Permissions and roles
Introduction
FTE Tree uses access roles, department access rules, and approval roles to control what users can see and do in your organization.
Access roles control product access. Approval roles control workflow routing. Keeping these concepts separate helps administrators grant the right application access without changing who approves requests.
Access roles
Access roles are permission groups that can be assigned to users. Instead of maintaining a long permission list on each user, administrators assign users to one or more access roles.
New organizations start with standard access roles:
- Full admin: Full access to organization settings and operating workflows.
- Security admin: Security settings, identity provider setup, audit evidence, and session administration.
- Access admin: Access roles, role assignment, department access rules, external group mappings, access review evidence, and support access grants.
- Billing admin: Subscription and billing account administration.
- Billing viewer: Read-only billing visibility.
- Import admin: Import history, upload, validation, applying validated imports, file download, and batch import audit-event settings. Matching data permissions still apply.
- Import reverser: Import history, file download, and reversal access. Matching data permissions still apply.
- Staffing settings admin: Staffing setup such as departments, fields, job codes, pay grades, schedules, adjustments, approvals, scenarios, openings, and organization profile settings.
- HR operations: Employee maintenance and HR-controlled employee offboarding for assigned departments.
- Department manager: Day-to-day workforce, request, opening, employee, scenario, and report access for assigned departments. This role does not include employee offboarding.
- Viewer: View-only access to positions, requests, openings, employees, departments, scenarios, and reports.
Use these roles as starting points for common access patterns, then create additional access roles when your organization needs a better match for a job function, department boundary, or separation-of-duties rule.
Permissions
Permissions are the specific actions an access role can grant. They are evaluated independently. For example, View positions in Finance and Update positions in HR do not combine into update access for Finance or view access for HR.
Permissions authorize what a user can do. The Settings directory uses those permissions, along with organization feature settings, to decide which Settings links appear and which results show in settings search. Some permissions are used inside another page instead of opening a separate Settings page. For example, Deactivate users is used from an individual user record, Manage email policy controls fields inside organization general settings, and audit permissions are used inside audit workflows.
The Access roles page is the destination for several related administration tasks: viewing access roles, managing access roles, assigning user access, managing department access rules, and managing external group mappings. Scenario promotion access appears under Settings > Scenarios > Scenario promotions.
Current permission families include:
| Permission | What it controls | Limited by department |
|---|---|---|
| View positions | Position list and position details. | Yes |
| Create positions | Direct position creation. | Yes |
| Update positions | Direct updates to existing positions. | Yes |
| Deactivate positions | Position deactivation and reactivation. | Yes |
| Create position requests | Position change requests submitted through approval workflows. | Yes |
| View position requests | Position change request visibility. | Yes |
| View sensitive position data | Sensitive position fields. | Yes |
| Configure position settings | General position labels and calculation settings. | No |
| Manage job codes | Job code tree, job code fields, and job code settings. | No |
| Manage pay grades | Pay grades and wage-related position settings. | No |
| Manage position schedules | Schedules and weekly hours per FTE settings. | No |
| Manage position adjustments | Adjustment definitions used by positions and job codes. | No |
| Manage position attributes | Position custom fields, option sets, status values, and configurable field behavior. | No |
| View approval requests | Approval request visibility. | Yes |
| Act on approval requests | Approve, deny, or return assigned approval requests. | Yes |
| Override approval requests | Override, cancel, or reassign approval requests made by other users. Also allows eligible request creators to use Approve immediately for selected departments. | Yes |
| Manage approval workflows | Approval workflows, steps, levels, attachments, and workflow settings. | No |
| Manage approval delegations | Approval delegation rules. | No |
| View opening | Opening list and details. | Yes |
| Update opening | Opening updates. | Yes |
| Close opening | Opening close, cancel, and filled actions. | Yes |
| Configure opening | Opening settings. | No |
| View employees | Employee records. | Yes |
| Create employees | Employee creation. | Yes |
| Update employees | Employee updates. | Yes |
| Offboard employees | HR-controlled employee offboarding and Operating Budget incumbency vacancy updates. This permission is not included in the Department manager role. | Yes |
| Delete employees | Employee deletion. | Yes |
| View sensitive employee data | Sensitive employee fields. | Yes |
| Manage employee attributes | Employee custom fields, option sets, status values, and configurable field behavior. | No |
| View reports | Report lists and report history where available. | No |
| Run reports | On-demand report generation. | No |
| Export reports | Report output download or export actions where available. | No |
| Manage report templates | Manage shared report views. | No |
| View scenarios | Scenario list and scenario details. | No |
| Manage user scenarios | Create, update, share, and reset user scenarios. | No |
| Manage scenarios | Organization scenarios and assumptions. | No |
| Promote scenarios | Promote scenario data to the Operating Budget. | No |
| View departments | Department tree visibility. | No |
| Manage departments | Department tree and department fields. | No |
| Manage department GL | Department GL strings and segment values. | No |
| Manage department roles | Approval role definitions and department role membership. | No |
| Manage organization profile | Organization name, time zone, general settings, and related organization-level actions. | No |
| Security settings | Authentication methods, MFA, SSO, and security settings. | No |
| Manage email policy | Email recipient domains and delivery policy. | No |
| View audit events | Organization audit event visibility. | No |
| Export audit events | Download audit evidence for reviews and compliance requests. | No |
| Manage identity providers | Prepare and test organization single sign-on provider settings after FTE Tree enables Enterprise SSO. FTE Tree controls activation and enforcement. | No |
| View users | Organization user and invitation visibility. | No |
| Invite users | Invitations and invitation reminders. | No |
| Update users | Organization user records and user settings. | No |
| Deactivate users | Deactivate organization users. | No |
| View access roles | Access roles, role permissions, and reusable department access sets. | No |
| Manage access roles | Access role definitions and permission grants. | No |
| Assign user access | Add or remove access roles for users and invitations. | No |
| Manage external groups | Map single sign-on group values to local access roles. | No |
| View access reviews | View and export access review evidence. | No |
| Manage user sessions | Revoke organization user sessions when access changes or security policy requires it. | No |
| Manage department scope sets | Reusable department access rules used by access roles. | No |
| View data imports | Import history and status. | No |
| Manage support access | Customer-approved staff support access grants for support troubleshooting. | No |
| Create data imports | Upload import files, start validation, and download blank templates. Also requires the matching create or update permission for the imported data. | No |
| Execute data imports | Apply validated imports after review. Also requires the matching create or update permission for the imported data. | No |
| Download import files | Download submitted import files. Current values update templates also require Create data imports, View data imports, matching update permission, and matching read permission, including sensitive read permission where applicable. | No |
| Reverse data imports | Reverse completed imports when records can be safely deleted or restored from the import history. Also requires the matching create or update permission for the imported data. | No |
| Configure data imports | Configure batch import settings, including configurable audit notes for import confirmation. | No |
| View billing | Subscription and billing account visibility. | No |
| Manage billing | Subscription changes, billing account updates, and customer portal access. | No |
Department access sets
Department access sets are reusable department access rules. An access set can cover all departments or selected departments, and selected departments can include child departments in the department tree. For most organizations, one root department makes these access sets easier to reason about because an all-organization boundary can be represented by the root and inherited by every child department.
Use access sets when multiple roles need the same department boundary. For example, you can create a Finance departments access set once, then reuse it for viewer, manager, and requester roles without selecting the same departments on every permission.
A permission can use the access role's default department access, or a different department boundary can be set on that single permission when needed. This keeps day-to-day administration focused on roles instead of repeated per-permission setup.
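The evaluation rules above (permissions checked independently, department-limited permissions scoped by a reusable access set, child-department inheritance, and a per-permission override of the role default) can be read as a small authorization model. The following is an added illustration written for this page, not FTE Tree's own code: the department tree, the role and access set definitions, the membership of `DEPARTMENT_LIMITED`, and the `has_permission` function are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

# Constructed department tree (hypothetical): child -> parent, None marks the root.
DEPARTMENT_PARENT: Dict[str, Optional[str]] = {
    "All Departments": None,
    "Finance": "All Departments",
    "Accounts Payable": "Finance",
    "HR": "All Departments",
    "Recruiting": "HR",
}


def descendants(department: str) -> set:
    """Departments at or below `department`, following child links in the tree."""
    found = {department}
    changed = True
    while changed:
        changed = False
        for child, parent in DEPARTMENT_PARENT.items():
            if parent in found and child not in found:
                found.add(child)
                changed = True
    return found


@dataclass(frozen=True)
class AccessSet:
    """Reusable department access rule: every department, or selected ones,
    optionally extended to their child departments."""
    all_departments: bool = False
    departments: FrozenSet[str] = frozenset()
    include_children: bool = False

    def covers(self, department: str) -> bool:
        if department not in DEPARTMENT_PARENT:
            return False
        if self.all_departments:
            return True
        if self.include_children:
            return any(department in descendants(d) for d in self.departments)
        return department in self.departments


@dataclass
class AccessRole:
    name: str
    default_scope: AccessSet
    # permission -> AccessSet that overrides the role default, or None to use the default.
    permissions: Dict[str, Optional[AccessSet]] = field(default_factory=dict)


# Constructed subset of the permission table that is limited by department;
# any permission not listed here is evaluated organization-wide.
DEPARTMENT_LIMITED = {
    "View positions", "Create positions", "Update positions",
    "View position requests", "View employees", "Update employees",
}


def has_permission(roles, permission: str, department: Optional[str] = None) -> bool:
    """Each (permission, scope) grant is evaluated on its own; grants from
    different roles never combine into a broader grant."""
    for role in roles:
        if permission not in role.permissions:
            continue
        if permission not in DEPARTMENT_LIMITED:
            return True  # organization-wide permission, no department check
        if department is None:
            continue
        scope = role.permissions[permission] or role.default_scope
        if scope.covers(department):
            return True
    return False


# Constructed sample: one access set reused as a role default, plus a per-permission override.
FINANCE = AccessSet(departments=frozenset({"Finance"}), include_children=True)
HR_TREE = AccessSet(departments=frozenset({"HR"}), include_children=True)
EVERYWHERE = AccessSet(all_departments=True)

FINANCE_VIEWER = AccessRole("Finance viewer", FINANCE, {"View positions": None, "View reports": None})
HR_EDITOR = AccessRole("HR editor", HR_TREE, {"Update positions": None, "View employees": EVERYWHERE})
SAMPLE_ROLES = [FINANCE_VIEWER, HR_EDITOR]

if __name__ == "__main__":
    for perm, dept in [("View positions", "Accounts Payable"), ("Update positions", "Finance"),
                       ("View positions", "HR"), ("Update positions", "Recruiting"),
                       ("View employees", "Finance"), ("View reports", None)]:
        print(f"{perm:18} {dept!s:18} {has_permission(SAMPLE_ROLES, perm, dept)}")
```

A user holding both sample roles can view positions in Accounts Payable (inherited from Finance) and update positions in Recruiting (inherited from HR), but cannot update positions in Finance or view positions in HR: the two grants stay separate exactly as the Permissions section describes.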
Prebuilt role templates
Standard access roles are prebuilt templates for common administration and workflow patterns. They can be assigned to users like other roles.
Use access roles for normal administration. This is easier to review and maintain than giving each user a custom permission set.
Support access
Support access controls whether an organization user can approve FTE Tree staff access for a support case. Full admin, Security admin, and Access admin include this access by default. Billing, viewer, department manager, import, and staffing-only roles do not include it by default. Staff support permissions are separate internal Django permissions and do not make staff users organization users.
Report permissions
Opening the Insights area requires report access. Which reports a user can see and run also depends on the type of data in the report:
| Report types | Required data access |
|---|---|
| Position plan comparison, GL plan comparison, Scenario variance bridge, Scenario portfolio summary, Budget load / ledger export, Position period detail extract, Calculation audit detail, Adjustment impact, Position movement, Schedule coverage, Schedule gap, Data quality / readiness, Position summary, GL summary, External ID coverage | View positions |
| Openings, Opening forecast | View opening |
| Employee roster | View employees |
| Approval workflow, Approval impact | View position requests |
| Self-approval activity | Override approval requests |
| Approval request statistics | Manage approval workflows |
When a report includes department-specific data, the report follows the user's department access. For example, position planning data follows View positions access. Report access does not broaden the departments included in the results.
Scenario comparison reports also require access to the selected scenarios. When a user runs a report, FTE Tree uses the user's access at that time; later access changes do not expand that report's results.
Reports are generated on demand. Users with Run reports can create and rerun personal saved report views. Manage report templates is reserved for shared report views.
External group mappings
If your organization uses enterprise single sign-on, external identity-provider groups can be mapped to local access roles. External groups map only to access roles, not directly to individual permissions. This keeps access easier to review inside FTE Tree while still allowing your identity provider to automate role membership.
Memberships can come from local administrator assignment or single sign-on group mapping. Administrators should review externally managed memberships before changing identity-provider group mappings.
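To make the two membership sources concrete, here is an added example (not FTE Tree code) of how external group values can be resolved to roles and kept apart from local assignments. The group names, role names and the `Membership.source` field are constructed for the illustration; `preview_mapping_change` is the kind of check an administrator would want before editing a mapping.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed mapping of identity-provider group values to local access roles.
# External groups map to roles only, never to individual permissions.
GROUP_MAPPINGS: Dict[str, str] = {
    "idp-finance-managers": "Department manager",
    "idp-security-team": "Security admin",
}


@dataclass(frozen=True)
class Membership:
    user: str
    role: str
    source: str  # "local" (administrator assignment) or "external" (SSO group mapping)


def sync_external_memberships(memberships: List[Membership], user: str,
                              sso_groups: List[str],
                              mappings: Dict[str, str] = GROUP_MAPPINGS) -> List[Membership]:
    """Recompute the user's externally managed roles from the groups asserted at sign-in.
    Locally assigned memberships are never touched; unmapped groups are ignored."""
    kept = [m for m in memberships if not (m.user == user and m.source == "external")]
    mapped_roles = sorted({mappings[g] for g in sso_groups if g in mappings})
    return kept + [Membership(user, role, "external") for role in mapped_roles]


def effective_roles(memberships: List[Membership], user: str) -> Set[str]:
    """Roles from both sources, as the application would evaluate them."""
    return {m.role for m in memberships if m.user == user}


def externally_managed(memberships: List[Membership]) -> List[Tuple[str, str]]:
    """(user, role) pairs that the identity provider controls; review these before editing mappings."""
    return sorted((m.user, m.role) for m in memberships if m.source == "external")


def preview_mapping_change(user_groups: Dict[str, List[str]],
                           old_mappings: Dict[str, str],
                           new_mappings: Dict[str, str]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """For each user whose externally managed roles would change under the new mappings,
    return (roles lost, roles gained)."""
    changes = {}
    for user, groups in user_groups.items():
        before = {old_mappings[g] for g in groups if g in old_mappings}
        after = {new_mappings[g] for g in groups if g in new_mappings}
        if before != after:
            changes[user] = (before - after, after - before)
    return changes


# Constructed sample: one local assignment, then an SSO sign-in with one mapped and one unmapped group.
SAMPLE = [Membership("alice", "Billing viewer", "local")]
SAMPLE = sync_external_memberships(SAMPLE, "alice", ["idp-finance-managers", "idp-not-mapped"])

if __name__ == "__main__":
    print(effective_roles(SAMPLE, "alice"))
    print(externally_managed(SAMPLE))
    print(preview_mapping_change({"alice": ["idp-finance-managers"]}, GROUP_MAPPINGS,
                                 {"idp-finance-managers": "Viewer"}))
```

Running the preview with the proposed mapping before saving it shows which users lose or gain a role, which is the review step the paragraph above recommends.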
Org chart access
The organization chart is accessible to authenticated organization users. The data shown from linked records still follows the user's organization access.
Approval roles
Approval roles are separate from access roles. Approval roles are used by approval workflows to dynamically assign approvers by department.
When creating an approval workflow for your organization, you may attach a specific user to a workflow step or attach an approval role. When a role is attached, the user who holds that role in the request's department is added as the approver when an approval request is created.
Approval roles cascade down the department tree. For example, if you assign a CFO role at the top of your department tree and use that role in a workflow step, the CFO can be included for requests throughout the organization. You may also assign a director role in different departments so each branch routes to its own director.
Manage approval roles
FTE Tree provides a list of approval roles that you may use or customize as needed. When managing approval roles:
- If you wish to delete a role, ensure it is not used elsewhere before deleting it.
- An availability flag allows roles to remain mapped to existing departments and approval workflows without being available for new assignments.
- Approval roles are optional, but they make department-based workflow routing easier to maintain.
Escalation roles
Each approval role can optionally specify an escalation role. When an approval request step has been pending beyond the escalation threshold, users assigned to the escalation role in the request's department or ancestor departments are added as backup approvers and notified by email.
The escalation role must be an available role within the same organization and cannot reference itself.
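The cascade and escalation behaviour described in the Approval roles and Escalation roles sections, as an added example that is not FTE Tree's own code. The department tree, the role membership table, the `ApprovalRole` fields, the hour-based threshold and the nearest-department-wins rule for primary approvers are all assumptions made for this illustration; the escalation validation follows the three rules stated above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed department tree (hypothetical): child -> parent, None marks the root.
DEPARTMENT_PARENT: Dict[str, Optional[str]] = {
    "All Departments": None,
    "Finance": "All Departments",
    "Accounts Payable": "Finance",
    "HR": "All Departments",
    "Recruiting": "HR",
}


def ancestors_inclusive(department: str) -> List[str]:
    """The department itself, then each ancestor up to the root."""
    chain = []
    while department is not None:
        chain.append(department)
        department = DEPARTMENT_PARENT[department]
    return chain


@dataclass
class ApprovalRole:
    name: str
    available: bool = True  # unavailable roles keep existing mappings but take no new assignments
    escalation_role: Optional[str] = None


def escalation_error(roles: Dict[str, ApprovalRole], role_name: str) -> Optional[str]:
    """Check the escalation rules: same organization, available, and not the role itself."""
    target = roles[role_name].escalation_role
    if target is None:
        return None
    if target == role_name:
        return f"{role_name}: escalation role cannot reference itself"
    if target not in roles:
        return f"{role_name}: escalation role {target!r} is not a role in this organization"
    if not roles[target].available:
        return f"{role_name}: escalation role {target!r} is not available"
    return None


def validate_escalation(roles: Dict[str, ApprovalRole], role_name: str) -> None:
    problem = escalation_error(roles, role_name)
    if problem:
        raise ValueError(problem)


# Constructed department role membership: (department, role name) -> users holding that role there.
MEMBERSHIP: Dict[Tuple[str, str], Set[str]] = {
    ("All Departments", "CFO"): {"carol"},
    ("All Departments", "Controller"): {"chris"},
    ("Finance", "Director"): {"dana"},
    ("HR", "Director"): {"hank"},
}


def resolve_approvers(department: str, role_name: str) -> Set[str]:
    """Cascade: walking upward from the request's department, the nearest department
    with the role assigned supplies the approvers (nearest-wins is an assumption here)."""
    for dept in ancestors_inclusive(department):
        users = MEMBERSHIP.get((dept, role_name))
        if users:
            return set(users)
    return set()


def approvers_for_step(department: str, role_name: str, pending_hours: float,
                       threshold_hours: float, roles: Dict[str, ApprovalRole]) -> Set[str]:
    """Primary approvers, plus holders of the escalation role in the request's department
    or any ancestor once the step has been pending beyond the threshold."""
    validate_escalation(roles, role_name)
    approvers = resolve_approvers(department, role_name)
    escalation = roles[role_name].escalation_role
    if escalation and pending_hours > threshold_hours:
        for dept in ancestors_inclusive(department):
            approvers |= MEMBERSHIP.get((dept, escalation), set())
    return approvers


# Constructed sample roles: Director escalates to Controller.
ROLES = {
    "CFO": ApprovalRole("CFO"),
    "Controller": ApprovalRole("Controller"),
    "Director": ApprovalRole("Director", escalation_role="Controller"),
}

if __name__ == "__main__":
    print(resolve_approvers("Accounts Payable", "Director"))          # Finance's director
    print(resolve_approvers("Recruiting", "CFO"))                     # CFO assigned at the root
    print(approvers_for_step("Accounts Payable", "Director", 72, 48, ROLES))
```

A request in Accounts Payable routes to the Finance director, while one in Recruiting routes to the HR director; a CFO assigned at the root is reachable from every branch. Once the Director step has been pending longer than the threshold, the Controller assigned at the root is added as a backup approver.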
Future permission changes
As FTE Tree adds features, new permissions may be introduced so administrators can grant access deliberately. Review access roles after new permission-related features are released, especially roles used for administration, finance, security, imports, and reporting.
For long-term maintainability:
- Prefer role membership for all user access.
- Keep default role names broad and stable.
- Create custom roles for local job functions instead of changing every user's access individually.
- Review external group mappings when access roles change.
- Keep sensitive-data permissions separate from ordinary view access.
Best practices
- Manage users through access roles. Avoid one-off user access patterns unless the user truly needs a custom combination.
- Reuse department access sets. Create named access boundaries for stable business groups such as Finance, Operations, or All Departments.
- Grant override approvals sparingly. Override access can bypass normal workflow controls, including the Approve immediately action on request creation, and should be limited to trusted administrators.
- Review external group mappings. Confirm that identity-provider groups map to the intended local access roles and do not overgrant access.
- Split high-risk administrative work. Treat imports, billing, access role management, and department access management as separate duties when your organization needs separation of duties.
- Review self-approval activity periodically. Run the Self-approval activity report to monitor workflow auto-approvals, request overrides, direct field edits, and batch import bypasses.
- Configure escalation roles. Escalation roles provide backup approvers when the primary approver is unavailable or when requester-only workflow steps would otherwise auto-approve.
Need help?
If you have questions about setting up permissions or roles for your organization, please contact us or email us at support@ftetree.com.