Or, generate a report in Analytics to give you a bird's eye view of permission groups.

In Reports, create a new report or search for the Permission groups report template to assess permissions.

Thank you for tuning in to hear about managing permission groups.

See you next time.

Get the most out of Bob

  • Streamline employees' permissions with default permission groups. For example, a Customer Experience employee will be included in the Managers permission group once they’ve been promoted and gain access to the reports area.
  • See the history of all changes made to each permission group using the audit log.

Before you begin

The permission group feature version has changed. Admins can enable the updated feature in Manage features.

  • Depending on which feature version your admin enables for the organization, you may have two versions available to you.
  • The previous feature version will be available until February 27, 2023. After that, only the updated version will be available. We encourage you to adopt the new version as soon as possible so you can be familiar with it after the official release period ends. 
Previous New
  • Different default group names.
  • You need to click Manage group to enter a group.
  • Groups were organized in tiles that could not be sorted or searched.

Default permission group basics

  • Only active employees can be added to default permission groups.
  • You cannot duplicate or delete the default permission groups, but you may edit them.
  • An employee can be a member of multiple groups at any given time and gain rights from a combination of them.

We have set four default groups already, but you control the permissions so that you can change them to suit your company.

Admins This is the most powerful role with unlimited rights. Be careful with this one - with great power comes great responsibility.
Managers Making someone a manager provides enhanced permissions over the manager's direct and indirect reports. When managers view anyone else in the company, i.e., someone who doesn't report to them, they'll inherit the permissions of the Other people’s accounts group, meaning they can't manually add/remove people. Remember that as soon as an employee has someone else reporting to them, they will automatically be added to this group, so you don't need to do anything else.
All people - Others’ data This group has a limited amount of view rights and almost no actions on everyone else but can see everyone else’s public information. This is usually the lowest permission level. This group contains everyone in the company. You can’t manually add or remove people.
All people - own data Defines what employees can see and edit on their profiles. You can’t manually add or remove people.

How to manage a default permission group

Before you make changes in your production environment, you can test permission group changes confidently in Sandbox. To learn more, see Getting started with Sandbox.

FYI: This capability is available only for accounts that have purchased Sandbox. To learn more, see HiBob's HRIS features.

  1. From the left menu, select Settings > Permission groups.
  2. Select the permission group you’d like to manage.
  3. From the Group actions dropdown menu, select Edit details.

    Note: You cannot edit the name or description of default permission groups.

  4. From the Tags dropdown menu, select a tag or click Edit list to add tags for an additional layer of organization to your permission groups.
    • Click + Add.
    • Enter your tag name, then click Save or press Enter.
    • Click Save.
    • Select the tag(s) you created, then click Apply.
    • Click Save.
  5. In the Group members section, choose people to add to the Admins default group.

    Note: People cannot be added to the All people - own data, Managers, or All people - Others’ data groups because these groups are fully automated.

    • Click Edit.
    • Select people, then click Please select.
    • Click Save, then Confirm.
      Admins will receive an email when someone is added to the Admins group.
  6. Click Edit permissions to change what people can and cannot access.

    Note: Since Admins are super users with access to everything in Bob, there is no option to edit permissions.

  7. From the Feature tab, select a section, then mark or unmark the checkboxes beside each permission to enable or disable which features members can see and change.
  8. From the People’s data tab, select a section, then mark or unmark the checkboxes beside each permission to enable or disable access to people’s data in each platform area.
    Admins will receive an email any time sensitive permissions, such as payroll, financial, equity, or identification, are enabled for any group.
  9. From the Access rights section of the People’s data tab, select whose data these permissions to apply to in the group.

    Note: The Admins group can manage everyone’s profiles and actions.

    • Lifecycle status dropdown menu: This applies to the Managers group and will include direct and indirect reports’ data.
    • Everyone: All employees marked as Employed in the system.
    • Select people by condition: Click Edit to create a highly targeted list using as many conditions as you like, then click Apply.

      Note: All conditions must be met for a person to be included in the permission group.

  10. Click Save when you're finished adding or removing permissions and group members, then click Apply after reviewing the summary of changes.

To learn how to create a new permission group with specific features, people data permissions, and access rights, see Create a custom permission group.

How to review permission group changes

View an audit log of all the permission setting changes over time to see what changes have been made.

  1. From the left menu, select Settings > Permission groups.
  2. Select the permission group you’d like to manage.
  3. From the Group actions dropdown menu, select View audit trail.
  4. From the Group Members tab, view changes to who belongs to the group.
  5. From the Permissions tab, view the permissions enabled or disabled for the permission group and its members.
  6. From the Access rights tab, view the employee(s) whose data and/or settings can be accessed.

FAQs

How can I delete a condition for who is in the permission group?
From the left menu, select Settings > Permission groups. Select the group you'd like to edit. From the Group actions dropdown menu, select Edit details. From the Group members section, click Edit. Hover over the condition you wish to delete, click the trash icon to the right of the condition, then click Apply. Click Save, then Confirm.

How can I remove a specific person from a default permission group?
Of the default permission groups, only people from the Admins group can be added or removed since Managers, All people - others’ data, and All people - own data group membership is automated. From the left menu, select Settings > Permission groups. Select the group you'd like to edit. From the Group actions dropdown menu, select Edit details. From the Group members section, click Edit. Click the x icon beside the person’s name you’d like to remove, then click Please select. Click Save.

What is the difference between the people chosen as Group members and those chosen in Access rights?
The people in Group members are those chosen for the permission group you are creating. They will have the permissions you grant them in Permission groups.

The people chosen in the Access rights section are those on which the permission group can view and perform actions.

For example, you create a permission group and choose your HR professionals in Group members, enable Request read approval in Docs in the People’s data tab. Select Site equals Tel Aviv in the Access rights section. These HR professionals will only be able to request read approval for docs from employees at the Tel Aviv site, not your London or Amsterdam locations.