Scoped Permissions
OVERVIEW
Scoped permissions govern the abilities a role can use on other profiles, groups, or teams within a Namely site. Instead of just turning a specific permission on or off, you can scope the permission so that the access role can interact specifically with a particular subset of users.
GENERAL SCOPING RULES
Scoped Permissions can be managed by navigating to Company, selecting Roles and Permissions under Settings, and clicking Edit next to an existing access role. The Scoped Permissions section governs specific abilities using a scoping mechanism. For a full list of scoping options, see the Scoping Option Definitions section below.
For example, the Ability: assume users allows a role to view as a specific user. This is a powerful ability that effectively grants a user the ability to view a variety of sensitive information about other employees. It also allows the user to make changes as the person they are viewing as, so it is essential that the use of this ability is carefully managed.
If you click Ability: assume users for an access role, it will expand to show you a series of scoping options. These options are generated using information from your system including:
- Groups
- Teams
- Other Roles
- Reporting Relationships
Each option you select on this list will grant the role the option to view as users who fall under that group.
Abilities
Scoped Permissions are described as an Ability. For a complete list of abilities and their definitions, see Definitions of Access Role Permissions.
WHITELISTS AND EXCEPTIONS
When you reach the end of the list you’ll notice there are two subsections: Whitelists and Exceptions. They function in the following manner:
- Whitelist:
  - Allows the role to apply the ability to a user who would otherwise be excluded from it.
  - For example, imagine you want managers in a specific department to be able to use the View As option for all of their direct reports, but there is a group of employees that all managers should be able to view as regardless of reporting relationships. If these employees were categorized in a preexisting group, like an office location, you could type its name into the Groups field. When you save the access role, it will be able to view as both direct reports and employees in this group. An example of this setup is shown below.
  - You also have the ability to Whitelist specific Access Roles and users.
- Exception:
  - Prevents a role from applying the ability to a group, access role, or user who would otherwise be included.
  - For example, imagine your HR Admin team needs to be able to terminate all employees except for your CFO. You could select All and then add the CFO by name to the Profiles section. After you save, the role will be able to terminate all employees except for your CFO. An example of this setup is shown below.
Whitelists and Exceptions can be created using the following categories:
- Group
- Access Role
- Profile
ADDITIONAL SCOPING TYPES
In addition to the above scoping options, some abilities have a limited set of scoping options that cannot be changed. For example, Ability: Team Read Structure has only the following scoping options:
- All
- Current Teams
- Lead of Teams
While additional scoping options can’t be added, Whitelisting and Exceptions are still available.
DIVISION VS. TEAM
There are two groups of similarly worded abilities, one focused on Team and the other on Division:
Division abilities:
- Ability: division modify settings
- Ability: division read structure
- Ability: division modify goals
Team abilities:
- Ability: team modify structure
- Ability: team modify settings
- Ability: team modify goals
These two ability sets act on two distinct, but related, parts of a Namely site.
- Division
  - Refers to anything that has been set up in the Org Units section in Settings > Org Units, such as Departments, Office Locations, and Divisions.
  - Therefore the Division abilities all interact with the Org Units set up in your Namely site.
- Team
  - Refers to anything that has been set up in the Custom Teams section of the Teams tab.
  - Therefore the Team abilities all interact with the Custom Teams set up in your Namely site.
This distinction between Divisions and Teams applies to all aspects of Roles and Permissions, but it is most pronounced in this section.
SCOPING OPTION DEFINITIONS
Abilities will have a mix of the following options depending on their type.
- All: Permissions assigned this scope can be performed against every employee in the system.
- Same department: Permissions assigned this scope can be performed against any employee in the same group. Groups are configured in Company Settings and can be composed of departments, divisions, or static teams.
- Same office location: Permissions assigned this scope can be performed against any employee in the same office location.
- Same team: Permissions assigned this scope can be performed against any employee on the same custom team.
- Report under via team: Permissions assigned this scope are based on the user’s position in a custom team.
- Directly dotted line under via company: If your organization uses dotted line reporting relationships, use this scope to apply the permission to secondary managers.
- Directly report under via company: Permissions assigned this scope can be performed against direct reports as assigned by the Reports To function, one level down only.
- Report under via company: Permissions assigned this scope can be performed against any reports assigned by the Reports To function, at any number of levels down.
- Self: Permissions assigned this scope can be performed only on the employee’s own profile.
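The following is an added worked model of how a scoped ability resolves against a target profile, covering both the company-reporting scopes defined above and the Whitelist/Exception examples from the earlier section; it is illustrative code, not Namely's own implementation. The org data is constructed, the team-based scopes are omitted, and the rule that an exception wins over a whitelist when both match the same profile is an assumption of this model, not something the page states.

```python
from __future__ import annotations
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Employee:                        # constructed profile fields
    name: str
    department: str
    office: str
    reports_to: str | None = None      # solid-line manager (Reports To)
    dotted_line_to: str | None = None  # secondary (dotted line) manager

@dataclass
class ScopedAbility:
    scopes: set                        # scoping options switched on for the ability
    whitelist: set = field(default_factory=set)   # profiles/groups always included
    exceptions: set = field(default_factory=set)  # profiles/groups always excluded

def managers_above(target: str, org: dict) -> list:
    chain, cur = [], org[target].reports_to    # walk Reports To any number of levels
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = org[cur].reports_to
    return chain

def in_scope(actor: str, target: str, ability: ScopedAbility, org: dict) -> bool:
    a, t, s = org[actor], org[target], ability.scopes
    return ("All" in s
        or ("Self" in s and actor == target)
        or ("Same department" in s and a.department == t.department)
        or ("Same office location" in s and a.office == t.office)
        or ("Directly report under via company" in s and t.reports_to == actor)
        or ("Directly dotted line under via company" in s and t.dotted_line_to == actor)
        or ("Report under via company" in s and actor in managers_above(target, org)))

def can_use(actor: str, target: str, ability: ScopedAbility, org: dict) -> bool:
    t = org[target]
    tags = {target, t.department, t.office}     # what a whitelist/exception can name
    if tags & ability.exceptions:               # assumed: an exception always wins
        return False
    if tags & ability.whitelist:                # whitelist adds users the scope excluded
        return True
    return in_scope(actor, target, ability, org)

ORG = {e.name: e for e in [                    # constructed sample org, not real people
    Employee("cfo", "Exec", "NYC"),
    Employee("mgr", "Sales", "NYC", reports_to="cfo"),
    Employee("rep", "Sales", "LDN", reports_to="mgr"),
    Employee("temp", "Ops", "LDN", reports_to="cfo", dotted_line_to="mgr"),
]}
VIEW_AS = ScopedAbility({"Directly report under via company"}, whitelist={"LDN"})  # page's whitelist example
TERMINATE = ScopedAbility({"All"}, exceptions={"cfo"})  # page's exception example
```

With these settings, `mgr` can view as `temp` through the LDN whitelist even though `temp` reports to `cfo`, and nobody holding `TERMINATE` can act on `cfo`.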
Troubleshooting
This section is the first of three that cause the majority of Roles and Permissions issues. Typically, issues related to the Scoped Permissions section fall into two major categories: incorrect scoping, and incorrect or unexpected Whitelists/Exceptions.
INCORRECT SCOPING
This type of issue occurs when a role has an ability scope that includes team members it should not. Typically this is caused by one or more of the following:
| Option | Example | Solution |
|---|---|---|
| The Ability was scoped incorrectly for the desired effect | The role should be able to manage time off for its direct reports, but can manage it for everyone on their team instead. | Review the role in question and ensure the ability is scoped as desired. |
| The team members have a group or other category attached to their profiles that allows the role to use the ability on them | A role is scoped to be able to manage time off for everyone in its department, and it can manage time off for an employee who isn’t part of said department. | Review the ability in question to determine how it is scoped. |
| The user in the role has an unexpected or undesired reporting relationship that grants their role the option to use this ability on said team member | A role is scoped to be able to manage time off for both its direct and dotted line reports. A manager is able to manage time off for an employee who has no relationship to them. | Review the ability in question to determine how it is scoped. |
INCORRECT AND UNEXPECTED WHITELISTS/EXCEPTIONS
When a role is created by cloning an existing role, all scoping settings carry over to the newly cloned role. This includes any whitelists or exceptions.
If a user in a role is able to use an ability on an employee it should not be able to (or is unable to use it on an employee it should), take the following steps to review and correct:
- Go to Company > Settings > Roles & Permissions.
- Click Edit next to the applicable role.
- Click the appropriate Ability to expand it.
- Review the Whitelist and Exception section.
- Remove any incorrect categories from the whitelist/exception options.