Introducing role-based permissions: Get complete control over the data and apps that your team can manage
Steven Cipolla, Software Engineer, Permissions — Jan 12, 2022
Ensuring you have the right permissions governing data and systems access for your employees is critical to building a secure and high-performing organization.
But, maintaining those permissions is a hard, and manual, task in most software systems.
You promote each user to admin status, in each system, one at a time. And when someone leaves, or their role changes in a way that requires that their permissions change, you have to make those updates manually as well.
This gets harder to manage when admin permissions aren’t binary, and require you to specify the scope of someone’s authority. For example, you might be an admin, but only for a certain part of the organization. Or you can make changes, but others need to sign off on them to take effect.
In systems where “approval” is required—whether it’s for a raise, an expense reimbursement, a new computer, or access to a system—that approval is always implicitly about “role” and each employee’s organizational “relationship” to others in the company. For example, you might need approval from your manager, your HR Business Partner, the VP of your department—but who each of these people are will change and evolve as your role within the company changes.
As your team grows, so does the effort required to maintain these permissions, and it’s inevitable that people won’t have the permissions they’re supposed to have.
Role-based permissions: a better way to control employee access
Role-based permissions let you ‘set and forget’ your policies for admin access, approvals, and change management—all from one place.
You select the criteria that govern:
- which employees get admin access to your systems based on high-level employee attributes (e.g. their department, level, team memberships, location, etc.)
- the subset of the organization their permissions apply to (e.g. only their department or direct reports)
- the types of data they can access and actions they can take (both in Rippling and your integrated business systems)
- when additional approval is required for attempted changes, and from whom (e.g. ‘their HR Business Partner’ or ‘their department’s VP').
For example, you could create a ‘Support Managers’ permission profile that applies only to Support managers Level 6 and above, and lets them access information only for their direct reports.
From there, Rippling identifies which employees match your criteria, and automatically grants them the right permissions.
We’ve written previously about why we think graph-based representations of employee information are going to transform HR, IT, Finance, and other functions.
Importantly, because Rippling’s role-based permissions are built on top of this employee graph, you can write out generic rules for these permissions without ever referring to any specific individual in your organization—only specifying characteristics from the Graph like levels, departments, reporting relationships, and more. This is powerful stuff—individuals come and go, their roles change over time. The logic you create for permissions in Rippling is evergreen.
What's the problem with how most HR and IT systems manage permissions?
The administrative busywork involved in assigning and maintaining permissions isn’t just time-consuming—it also leads to businesses encountering two big issues time and again:
Providing the wrong level of permissions.
When manual updates are involved, it increases the risk of someone accidentally giving someone more access than they should, or forgetting to update permissions when needed. That can lead to a whole host of problems, the most serious being that an employee’s sensitive data—like compensation or SSN—is exposed to someone who shouldn’t have access.
Inefficiencies from overly restricting permissions.
To avoid the problems above, most companies tend to overcorrect; granting permissions to only a few key administrators instead. And while that solves the maintenance problem to a certain extent, it introduces new inefficiencies instead.
Things like hiring, running headcount reports, or leveraging time-saving automation tools is then limited to a small pool of admins. Which means people managers—who should ideally have the power to take actions like submitting hiring requests for their own direct reports—must rely on admins to play telephone and do it for them. This increases the burden on already busy admins and creates bottlenecks. And it means these processes end up taking longer than they really should.
Why Rippling’s role-based permissions are better
The most flexible permissioning system on the market
Since role-based permissions are built on Rippling’s Employee Graph, you’re able to choose from literally hundreds of employee attributes—from compensation, to devices, certifications and more—to create exactly the right group of individuals to assign your permissions to.
For example, say you already have a set of permissions for your people managers, but want to offer more advanced permissions to those managers who have passed your in-house Managerial Certification course offered in your Learning Management System.
Because every manager's LMS results are housed in the Employee Graph, Rippling is able to identify which managers satisfy those conditions, and Rippling assigns those advanced permissions automatically.
And unlike other platforms, Rippling’s role-based permissions extend across the entire Rippling suite (e.g. Payroll and Time & Attendance) as well your third-party integrations (e.g. Jira and Zoom).
For example, you can allow Sales Managers to manage access to key apps like Gong and Zoom for their direct reports, view their sensitive employment-related information (e.g. compensation), and terminate their employment—all within a single permission profile.
Take the pain out of permissions management
Setting up admin profiles for new hires, and updating those permissions when responsibilities change, is manual work that takes time away from your more pressing responsibilities.
But as we mentioned above, with role-based permissions, you only need to set up your permissions profile once, and Rippling takes on the busywork of assigning and removing permissions based on the parameters you set.
What’s more, if you need to make a change to the scope of permissions you’ve set up, you only need to update the permission profile itself, and those changes are automatically reflected across all the members of that permission profile—saving you the effort of having to make multiple manual updates.
Give your team the power to do more, without sacrificing control
Providing your people managers the freedom to do things like run their own employee turnover reports, make hiring decisions, or create automated workflows that alert their team to important events, can help ensure they’re better positioned to understand and manage their team more effectively.
That’s why we built role-based permissions to extend across the entirety of the Rippling platform and your third party apps—so you can rest assured that whether your employees are building workflows or reviewing reports, they’ll only be able to see the data, and take the actions, that they’re limited to in their permissions profile.
On top of that, you’ll also be able to implement further guardrails when it comes to making important changes in your organization—for example, around hiring or compensation—by requiring such changes go through an additional layer of approvals from other admins or executives before they can go into effect.
When setting up the approvals process in your permissions profile, you’ll be able to define:
- who the approval requests should be routed to
- whether approval is needed from just one or multiple approvers
- whether a single or multi-step approval process is needed (e.g. the decision needs to be approved by both the employee’s manager, and the manager’s manager as well)
And because you can assign approvers based on the title they hold rather than their individual name (e.g. 'VP of Employee’s Department' vs. ‘Daniel Cornfield’) you don’t have to worry about updating your permissions if the person holding that role later changes.
It also means that your permissions profile can apply equally to someone in Sales or Marketing without issue—in the former situation, the approval request will go to the VP of Sales, while in the latter, it would go to your VP of Marketing instead. Which means you have the flexibility to assign permission profiles across teams and departments as well.
Permissions profiles to get you started
Trying to figure out the right permissions for your company can feel like a daunting task. That’s why we created a number of permission profile templates that you can customize or use as-is, like the following examples:
Enjoy pain-free permissions management with role-based permissions
With role-based permissions, you won’t have to sacrifice power for manageability anymore—simply create the permissions that fit your needs, and let Rippling take care of the busywork of assigning and maintaining those permissions across your organization.
Stay tuned for more Unity releases over the next few months, including Policies and Unified Analytics. Or secure a front row seat to our upcoming Masterclass Webinars, where we’ll be diving into how you can get the most out of your Rippling Unity features.
Want to see Unity in action? Schedule a demo with our team today.