ChartHop keeps all sensitive data controlled according to user access levels. Most members of the organization should receive access, which is tied to their organizational managerial responsibilities.
For example, a department head will have access to sensitive data, such as compensation, for all of their reports, and their reports, all the way down the tree -- but would not receive special access to peers or those in other departments.
However, for a number of roles, including members of HR, Recruiting, Finance, IT, and more, additional permissions may be appropriate, depending on the needs of your organization. Please review carefully and grant permissions only according to business need, following the principle of least privilege.
- are allowed full access to everything, including the ability to change user permissions, configure integrations, and alter organization-wide settings. Because of the scope involved, this access should be tightly restricted.
- are allowed to manage user permissions, configure apps and integrations, update custom fields, and alter organization-wide settings. However, they do not receive direct access to sensitive people data in the application. Because of the ability to configure data access and API keys, a Technical Owner could indirectly establish access to sensitive data (although such activity would be auditable), so this role should be granted with care to appropriate IT staff.
- are allowed to view all information, and make official, permanent changes to the primary timeline. This access should be restricted tightly and limited to a few authorized individuals in HR, Finance, or similar roles.
- users are allowed to view all information, including sensitive data such as compensation and reporting, and can create scenarios, but cannot change the primary timeline.
- users are allowed to view and make changes to open jobs, including target compensation levels and sensitive jobs. They are not allowed to make changes to, or access sensitive data about, current employees other than those they manage. This permission is generally intended for Recruiting roles or those managing the ATS.
- users are allowed to view sensitive information about open jobs only, including target compensation levels and viewing all sensitive jobs. They are not allowed to make changes to the primary timeline, or access sensitive information about current employees other than those they manage.
- users are allowed to view all forms of compensation, both cash and equity, across the organization.
- users are allowed to view all cash compensation, but not equity compensation, across the organization.
- users are allowed to view equity compensation, but not cash compensation, across the organization. This role is appropriate for stock administrators.
- users are allowed to view personal contact information, such as home email, home address, and home phone number.
- users are allowed to view all time off information.
- users are allowed to see their own personal information, and the sensitive information of anyone who currently reports up to them. This is the default access level, appropriate for most members of the organization.
- users are allowed to see their own personal information, including compensation, and sensitive information for people who report up to them, except for compensation. This access level is intended for people managers who do not have access to see their team’s compensation.
- users are not allowed to see any sensitive or personal information of any kind.
Department Limited Access
Some of the above permissions may need to be limited to a certain department or set of departments. For example, a recruiter who focuses on sales roles may not need to access compensation for all open roles; they might only need access to the Sales department.
Mark the option in the user access dialog to add this restriction, and select the departments that the special access should be limited to. For roles in other departments, the user will have Member View.
Custom Filter Limited Access
If you have more complex rules for access than restricting by a particular department, you can check and create a filter.
For example, if you want a People Partner to have sensitive access to everyone in the New York office, but exclude executives and members of the Human Resources department, you could use the filter:
location:"new york" !team:executives !department:"human resources"
Be sure to test filters to ensure that the permissions line up as you expect. You can click the button to retrieve a list of people and jobs matching the filter.
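The filter above can also be checked offline against an exported roster before it is granted. The following is an added example, not ChartHop's own code: it assumes terms are ANDed, `!` negates a term, and values match case-insensitively against the whole field value. The roster, its field names, and the `audit_filter` helper are constructed for illustration.

```python
import shlex

FILTER = 'location:"new york" !team:executives !department:"human resources"'

# Constructed roster; names and field values are illustrative only.
ROSTER = [
    {"name": "Avery", "location": "New York", "team": "Sales East", "department": "Sales"},
    {"name": "Blake", "location": "New York", "team": "Executives", "department": "Operations"},
    {"name": "Casey", "location": "New York", "team": "HR Ops", "department": "Human Resources"},
    {"name": "Devon", "location": "London", "team": "Sales EMEA", "department": "Sales"},
    # Emery is an executive whose team field was never filled in.
    {"name": "Emery", "location": "New York", "team": "", "department": "Finance"},
]


def parse_filter(expr):
    """Split a filter into (field, value, negated) terms; quotes group multi-word values."""
    terms = []
    for token in shlex.split(expr):
        negated = token.startswith("!")
        field, sep, value = (token[1:] if negated else token).partition(":")
        if not sep or not field or not value:
            raise ValueError(f"unsupported term: {token!r}")
        terms.append((field.lower(), value.lower(), negated))
    return terms


def matches(person, terms):
    """Assumed semantics: every term must hold; a negated term holds when the field differs."""
    for field, value, negated in terms:
        hit = str(person.get(field, "")).lower() == value
        if hit == negated:
            return False
    return True


def audit_filter(expr, roster, must_include, must_exclude):
    """Compare who the filter selects with who the grant is supposed to cover."""
    terms = parse_filter(expr)
    in_scope = {p["name"] for p in roster if matches(p, terms)}
    return {
        "in_scope": sorted(in_scope),
        "missing": sorted(set(must_include) - in_scope),
        "over_granted": sorted(set(must_exclude) & in_scope),
    }
```

In this model an exclusion term only removes people whose field is actually populated with the excluded value, so a record with a blank team passes `!team:executives`; the list returned by the product for the same filter remains the authoritative result.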
If you have specific access-level needs not met by the above, email us at .