Role Based Access Group

Explanation

This activity enables the creation and management of Role-Based Access Groups, enabling Teams or individuals to be granted access to multiple Persons simultaneously. In these groups, a Member's Context can be set as either a Person or a Team. If the context is set to Team in the Member section, access will be granted exclusively to the Members of that specific Team. Each Member within the group can be assigned distinct Access Roles, each with a specified Validity Period that defines the specific data they can access and actions they can perform for the individuals within the group.

The primary objective of these groups is to empower authorized personnel to seamlessly access the Person Data and Employee Data of a group of individuals and their associated employees collectively.

This approach eliminates the need for assigning permissions on an individual basis. Moreover, it is particularly beneficial when certain persons cannot be accessed through the standard Team-based Supervisor-Member access.

It is possible to assign an Expiration Date to a Role-Based Access Groups. Once this expiration is reached, the group's status automatically changes to Inactive, and any access-related tasks dependent on the group will be disabled.

By default, a Member will only have visibility of transactions that were registered during the Validity Period of an Accessible Person. To view transactions from a different period, the following options are available:

• Select the Manual Entry Trans. From option and input a date in the Trans. From field. This date determines the earliest point from which the Member can view transactions.
• Select the Manual Entry Trans. To option and input a date in the Trans. To field. Transactions occurring after this date will be inaccessible to the Member.

After creating a Role-Based Access Group and adding Members, you can proceed to add and manage Persons within the group’s Accessible Persons list. This can be achieved by either adding individual Persons to the Accessible Persons list or through bulk access configuration, enabling the efficient setup of permissions for multiple personnel to be added simultaneously as Accessible Persons.

To add Accessible Persons in bulk, a Bulk Update Setup configuration must be completed. Each configuration is assigned a unique Bulk Setup Number, which is linked to a specific Role-Based Access Group.

The setup includes a defined Validity Period that specifies the duration for which the configuration remains active. Optional fields include Access From (Before) and Access To (After), each of which can be specified with a corresponding Period (Unit). The Access From (Before) field defines the period before the start of the Accessible Person's Validity Period during which they are accessible, while the Access To (After) field defines the period after the Validity Period ends during which access remains available to the Accessing Person within the Role-Based Access Group.

There are two options for obtaining Accessible Persons: by Team or by Organization. From these options, selecting a Team will include all members of that specific Team in the results.

When selecting an Organization along with a Structure, additional filtering options for Employments, Assignments, and Subordinate Organizations become available. These options include Matching Employments Only, Primary Assignment Only, and Include Organization Subordinates, which enable more precise filtering within the Organizational Structure. Furthermore, if the Organization's Structure is of the Matrix type, all connected Companies within that Matrix Structure will be included in the results. The assigned Employees and their associated Persons, based on the selected filters, will be taken into account when determining the results.

When changes occur in the system, such as adding or removing Persons or Employees, four options are available under the Update Accessible Person List to effectively manage updates for the Accessible Persons within the Role-Based Access Group.

• Auto-Add Persons Only: This option updates only relevant incoming Persons or Employees in the system during background job execution.
• Auto-Remove Persons Only: This option updates only relevant outgoing Persons or Employees in the system during background job execution.
• Auto-Add and Auto-Remove Persons: This option automatically updates relevant incoming and outgoing Persons or Employees in the system during background job execution.
• Manual Update Only: This option blocks any new updates to the Accessible Persons list during the background job execution.

In the Role-Based Access Group, if a Bulk Update Setup needs to be omitted, designated Persons and their associated Employees (if available) will be excluded from being included as Accessible Persons. In this scenario, the Exclude with Yes option can be applied, prioritizing exclusion as the primary criterion. For a new setup, the Exclude toggle will be available to enable (Exclude) or disable (Include) the setup. Afterward, any modifications can be managed using the Exclude/Include button. To manage record statuses, the Exclude button is displayed for records marked with an Exclude - No status, allowing them to be designated as excluded. Conversely, the Include button is shown for records with an Exclude - Yes status, enabling their inclusion. However, if a combination of records with both Exclude - Yes and Exclude - No statuses is selected, neither button will be displayed.

The system prevents duplication in the Bulk Update Setup by disallowing the addition of the same record more than once for Teams or Organizations when all columns match. In the Organization option, duplication is prevented if a record exists with the same Organization, Validity Period (or overlapping period), Exclude or Include status, and settings such as Matching Employments Only set to No, Primary Assignment Only set to No, and Include Organization Subordinates set to Yes. Additionally, if a record exists for the Organization setup with any combination of Yes or No for Matching Employments Only, Primary Assignment Only, and Include Organization Subordinates, adding a duplicate record for the same Organization, Validity Period (or overlapping period), Exclude or Include status, with Matching Employments Only set to No, Primary Assignment Only set to No, and Include Organization Subordinates set to Yes is also not permitted.

Additionally, in the Organization option, if either Matching Employments Only and/or Primary Assignment Only are set to Yes, it is not permitted to set the Exclude option to Yes.

After defining a Bulk Update Setup for the Role-Based Access Group, Persons (along with Employee details, if applicable) can be added to the Accessible Person list by clicking the Manually Refresh Accessible Persons button. Additionally, any changes such as additions, modifications, or deletions in the Bulk Update Setup can be updated either manually through the same button or automatically during the next scheduled execution of the background job.

The Last Updated field records the date and time of the most recent update to the relevant Bulk Update Setup, regardless of whether the update was performed manually or through the execution of a scheduled background job.

The Accessible Person list will display individuals to whom Members of the Role-Based Access Group have access. Each Accessible Person is associated with a Validity Period, during which group Members can access their data. When adding Accessible Persons manually, a specific Validity Period can be defined. For Accessible Persons derived from the Bulk Update Setup, the Validity Period is determined by the intersection of the Bulk Update Setup's Validity Period and the Person Assignment Period (for Teams) or Employee Assignment Period (for Organizations). Additionally, the previous and future access duration specified in the Bulk Update Setup will be added to the Validity Period of the Accessible Person.

The access validity for each Member is determined by the intersection of their own Validity Period and the Validity Period assigned to the Accessible Person. This ensures that access is granted only during overlapping periods of validity, aligning with both the Member's and the Accessible Person's access timelines.

The configured Bulk Setup Number will be displayed alongside the Accessible Person, helping to identify the source of the Bulk Update Setup result within the Role-Based Access Group. If the Accessible Person is added manually, this field will remain blank. The Accessible Persons and their associated Employees generated from the Bulk Update Setup are non-editable and non-removable. However, manually added records can be edited or removed later, subject to specified validations.

The Exclude/Include option is exclusively modifiable for manually added Accessible Persons within the Role-Based Access Group. By default, when manually adding Accessible Persons to the Role-Based Access Group, the Exclude option is set to No, meaning the Person is automatically included in the Accessible Persons list. If the Exclude option is set to Yes, exclusion takes priority, and the individual will not be considered as an Accessible Person for the group when access is granted. For new records, the Exclude toggle will be available to enable (Exclude) or disable (Include). Afterward, any modifications can be managed using the Exclude/Include button. The Exclude button appears when records with an Exclude - No status are selected, and the Include button appears for records with an Exclude - Yes status; if both statuses are selected simultaneously, neither button will be displayed.

When adding Accessible Persons manually, the default setting for All Employments is Yes, meaning all Employees associated with the Person are included in the list, and individual Employees will not be listed separately. Additionally, there is an option to manually add specific active Employees associated with a Person only when the Exclude option is set to No. If at least one Employee is manually added, or if all Employees associated with the Person are added manually, the All Employments option will automatically be set to No, and changing the Accessible Peron's Exclude option to Yes will also be disabled.

When Accessible Persons are derived from the Bulk Update Setup, the All Employments setting depends on that setup's results. If the Bulk Update Setup specifies particular Employees, the All Employments option is set to No, and the associated Company and Employee details will be shown in the Employments section. However, if the Bulk Update Setup does not specify any Employees, All Employments is set to Yes, allowing access to all Employees associated with that Person without listing them in the Employments section, as long as there are Employees available. Additionally, the exclusion criteria for Accessible Persons resulting from the Bulk Update Setup are also defined by the setup. If the Exclude option is set to Yes, it takes precedence, and the individual will not be considered an Accessible Person for the group, resulting in denied access.

The following procedures outline how access will be granted to Accessible Persons within the Role-Based Access Group.

• Access is granted based on the Validity Periods for each Accessible Person when both manual and bulk records are provided as Exclude – No (indicating inclusion).
  • When there are no overlapping Validity Periods, both manual and bulk records will be considered for access.
  • When Validity Periods overlap, a new manual record cannot be added if there are existing overlapping manual records. On the other hand, overlapping bulk records will still be taken into account for access.
  • A manual record cannot be added if it overlaps with an already existing bulk record.
  • If a bulk record is added after a manual record with an overlapping period, it will only be considered for the duration not covered by the manual record, provided its Validity Period is greater. If the bulk record's Validity Period is equal to or shorter than that of the manual record, it will not be considered, and access will be determined solely by the manual record.
• Access is granted based on the Validity Periods for each Accessible Person when one record is marked as Include and the other as Exclude.
  • If there are no overlapping Validity Periods, access will be granted based solely on the Include record.
  • Manual records cannot overlap, regardless of their Include or Exclude status.
  • When bulk records overlap, access will be denied if an Exclude record's Validity Period is equal to or longer than that of an Include record. If the Validity Period of the Exclude record is shorter, access will be granted for the remaining time.
  • When a manual record exists and a bulk record with overlapping Validity Periods is added, access is determined by the Validity Period of the Exclude record: if the Exclude record's Validity Period is equal to or greater than that of the Include record, no access will be granted. Conversely, if the Exclude record's Validity Period is less, access will be granted for the remaining time after excluding the period covered by the Exclude record.
  • When a bulk record is present, adding a manual record with overlapping Validity Periods follows these guidelines: If the bulk record is marked as Include and a manual Exclude record is added, access is denied if the Validity Period of the Exclude record is equal to or greater than that of the Include record; however, access is granted for the remaining time if the Exclude record's Validity Period is shorter. If the bulk record is marked as Exclude, the addition of a manual Include record is not permitted, regardless of the Validity Periods.

Prerequisites

• Persons: Must be registered in the system.
• Supervisor's Access Roles: Need to be defined in the Access Role.
• Teams: Registration in the system is optional.
• Structure/Organization: Registration in the system is optional.
• Employees: Registration in the system is optional.

System Effects

As a result of this activity, a Role-Based Access Group will be created.

Pages

Role Based Access Group

Activity Diagrams

HR Access Configuration