Permissions Editor
  • 13 Jul 2023
  • 7 Minutes to read
  • Dark
    Light

Permissions Editor

  • Dark
    Light

Article summary

The Permissions Editor is used to grant system roles permission to access specific pages in the system. Permissions can be defined for any page in Lanteria HR.

Permissions are granted based on the following criteria:

  • Module
  • Roles
  • Level
  • Special Level
  • Denied HR Groups

The permissions validation first checks if the user has access to the selected module (the modules authorized for the user are defined by the license and module permissions for the user's SharePoint security group), next if the user has the selected role and checks if the user belongs to one of the "denied" groups. For the item pages, the system defines the access level. If all the checks are successful, the access is granted.

To set up the permissions for a page, follow these steps:

  1. Go to Settings > Settings and Configuration > System Settings > Roles and Permissions and click Edit next to Permissions Editor setting name.
  2. This will open a list of folders where the forms necessary to run the system are located.
  3. To edit permissions for access to specific pages, click on the folder name.
  4. Click the Edit link for the specific page and select the relevant check boxes to define the permissions for this page.
  5. In the Modules section, select the module(s) whose users will be granted access to the page. The users whose license and SharePoint group settings allow access to the selected modules will get access to the page. Please note that if no modules are selected, the users with access to any module will be granted access to the page.
  6. Under Roles, select the users with which roles can access the page. The list of roles is built automatically based on the Lanteria HR Roles list.
  7. Next, for the item pages, define the level of access for the users. If the user's role is HR, he or she will be authorized to open a page for all the employees or org units (this can be changed with the help of the Denied HR Groups section). To define the level of access for the other roles selected in the Roles section, select the corresponding check boxes in the Level section.
    Note
    The Level and Special Level sections are valid only for the individual item pages (for example, Employee Salary Details, item display form), and not for the pages that display multiple items (for example, SalarySheet.aspx).
    With the help of the 
    Level section, the user can be authorized to view only his/her records, only team's records, records related to the user's org unit or employees/org units the user is responsible for as Local HR.
    Select among the following check boxes in the Level section. The check boxes in the Level section are split into the two groups, depending on the entity based on which the access will be granted - employee or org unit.
    Used with the employee:
    • My - the user will have access only to his/her records in the current form
    • My Team - the user will have access only to the records of his/her subordinates in the current form
    • My Department - the user will have access only to the records related to his/her org unit in the current form
    • My Local HR - the user will have access to the records of employees for whom the user is Local HR
    Used with the org unit:
    • Department Employee - the user will have access to the records related to his/her org unit
    • Department Manager - the user will have access to the records related to the org unit he or she is managing; if the user has any subordinate departments, their records will be also displayed
    • Department Local HR - the user will have access to the records related to the org unit where the user is Local HR
    The check boxes MyMy TeamMy Department and My Local HR are used with the employee. The check boxes Department EmployeeDepartment Manager and Department Local HR are used with the org unit. The entity being used depends on the settings in the following fields: ListEmployee FieldDepartment Field.
  8. In the List field, specify the internal name of the list the data for the current page is taken from. 
    Note
    If you are setting up permissions for a list item page (new, display, edit), in the List field, specify the internal name of this list. For a custom page, the list name, as well as values for Employee Field and Department Field, is to be specified by the developer who created the page and shouldn't be changed.
    If the permissions are granted based on employee (the check boxes 
    MyMy TeamMy Department and My Local HR are used), in the Employee Field, type the internal name of the field in the specified list that has lookup to a field in the Employees list. If the permissions are granted based on org unit (the check boxes Department EmployeeDepartment Manager and Department Local HR are used), in the Department Field, type the internal name of the field in the specified list that has lookup to a field in the Departments (Org Units) list.
    To locate the item the permissions are being checked for, the permission validation checks parameters in the following order: 
    • EntID
    • ID
    • PrID
    • EmplID
    • EmployeeID
    • InitID
    • DepID
    As soon as any parameter is found in the item's page url, the item is defined and the permission level validation is started. For example, the user is opening the Change Salary page for an employee John Smith. The url of this form is checked for the listed parameters to define the unique identifier of the record. In our case it will be EmployeeIDhttp://es2013roc:81/es/SitePages/CB/ChangeSalary.aspx?ucHideRibbon=true&EmployeeID=4&IsDlg=1
    As soon as the record ID is defined, the system checks the list the data is taken from (specified in the 
    List field) and locates an item with this ID. Next, the lookup field specified in the Employee Field or Department Field is checked to define an employee or org unit the record is related to. In our case, the record is for employee John Smith. If the check box My is selected, the permissions validator checks if the current user is John Smith and if yes, displays the record to the user. If the check box My Manager is selected, the system checks if the current user of the manager of John Smith and if yes, the access is granted. The other check boxes are checked in a similar way.
    The following table contains the options for the correct setup of the Level section along with the fields ListEmployee Field and Department Field. 
    Permissions set up forLevel check boxes that can be usedListEmployee FieldDepartment Field
    List formMy, My Team, My Department, My Local HRList the permissions are being set up forField in the specified list that has lookup to the Employees listLeave blank
    Department Employee, Department Manager, Department Local HRList the permissions are being set up forLeave blankField in the specified list that has lookup to the Org Units list
    Custom formMy, My Team, My Department, My Local HRDo not modifyDo not modifyDo not modify
    Department Employee, Department Manager, Department Local HRDo not modifyDo not modifyDo not modify
  9. Use the Special Level section to hide some records from the user. For example, you are setting up access for the Employee Salary Details list forms, and you don't want the Local HR to view the salaries of employees with the same job role. In this case, select My Local HR check box in the Level section and the Except My Job Role check box in the Special Level section. 
    You can define the following special levels:
    • Except Me - the user won't be able to view his or her own records
    • Except Manager - the user won't be able to view the records of his or her manager
    • Except Peers - the users won't be able to view the records of the employees who have the same manager
    • Except My Job Role - the user won't be able to view the records of the employees with the same job role
  10. Use the Denied HR Groups section when creating a custom HR role with no permissions to view the current page. For example, it can be HR Assistant who has all the HR permissions, but cannot change the salary. Generally, the users who belong to the SharePoint security groups with the HR role permissions, are authorized to view all the content in Lanteria HR. To deny access for the current page to any HR group, select it in the Denied HR Groups section.
    Note
    Please note that the list of groups in this section is built automatically based on the available SharePoint groups and thus, will contain not only HR groups. 
  11. Click the Save button.
Notes
  • If you allow a particular role to access "*" page, it means that this role automatically gains access to all pages within current folder except those that are listed. For the listed pages access permissions for the new role must be granted manually for each page.
  • For custom forms there can be cases where access permissions are granted at code level as a fail-safe, for example, for some reports with sensitive information. So, even if a custom role is added to the list of roles with access permissions to such a page, it will still get no access.
  • Permissions editor controls access to the specific pages in Lanteria HR, but doesn't influence the user interface. The menu sections and menu items to be displayed or hidden for the users can be set up under Settings > Settings and Configuration > System Settings > User Interface > Menu Sections or Menu Items, correspondingly. Use the ES Roles field to select roles for which the menu section/item will be displayed. The Hide for Users field will help you to hide a section/menu item for a specific user or user group. 

Was this article helpful?

What's Next