For larger organizations, it often makes sense to have local administrators manage employee records within their own areas instead of the global admins managing this responsibility for the global organization. You can create custom access control groups, making this possible.
This article will serve as a suggested best practice on how to enable local administrators the best experience with managing their side of the organization. It will contain:
- Peakon's recommendation
- Creating a local administrator access group
- Assigning segment access to the local administrator
- Allowing local administrators to manage access control groups
Peakon's recommendation
Here is a summary of how Peakon recommends an organization to configure local administrator access on Peakon, to allow full local access:
- Create a custom local administrator access control group
- Assign the local administrator access to the segment they manage (see Giving access to segment data by adding segment managers)
- Set up hierarchies to allow full access to the child segments (see About attribute hierarchies and how they work)
- Set up access controls that are connected to segments so local administrators can populate them indirectly
Creating a local administrator access group
Only global administrators have access to the access control groups page, and are therefore responsible for setting up and managing the access control groups, as well as adding new users to them.
Most organisations will utilise the default manager access control group where all managers have dashboard access with the same permissions enabled. When it comes to local administrators, it is recommended to create a custom access control group in order to provide them with a higher level of permissions within the platform.
To create a custom local administrator access control group:
- Go to Administration > Access Control
- Click on the Add group button
- Type in the group name
- Choose Managed employees access type
- Under the People section, select Choose manually
- Set the permissions* - use All access control permissions explained and Access by question set for reference
- Save the changes
Aside from the usual permissions a high access user may need, here are the recommended additional permissions for a local administrator:
| Permission | Description |
|---|---|
|
View employees |
Access to view employee records of their managed employees |
|
Update employees |
Access to update employee records of their managed employees |
|
Backdate employee data |
Access to set retroactive validity dates to changes made on employee records of their managed employees |
|
Administer employees |
Ability to add and delete employee records within their assigned area |
|
Segment management access |
Ability to add managers to segments they may need access to, provided that the user themselves has full access to that segment (directly or through hierarchy) |
Assigning segment access to the local administrator
These members will now be responsible for their "managed employees". Once they are assigned their managed employees, they can be added into the access control group. There are two ways of assigning managed employees:
- Adding them as a manager to a segment of employees (for example the entity or the country they manage) - see Giving access to segment data by adding segment managers
- Adding an additional "Employee" type attribute and updating employee records so that each employee 'reports' to both a manager and a local administrator/HRBP - see Introduction to attributes and segments
In the example below, Alice Smith is the HRBP for the Europe, Middle-East and Africa region. In order for her to become the local administrator for the region, she can either be made the segment manager, or all employees from this region should report to Alice as their HRBP.
Allowing local administrators to manage access control groups
It is possible to configure custom access control groups to automatically populate managers based on a specific segment that they are in. Local admins will not have access to the access control page, however when updating employees, they will be able to place a manager in the correct segment, which will automatically populate the access control group.
For this purpose, an option type attribute needs to be created, with segment options that reflect the custom access control groups. The attribute can be set to not appear on the dashboard's segments by restricting "Dashboard access" within the advanced settings (this is done from the attribute page).
Firstly, decide on the groups of managers that you would like to differentiate between. What will be the main differences between the different access control groups? Once this is decided, follow the steps below.
Stage 1. To create an attribute for the purpose of populating an access control group:
- Go to Administration > Attributes
- Click Add attribute
- Choose Option type
- Give it a name that makes sense for its purpose, eg. "Manager dashboard access"
- Click Create
- Click Add segment (not to be confused with Add attribute)
- Add some segment options eg. "Managers with full access" or "Managers without comment access" etc. These should reflect the group names that you will later create
- Click Edit attribute
- Expand the Advanced settings
- Under Dashboard access, choose Cannot see engagement scores by segments from this attribute
Tip: the access control group linked in the next stage will only populate when an exact match with the segment name is found. If local administrators are managing this via data imports, additional segments can be created due to spelling errors. This can be avoided under the Automatic creation of segments setting within the Edit panel of the attribute.
Stage 2. To create an access control group to be linked to an already created segment:
- Go to Administration > Access Control
- Click on the Add group button
- Type in the group name eg. Managers without comment access (it needs to match the name of a segment which you created in step 7 of stage 1)
- Choose Managed employees and Choose by segment options in the configuration
- Select the relevant segment that should populate the group
- Set the permissions - use All access control permissions explained and Access by question set for reference
- Click on Create group
Once this is set up, the local administrator can simply place a user into the 'Managers with full access' segment. Provided that the user manages employees or a segment, they will be automatically added to the connected access control group.
The article Adding or removing users on segment managed access control groups explains the steps a local administrator needs to take to manage user access using this method.
Comments
0 comments
Article is closed for comments.