Permission groups give you control over what information and functionalities each person in your organization has access to. This is extremely useful for cases where you have different users with different needs in terms of permissions. Create custom permissions groups if you wish to grant extra permissions to specific employees.

Transcript

Grant specific permissions to groups of employees.

In this video, we'll learn how to create a custom permission group.

Let's get started.

From the left menu, select Settings, Permission groups.

You'll see four default permission groups.

Create a custom group for people in your organization that may need additional permissions over features and people's data to complete their job responsibilities, like your site-specific HR admins.

Click + Create group to create a custom group.

Enter an easily identifiable group name, like HR Admins—London.

Select or add tags and a description to add more organization to your custom group.

In the Group members section, you can include everyone, people who meet certain conditions or specific people by name.

In this example, we'll select by conditions in the dropdown menus such as Site and Department to automate group membership.

You can also select specific employees from the dropdown menu.

Click Apply when you're done.

Most permissions are disabled by default, so you can choose exactly what permissions to grant them.

In the People's data tab, grant permissions related to employee info across Bob.

For example, in the Docs section, enable Request read approval, and View and Manage employee document requests so your HR admins can onboard new employees.

In the Access rights section, select which employees' information the permission group can access.

Select everyone marked as employed.

Select by condition to create a highly targeted list, such as Site equals London, so that the London HR team will have the permissions you choose for employees at their site.

Or you can select specific employees by name.

In the Features tab, grant permissions related to configurations and work areas at the company level.

For example, in the People section, select the employees section.

Then enable, Add new people to the company and Invite people to join Bob, so the HR admins can complete their hiring tasks.

Click Save.

Review the new permission group's setting summary, then click Apply.

And that's it.

Duplicate custom permission groups if you have similar roles and groups, such as your HR teams in Tel Aviv or Berlin.

Just change the conditions for who's in the group and to whom they have access.

Thank you for tuning in to hear about creating custom permission groups.

See you next time.

Get the most out of Bob

Save time by automating your permission groups using the condition-based participant selector and ensuring everyone has the correct permissions.

  • A new joiner to the London finance team will automatically join as a site-specific finance team employee for your London office, only giving them access to the relevant information and actions for that role/group.
  • An IT employee will be removed from the IT staff group if they leave the company.
  • See the history of all changes made to each permission group using the audit trail.

Before you begin

  • We have set four default groups already, but you control the permissions so that you can change them to suit your company. To learn more, see Manage permission groups.
  • Custom permission groups can include active and inactive employees.
  • An employee can be a member of multiple groups at any given time and gain rights from a combination of them.

How to create a custom permission group

Test new permission groups and changes to permission groups confidently in Sandbox. To learn more, see Getting started with Sandbox.

FYI: This capability is available only for accounts that have purchased Sandbox. To learn more, see HiBob's HRIS features.

Step 1: Create a group

  1. From the left menu, select Settings> Permission groups.
  2. Click + Create group or select a group to edit an existing custom permission group.
  3. Enter a name for the permission group.

    Tip: If you're setting permission groups by location, use consistent naming across groups to find them easily, e.g., HR Admin - London, HR Admin - New York.

  4. From the Tags dropdown menu, select a tag or click Edit list to add tags for an additional layer of organization to your permission groups.
    • Click + Add.
    • Enter your tag name, then click Save or press Enter.
    • Click Save.
    • Select the tag(s) you created, then click Apply.
    • Click Save.
  5. Enter a description to add more organization to your custom group (optional).
  6. In the Group members section, select people to add to your custom group.
    • Everyone whose lifecycle status equals Employed.
    • Select people by condition, click Edit, select conditions from the dropdown menu and specific employees if needed, then click Apply.

      Tip: Use conditions to automate group membership; e.g., by creating a Site equals London condition, all current and new joiners to the London site will automatically be added to the group. You can add as many conditions as you'd like, and all conditions must be met for a person to be included in the permission group.

    • Select people by name, click Select people, mark the checkboxes beside the people you want to add, then click Please select.
  7. Click Create, then click Confirm after reviewing the notification of who will be added.

Step 2: Set permissions

Your newly created permission group will have most permissions unmarked and disabled by default, so you can choose what permissions to include or exclude.

Permissions are split into two categories:

  • Features: Configurations and work areas at the company level
  • People’s data: Configurations related to employee info across Bob’s features

Within the categories are different sections associated with the various features, and in each section, various permissions can be enabled or disabled.

  1. From the Features tab, select the area of Bob you'd like to manage, then mark the checkbox(es) to enable or disable the permissions you’d like to give the custom group.
  2. From the People's data tab, select the area of Bob you'd like to manage, then mark the checkbox(es) to enable or disable the permissions you’d like to give the custom group.
  3. From the Access rights section of the People’s data tab, select whose data these permissions apply to.
    • Everyone: All employees marked as Employed in the system.
    • Select people by condition, click Edit, select conditions from the dropdown menu and specific employees if needed, then click Apply.

      Tip: Use conditions to automate access rights; e.g., by creating a Site is same as viewer, the group members will be able to access data for all current people and new joiners at the same site. You can add as many conditions as you'd like.

    • Select people by name, click Select people, mark the checkboxes beside the people you want to add, then click Please select.

      Note: All conditions must be met for a person to be included in the permission group.

  4. Click Save when you're finished adding or removing permissions, then click Apply after reviewing the summary of changes.
    Notes:
    Admins will receive an email notification:
    • Each time 5 or more members (in total) are added to a permission group with sensitive data, which includes access to data in the Payroll, Financial, Equity, or Identification categories.
    • When adding sensitive permissions to any group with any number of members.

    Use case examples of custom permission groups

    You can use conditions like Same as viewer and Is viewer to form groups based on the group members.

    Example: Company with multiple locations

    For example, if the group members are from London, selecting Site as Same as viewer will allow each group member to view employees only from their London site. Similarly, if the group members are HRBPs, selecting Job title as Is viewer will enable each HRBP to access the employees that each of the group members is their HRBP.

    Integrations can be pretty complex for some Admins to do on their own. Set custom permissions for IT to set up integrations for all employees.

    Example: IT Permission group
    1. Create a custom permission group for IT permissions with a name, description, and tags that describe the function of the group.
    2. In the Group members section, select the IT professionals to add to your custom group.
      • Select people by condition, click Edit, select conditions from the dropdown menu that apply only to IT professionals and specific employees if needed, then click Apply.
      • Select people by name, click Select people, mark the checkboxes beside the IT professionals you want to add, then click Please select.
    3. From the Features tab, select Integrations.
    4. Mark or unmark the checkbox to enable or disable Create, update and delete the integration for each section.
      • Automation
      • Calendar
      • Collaboration
      • CRM
      • Payroll
      • Productivity
      • Provisioning
      • Recruitment
      • SSO
      • Storage
      • Time Tracking & Scheduling
    5. From the Access rights section of the People’s data tab, select whose data these permissions to apply to.
      • Everyone: All employees marked as Employed in the system.
      • Select people by condition, click Edit, select conditions from the dropdown menu and specific employees if needed, then click Apply.

        Tip: Use conditions to automate access rights; e.g., by creating a Site is same as viewer, the group members will be able to access data for all current people and new joiners at the same site. You can add as many conditions as you'd like.

      • Select people by name, click Select people, mark the checkboxes beside the people you want to add, then click Please select.

        Note: All conditions must be met for a person to be included in the permission group.

    6. Click Save when you're finished adding or removing permissions, then click Apply after reviewing the summary of changes.

    You may want to grant HR professionals at each site the ability to add new people to the company and complete the new hire flow without giving permissions to other Admin capabilities, such as managing company settings.

    Example: Recruitment Admins

    Instead, create a recruitment admin custom permission group to grant specific permissions to HR professionals.

    Notes:
    • These permissions will also be available for the given employee outside the new hire flow.
    • Grant permissions specific to your organization’s needs. The following steps show how you can grant permissions to non-Admins and automate adding a new hire.
    1. Create a custom permission group for regional admins for multiple sites. For example, create a custom permission group for your Tel Aviv office.
    2. In the Group members section, select the regional HR professionals to add to your custom group.
      • Select people by condition, click Edit, select conditions from the dropdown menu that apply only to HR professionals and specific employees if needed, then click Apply.
      • Select people by name, click Select people, mark the checkboxes beside the HR professionals you want to add, then click Please select.
    3. From the Features tab, select People > Employees.
    4. Mark or unmark the checkbox to enable or disable:
      • Add new people to the company to open the + New hire option in the Directory.
      • Invite people to join Bob to send the new hire a Bob invitation within the employee onboarding flow.
    5. From the People’s data tab, select Benefits > Active benefits.
    6. Mark or unmark the checkbox to enable or disable Add and manage selected people’s active benefits.
    7. From the People’s data tab, select Docs.
    8. Mark or unmark the checkbox to enable or disable:
      • Request eSign for employee in the eSign templates section
      • Request read approval, View selected employee requests, and Manage select employee requests in the Requests section
      • View and Upload selected employees’ docs in the folder in each relevant folder section.
    9. From the People’s data tab, select Time off > Requests.
    10. Mark or unmark the checkbox to enable or disable Create and manage selected people's time off requests.
    11. From the People’s data tab, select Tasks and flows > Task lists.
    12.  Mark or unmark the checkbox to enable or disable Trigger task lists for selected people (manually or automatically).
    13. From the Access rights section of the People’s data tab, select whose data these permissions to apply to.
      • Everyone: All employees marked as Employed in the system.
      • Select by condition, click Edit to create a highly targeted list using as many conditions as you like, such as Site and Lifecycle status equals Hired and Employed, then click Apply.

        Note: All conditions must be met for a person to be included in the permission group.

      • Select people by name, click Select people, mark the checkboxes beside the people you want to add, then click Please select.
    14. Click Save when you're finished adding or removing permissions, then click Apply after reviewing the summary of changes.

    How to review permission group changes

    View an audit trail of all the permission setting changes over time to see what changes have been made. To learn more, see Manage permission groups.

    FAQs

    How do I duplicate or delete a custom permission group?
    Select the custom permission group you’d like to duplicate or delete. From the Group actions dropdown menu, select Duplicate. You can edit the group details, such as the name to ensure it’s easily distinguishable and group members, plus the permissions available to the group members. From the Group actions dropdown menu, select Delete. Type DELETE, then click Delete. This cannot be undone.

    How can I delete a condition for who is in the permission group?
    From the left menu, select Settings > Permission groups. Select the group you'd like to edit. From the Group actions dropdown menu, select Edit details. From the Group members section, click Edit. Hover over the condition you wish to delete, click the trash icon to the right of the condition, then click Apply. Click Save, then Confirm.

    How can I remove a specific person from a permission group?
    From the left menu, select Settings > Permission groups. Select the group you'd like to edit. From the Group actions dropdown menu, select Edit details. From the Group members section, click Edit. Click the x icon beside the person’s name you’d like to remove, then click Please select. Click Save.

    What is the difference between the Group members and those chosen in Access rights?
    The people in Group members are those chosen for the permission group you are creating. They will have the permissions you grant them in Permission groups.

    The people chosen in the Access rights section are those on which the permission group can view and perform actions.

    For example, you create a permission group and choose your HR professionals in Group members, enable Request read approval in Docs in the People’s data tab. Select Site equals Tel Aviv in the Access rights section. These HR professionals will only be able to request read approval for docs from employees at the Tel Aviv site, not your London or Amsterdam locations.

    Which permissions can I not grant to custom permission groups?
    You can create a custom permission group for various groups of people and grant them Features and People’s data permissions. However, some permissions are exclusive to the default Admins group, as this is the most powerful group. The admin permissions that you cannot provide to a custom group include the following:

    • People’s data: View selected people's scheduled reports, View own company shared goals, or View own company personal goals.
    • Features: Manage company groups, Manage billing, Enable/disable Bob features for your company, Integrate info from bob with external services (calendars, SSO, etc.), Manage authorization groups and log in as other people, Manage sandbox, Edit the company's details (name, logo, etc.), Delete the company's profile and all its data, and Change task list owner.