Introduction
FTE Tree uses access roles, capabilities, reusable department scope sets, and approval roles to control what users can see and do in your organization.
Access roles control product access. Approval roles control workflow routing. Keeping these concepts separate helps administrators grant the right application access without changing who approves requests.
Access Roles
Access roles are organization-managed role definitions that grant capabilities to users. Instead of maintaining a long permission list on each user, administrators assign users to one or more access roles.
Common access roles include:
- Full Admin: Full access to organization settings and operating workflows.
- Settings Admin: Configuration access without day-to-day position operations.
- Department Manager: Position, request, requisition, and report access for assigned departments.
- Viewer: View-only position and report access.
Your organization can customize these roles or create additional roles that match your internal job functions.
Capabilities
Capabilities are the specific actions an access role can grant. Examples include:
| Capability | Description | Department Scoped |
|---|---|---|
| View Positions | View positions and position details. | Yes |
| Update Positions | Create and update positions directly. | Yes |
| Deactivate Positions | Deactivate and reactivate positions. | Yes |
| Request Position Changes | Submit position changes through approval workflows. | Yes |
| Override Approvals | Override or cancel approval requests made by other users. | Yes |
| Manage Requisitions | View, create, and update requisitions and requisition settings. | Yes |
| Manage Employees | Create and update employees, employee attributes, and employee settings. | No |
| Run Reports | Access and run reports. Report data is filtered by the report's data capability. | No |
| Configure Position Settings | Manage position configuration, job codes, pay grades, schedules, summary groups, and attributes. | No |
| Manage Departments | Manage departments, department attributes, GL values, and workflow assignments. | No |
| Configure Approval Workflows | Manage workflows, steps, levels, attachments, delegation settings, and reassignment. | No |
| Manage Organization Settings | Manage organization general settings. | No |
| Manage Security Settings | Manage authentication, MFA, SSO, and security settings. | No |
| Manage Users | Manage organization users and invitations. | No |
| Manage Access Roles | Manage access roles, role capabilities, department scope sets, identity providers, and external group mappings. | No |
| Manage Data Imports | Import, confirm, and reverse batch data imports. | No |
| Manage Billing | Update subscription and billing account information. | No |
Capabilities are evaluated independently. For example, View Positions in Finance and Update Positions in HR do not combine into update access for Finance or view access for HR.
Department Scope Sets
Department scope sets are reusable department access definitions. A scope set can cover all departments or selected departments, and selected departments can include child departments in the department tree.
Use scope sets when multiple roles need the same department boundary. For example, you can create a Finance Departments scope set once, then reuse it for viewer, manager, and requester roles without selecting the same departments on every capability.
A role capability can use the access role's default scope set or override it for a specific capability. This keeps day-to-day administration focused on roles and scopes rather than repeated low-level configuration.
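The following is an added example, not FTE Tree code, that models the rules above: each capability is checked on its own, a scope set may include child departments, and a capability can override the role's default scope set. The class names, function names, and department tree are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed department tree (child -> parent); all names are illustrative.
PARENT = {"Finance": None, "Accounts Payable": "Finance", "HR": None, "Recruiting": "HR"}

@dataclass(frozen=True)
class ScopeSet:
    name: str
    all_departments: bool = False
    departments: frozenset = frozenset()
    include_children: bool = False

    def covers(self, dept):
        if self.all_departments or dept in self.departments:
            return True
        # A selected ancestor covers a department only if children are included.
        node = PARENT.get(dept)
        while self.include_children and node is not None:
            if node in self.departments:
                return True
            node = PARENT.get(node)
        return False

@dataclass
class AccessRole:
    name: str
    default_scope: ScopeSet
    capabilities: dict  # capability -> ScopeSet override, or None to use default_scope

def can(roles, capability, dept):
    """True only if one role grants this exact capability with a scope covering dept."""
    for role in roles:
        if capability in role.capabilities:
            scope = role.capabilities[capability] or role.default_scope
            if scope.covers(dept):
                return True
    return False

FINANCE = ScopeSet("Finance Departments", departments=frozenset({"Finance"}), include_children=True)
HR_ONLY = ScopeSet("HR only", departments=frozenset({"HR"}))  # children not included

# One user holding two roles; the second overrides its default scope for one capability.
USER_ROLES = [
    AccessRole("Finance Viewer", FINANCE, {"View Positions": None}),
    AccessRole("HR Editor", FINANCE, {"Update Positions": HR_ONLY}),
]
```

With these roles, view access reaches Accounts Payable through the Finance scope set, while update access stays confined to HR and does not extend to Recruiting or Finance.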
Report Permissions
The Run Reports capability grants access to the Reports module. The specific reports a user can see and run depend on their other capabilities:
| Report Types | Required Capability |
|---|---|
| Position Summary, GL Summary, Schedule Coverage, External ID Coverage | View Positions or Update Positions |
| Vacancy / Requisition | Manage Requisitions |
| Employee Roster | Manage Employees |
| Approval Workflow | Request Position Changes or Override Approvals |
| Self-Approval Activity | Override Approvals |
| Approval Statistics | Configure Approval Workflows |
When a report includes department-scoped data, the report uses one exact data capability for filtering. For example, position summary data is filtered by View Positions scope. Entry access to a report does not broaden the departments included in report results.
External Group Mappings
If your organization uses SSO or directory sync, external identity-provider group values can be mapped to local access roles. External groups map only to access roles, not directly to capabilities. This keeps authorization decisions local to FTE Tree while allowing identity-provider groups to automate membership.
Memberships can have different sources, such as local administrator assignment, OIDC, SCIM, or a future enterprise identity backend. Administrators should review externally managed memberships before changing identity-provider group mappings.
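A review of the kind described above can be scripted. This added example is not FTE Tree code and does not use an FTE Tree API: it expands each external group to the capabilities its mapped roles grant, and lists the externally managed memberships that a mapping change would touch. The data layout, the `source` string format, and the choice of sensitive capabilities are assumptions made for illustration.

```python
# Constructed data; group, role and user names are illustrative.
ROLE_CAPABILITIES = {
    "Viewer": {"View Positions", "Run Reports"},
    "Department Manager": {"View Positions", "Update Positions",
                           "Manage Requisitions", "Run Reports"},
    "Full Admin": {"Override Approvals", "Manage Access Roles",
                   "Manage Security Settings", "Manage Users"},
}
GROUP_TO_ROLES = {  # external identity-provider group value -> local access roles
    "idp-finance-readers": ["Viewer"],
    "idp-managers": ["Department Manager"],
    "idp-all-staff": ["Viewer", "Full Admin"],  # constructed misconfiguration
}
# Capabilities a reviewer chooses to flag (assumed list, not defined by the product).
SENSITIVE = {"Override Approvals", "Manage Access Roles", "Manage Security Settings"}
MEMBERSHIPS = [  # (user, access role, source); "kind:group" format is hypothetical
    ("ana", "Viewer", "oidc:idp-finance-readers"),
    ("ben", "Full Admin", "scim:idp-all-staff"),
    ("cy", "Full Admin", "local"),
]

def group_capabilities(group):
    """Union of capabilities granted by every role the group maps to."""
    caps = set()
    for role in GROUP_TO_ROLES.get(group, []):
        caps |= ROLE_CAPABILITIES.get(role, set())
    return caps

def overgranting_groups():
    """Groups whose mapped roles reach a sensitive capability."""
    flagged = {}
    for group in GROUP_TO_ROLES:
        hits = group_capabilities(group) & SENSITIVE
        if hits:
            flagged[group] = sorted(hits)
    return flagged

def affected_by_mapping_change(group):
    """Externally managed memberships that depend on this group's mapping."""
    return [(user, role) for user, role, source in MEMBERSHIPS
            if ":" in source and source.split(":", 1)[1] == group]
```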
Org Chart Access
The organization chart is accessible to authenticated organization users. The data shown from linked records still follows the user's organization access.
Approval Roles
Approval roles are separate from access roles. Approval roles are used by approval workflows to dynamically assign approvers by department.
When creating an approval workflow for your organization, you may attach a specific user to a workflow step or attach an approval role. Once you map the role to a user in a department, the appropriate role user is added whenever an approval request is created.
Approval roles cascade down the department tree. For example, if you assign a CFO role at the top of your department tree and use that role in a workflow step, the CFO can be included for requests throughout the organization. You may also assign a director role at different departments so each branch routes to its own director.
Managing Approval Roles
We provide a list of roles that you may use or customize as needed:
- If you wish to delete a role, ensure it is not used elsewhere before deleting it.
- An availability flag allows roles to remain mapped to existing departments and approval workflows without being available for new assignments.
- Approval roles are optional, but they make department-based workflow routing easier to maintain.
Escalation Roles
Each approval role can optionally specify an escalation role. When an approval request step has been pending beyond the escalation threshold, users assigned to the escalation role in the request's department or ancestor departments are added as backup approvers and notified by email.
The escalation role must be an available role within the same organization and cannot reference itself.
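The cascade and escalation rules can be modeled as a walk up the department tree. This is an added example, not FTE Tree code; the data structures and function names are hypothetical, and treating the nearest assignment at or above the request's department as the one that applies is an assumption.

```python
# Constructed department tree (child -> parent) and approval role assignments.
PARENT = {"Org": None, "Clinical": "Org", "Nursing": "Clinical", "Finance": "Org"}
ASSIGNMENTS = {  # (department, approval role) -> assigned users
    ("Org", "CFO"): ["cfo@example.org"],
    ("Org", "VP"): ["vp@example.org"],
    ("Clinical", "Director"): ["clin.dir@example.org"],
    ("Finance", "Director"): ["fin.dir@example.org"],
}
ROLES = {  # approval role -> availability flag and optional escalation role
    "CFO": {"available": True, "escalates_to": None},
    "VP": {"available": True, "escalates_to": None},
    "Director": {"available": True, "escalates_to": "VP"},
    "Legacy": {"available": False, "escalates_to": None},
}

def ancestors(dept):
    """Yield the department itself, then each ancestor up to the root."""
    while dept is not None:
        yield dept
        dept = PARENT[dept]

def resolve_approvers(role, dept):
    """Users from the nearest assignment at or above dept (assumed precedence)."""
    for d in ancestors(dept):
        if (d, role) in ASSIGNMENTS:
            return list(ASSIGNMENTS[(d, role)])
    return []

def escalation_approvers(role, dept):
    """Backup approvers: escalation-role users in dept or any ancestor department."""
    target = ROLES[role]["escalates_to"]
    if target is None:
        return []
    return [u for d in ancestors(dept) for u in ASSIGNMENTS.get((d, target), [])]

def validate_escalation(role, target):
    """Return an error string if the escalation role breaks a stated constraint."""
    if target == role:
        return "escalation role cannot reference itself"
    if target not in ROLES or not ROLES[target]["available"]:
        return "escalation role must be an available role in this organization"
    return None
```

A role that resolves to no approver, such as Director for a request raised at the root department here, is worth surfacing during workflow setup rather than when a request is created.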
Best Practices
- Manage users through access roles. Avoid one-off user access patterns unless the user truly needs a custom combination.
- Reuse department scope sets. Create named scope sets for stable business boundaries such as Finance, Operations, or All Departments.
- Grant Override Approvals sparingly. Override access can bypass normal workflow controls and should be limited to trusted administrators.
- Review external group mappings. Confirm that identity-provider groups map to the intended local access roles and do not overgrant access.
- Review self-approval activity periodically. Run the Self-Approval Activity report to monitor workflow auto-approvals, request overrides, direct attribute edits, and batch import bypasses.
- Configure escalation roles. Escalation roles provide backup approvers when the primary approver is unavailable or when requester-only workflow steps would otherwise auto-approve.
Need Help?
If you have questions about setting up permissions or roles for your organization, please contact us or email us at support@ftetree.com.