
User roles and permissions

You can control access to your organization's data by assigning user roles. Most members of the organization should be granted the employee role.

Assigning roles to the members of your organization should be a thoughtful process and follow the principle of granting users only the permissions they need and no more than that. For a number of roles, including members of HR, recruiting, finance, IT, and more, additional permissions may be appropriate, depending on the needs of your organization.

For example, a department head will have access to sensitive data, such as compensation, for all of their reports and their reports' reports, all the way down the tree, but would not receive access to the data of peers or those in other departments.

ChartHop Premium customers can work with their ChartHop representative to further customize the permissions associated with roles as necessary. Users of ChartHop Basic and ChartHop Standard can only use the default roles that ChartHop provides.

  • ChartHop Basic customers can assign only two roles within their organization: employee and owner.
  • The following roles were deprecated. Admins do not need to take any action for users who have already been assigned these roles; their access will remain unchanged.
    • Time Off Viewer
    • Personal Contact Viewer

Built-in user roles

| Role | Description |
|---|---|
| Employee | Allowed to see their own personal information and the sensitive information of anyone in their reporting line. This is the default access level, appropriate for most members of the organization. |
| Employee (no comp data) | The same access as an employee but without permission to view compensation data. |
| Compensation viewer | Same as an employee but can also see compensation data. |
| Guest | Can view org public data. Recommended for users outside the organization. Users who are org members can also see their own personal data, but not the sensitive data of individuals in their reporting line. |
| Org editor | Access to all sensitive data including compensation, with the ability to edit and make permanent changes to the primary environment. Does not have admin capabilities such as the ability to install applications or change organization-wide settings. |
| Owner | Allowed full access to everything, including the ability to change user permissions, configure integrations, and alter organization-wide settings. Because of the scope involved, this access should be tightly restricted. |
| Recruiting Editor | Same as an employee and can view and edit open jobs and merge scenarios. |
| Recruiter | Allowed to view sensitive information about open jobs only, including target compensation levels and viewing all sensitive data. Not allowed to make changes to the primary timeline, or access sensitive information about current employees other than those they manage. |
| Sensitive data viewer | Same as an employee but can also see all sensitive data, including for those outside of their reporting line. |
| Technical owner | Allowed to manage user permissions, configure apps and integrations, update custom fields, and alter organization-wide settings. However, they do not receive direct access to sensitive people data in the application. Because of the ability to configure data access and API keys, a Technical Owner could indirectly establish access to sensitive data (although such activity would be auditable), so this role should be granted with care to appropriate IT staff. |



Built-in permissions

The following permissions are associated with each built-in role. Customers who have ChartHop Premium can work with ChartHop technical support to customize roles for their organization.

| Permission | Description | Associated with role |
|---|---|---|
| Standard access | | All roles |
| Hide compensation | Cannot view any compensation data. | Employee (no comp data) |
| Hide all sensitive data | Can't view any sensitive data. Sensitive data includes: compensation, personal contact, and so on. | |
| View time off | Can view time off information for all employees. | |
| View personal contacts | Can view personal information for all employees. | |
| View cash compensation | Can view cash compensation for all employees. | Compensation viewer |
| View equity compensation | Can view equity compensation for all employees. | Compensation viewer |
| View all open jobs | Can see all open jobs. | Recruiter |
| View and edit all open jobs | Can view and edit all open jobs. | Recruiting editor |
| View all sensitive data | Can view all sensitive data for all employees. | Org editor, Owner |
| Manage fields | Can add, edit, delete and organize fields. | Technical owner |
| Manage apps | Can install, configure and uninstall apps. | Technical owner |
| Manage forms | Can add, edit, and delete forms. | Technical owner |
| Manage users | Can add, edit, and delete users. | Org editor, Technical owner |
| Manage groups | Can add, edit, and delete groups. | Org editor, Technical owner |
| View and edit all org data | Can view and edit all org data for all employees. | Owner |
| Merge scenarios | Can merge scenarios. | Recruiting editor |
| Administrator | No restrictions. | Owner |

Department Limited Access

Sometimes some of the above permissions may need to be limited to a certain department or set of departments. For example, a recruiter who focuses on sales roles may not need to access compensation for all open roles; they might only need access to the Sales department.

Mark the Department Limited option in the user access dialog to add this restriction, and select the departments that the special access should be limited to. For roles in other departments, the user will have Member View.

Custom Filter Limited Access

If you have more complex rules for access than restricting by a particular department, you can check Custom Filter Limited and create a filter.

For example, if you want a People Partner to have sensitive access to everyone in the New York office, but exclude executives and members of the Human Resources department, you could use the filter:

location:"new york" !team:executives !department:"human resources"

Be sure to test filters to ensure that the permissions line up as you expect. You can click the Test button to retrieve a list of people and jobs matching the filter.
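
The check described above can also be rehearsed offline before a filter is attached to a role. The following is an added example, not ChartHop code: it models the filter as an AND of `field:value` terms with `!` negation and case-insensitive exact matching (an assumption about the semantics), and the sample records and function names are constructed for illustration.

```python
import shlex

FILTER = 'location:"new york" !team:executives !department:"human resources"'

# Constructed sample directory; every name and field value is made up.
PEOPLE = [
    {"name": "Ana", "location": "New York", "team": "Sales", "department": "Sales"},
    {"name": "Ben", "location": "New York", "team": "Executives", "department": "Finance"},
    {"name": "Chloe", "location": "New York", "team": "People Ops", "department": "Human Resources"},
    {"name": "Dev", "location": "London", "team": "Sales", "department": "Sales"},
    {"name": "Eli", "location": "New York", "team": "", "department": ""},  # blank fields
]

def parse_filter(expr):
    """Split a filter into (negated, field, value) terms (assumed grammar)."""
    terms = []
    for token in shlex.split(expr):  # keeps a quoted "new york" as one value
        negated = token.startswith("!")
        body = token[1:] if negated else token
        field, sep, value = body.partition(":")
        if not (sep and field and value):
            raise ValueError(f"malformed term: {token!r}")
        terms.append((negated, field.lower(), value.lower()))
    return terms

def matches(person, terms):
    """Assumed semantics: every term must hold; comparison ignores case."""
    for negated, field, value in terms:
        hit = str(person.get(field, "")).lower() == value
        if hit == negated:  # a required term missed, or an excluded term hit
            return False
    return True

def in_scope(expr, people=PEOPLE):
    terms = parse_filter(expr)
    return sorted(p["name"] for p in people if matches(p, terms))

def check_scope(expr, must_include, must_exclude, people=PEOPLE):
    """Compare the filter's result with the access you intended to grant."""
    scope = set(in_scope(expr, people))
    problems = [f"missing: {n}" for n in sorted(set(must_include) - scope)]
    problems += [f"over-granted: {n}" for n in sorted(set(must_exclude) & scope)]
    return problems

if __name__ == "__main__":
    # Eli has no team or department recorded, so neither exclusion applies
    # to him in this model and he lands in scope.
    print(in_scope(FILTER))
    print(check_scope(FILTER, ["Ana"], ["Ben", "Chloe", "Dev", "Eli"]))
```

In this model a record with blank team and department fields passes both exclusions; confirm with the Test button how the real filter treats such records.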



Updated 04 May 2022