This guide is for Payroll customers using integrated payslip documents. If you are using the Payslip Importer, this is different configuration therefore please refer to the linked guide.
Contents
Overview
- For customers that utilise both Ciphr HR and Payroll there is an important consideration around payslip security that should be discussed with your Ciphr Implementation Consultants as part of the implementation project
- This guide is aimed at those individuals within your organisation that are responsible for the configuration of the user roles and overall access to HR and/or those individuals responsible for the decision making on these roles. Typically this will be HR Users, System Administrators and/or HR licence holders or senior members of the HR/Project Team
- The guidance is particularly relevant where the organisation may have a requirement to restrict certain levels of access to some user roles. For example, there could be a scenario whereby the HR Users are permitted to view all employee records in the system with the exception of the Directors
Record Groups
- During the early stages of the Ciphr implementation project, your HR Consultant will have discussed a term called Record Groups (see linked guide for more details)
- These Record Groups would have been configured in the following menu:
- Latest (left-hand) menu: System Configuration > Manage Record Groups
- Pre 2025 (top) menu: System > Security >Manage Record Groups
- Typically it will look similar to the screenshot below, but there could be additional groupings required such as HR, Volunteers, Contractors, SMT, Board etc.
- Record Groups are designed to provide a method of separating employees into different security groups. If an employee is placed into a Record Group called Directors, decisions can be made as to whether the HR Users will be permitted, security wise, to see that group, or whether the employees in that group should be viewed, but as ‘read only’. Some customers will place the members of the HR Team into a Record Group called “HR” and then hide the group from the HR User role so that the team members cannot see each other’s record
User Roles and Record Groups
Once the Record Groups have been configured, the next stage is to consider the level of access required to these groupings for the user roles. To configure this go to:
- Latest (left-hand) menu: System Configuration > Role Management
- Pre 2025 (top) menu: System > Security > Role Management
- In this example, the role is an HR type role called HR User and the security has been set to provide the following access:
- General Staff: Write Access to all information for employees in this group
- Management: Write Access to most information except Job and Pay details, (or elements of the Job and Pay record such as basic pay, annual pay, hourly rate etc) which are set to Read Only for employees in this group
- Directors: Write Access to most information except Job and Pay details, (or elements of the Job and Pay record such as basic pay, annual pay, hourly rate etc) which are set to Hidden for employees in this group
- Whilst it is would appear the pay elements for the Directors group are hidden from the HR User role, there is also another important area to consider, which is payslips
Ciphr Payroll payslips and security
- The Ciphr Payroll Payslip pages do not have the same security setup as the Record Groups and Fields, nor do they conform to the usual Personal Document security
- Where it is possible to hide one single field such as NI Number or Basic Pay which appear on specific pages, whilst giving the users overall access to the page, the same security cannot be applied to the Ciphr Payslip pages.
- Typically the pages are located under the Job Pay & Reward menu as shown to the right (under Documents in the legacy top menu)
- As standard, with regards to overall document security, there is detailed security access control around the upload, viewing, or editing of Personal Documents whereby users can be blocked from seeing these documents completely if they are set to hidden, or where user roles
- The Payroll Payslip Documents do not form part of the same security configuration
- So the scenario is that HR Users can view the Directors' overall record and could therefore see Personal Details or Time Off for example, but cannot see their salary details. This level of security needs to be considered if the Payslip Documents are also made available in HR
- The Payslip Documents page is a static viewing page which is either switched on or off for the user role. There is no field security available on this page. If you do not wish for HR Users to see Job and Pay and salary information via HR and this is restricted, then the user role will need the following configuration at page level specifically for the payslip pages:
- Latest (left-hand) menu: System Configuration > Role Management
- Pre-2025 (top) menu: System > Security > Role Management
- Select Role > click on Pages
- Then search for the Payslip page(s). Change the Subordinate Permissions to Hidden
- This security set up will mean that the HR Users can see and download their own payslip but cannot see any other payslips throughout the entire organisation irrespective of the Record Group those employees are in
- It is worth considering whether an individual(s) should have a specific user role that does provide them with overall access to all payslips
- Where the HR Users do not have any access to a specific Record Group at all, rather than having partial, the record will not be available to search for, and therefore the payslip will also remain hidden. In this scenario, the Subordinate Permissions for the Payslip Documents page can be set to Write Access so that the user role can see all payslips for all subordinates across all Record Groups, apart from the Record Group for which they have no access at all
Footer
Comments
0 comments
Article is closed for comments.