Overview

Permissions determine what a user can do in FTE Tree. Roles group permissions into reusable job functions, and department scopes limit where department-sensitive permissions apply.

Use focused roles for real responsibilities, such as access administration, reporting, approval workflow setup, position maintenance, or department management. Avoid giving users broad permissions when they only need one workflow.

Access needed

Activity Access needed
View access roles View access roles
Create or update access roles Manage access roles
Assign roles to users Assign user access
Manage department access rules Manage department access rules
Access setup See Permissions and roles.

Standard role set

New organizations include a focused role set that can be edited or replaced:

  • Access admin: Invitations, user access assignment, access roles, and department access rules.
  • Security admin: Security settings, identity providers, sessions, and security-related account support.
  • Billing admin: Plans and usage, invoices, and billing portal access.
  • Billing viewer: Billing read-only access.
  • Import admin: Import upload, validation, execution, and file access where data permissions also allow it.
  • Import reverser: Import reversal review and reversal execution where data permissions also allow it.
  • Staffing settings admin: Departments, job codes, position settings, detail settings, compensation setup, adjustments, and approval workflow setup.
  • HR operations: Employee, assignment, and position maintenance where department access allows it.
  • Reporting admin: Report execution and export access.
  • Sensitive data admin: Wage and other sensitive detail access.
  • Collaboration admin: Comment and notification settings.
  • Department manager: Day-to-day position, request, employee, assignment, and report access for assigned departments.
  • Viewer: View-only access to positions, requests, employees, departments, and reports where department access allows it.

Department scopes

Department scopes limit where department-sensitive permissions apply. For example, a user might have View positions only for a single department branch, while a finance user might have report access across all departments.

Department scopes are reusable. Create stable scopes for boundaries such as All departments, Finance, Operations, or a specific division, then attach those scopes to role assignments.

Permission groups

Position control

Common position-control permissions include:

Permission area What it controls Department-scoped?
View positions Position lists, position details, department totals, and org chart visibility. Yes
Create positions New position creation. Yes
Update positions Position detail updates and direct maintenance where allowed. Yes
Create position requests Proposed position changes and approval request submission. Yes
View position requests Approval request lists and details. Yes
Manage position assignments Assignment create, update, end, vacancy, and assignment imports. Yes
View sensitive position data Wage and other sensitive position details. Yes

Setup

Setup permissions include organization profile, departments, job codes, compensation settings, adjustments, detail settings, approval workflows, funding values, and GL setup. Grant these to users responsible for maintaining the configuration, not ordinary reviewers.

Approvals

Approval permissions cover creating requests, viewing requests, responding to assigned tasks, managing workflows, assigning approval roles, reassigning approval tasks, and approving on behalf when your governance permits it.

Reassignment and approve-on-behalf actions are sensitive because they affect approval history. Grant them only to trusted approval managers.

Imports and exports

Import permissions control upload, validation, execution, raw-file downloads, row-detail downloads, and reversals. They do not replace the data-specific permission for the records being imported. For example, a position import still needs the relevant position permission and department access.

Report permissions control report generation and report downloads. Reports that include wage, employee, or approval data can require additional data access.

Security and user administration

Security permissions control MFA requirements, sign-in settings, identity providers, account recovery, sessions, and user access. Keep security administration separate from ordinary position maintenance when your team needs separation of duties.

Approval roles

Approval roles are different from access roles. Access roles grant permissions to users. Approval roles identify who should approve a request for a department.

For example, a workflow step can require the Finance reviewer approval role. FTE Tree then resolves the user assigned to that role for the request department or an inherited parent department.

Best practices

  • Start with the standard roles, then narrow or split them only when a real responsibility needs separation.
  • Keep sensitive wage access separate from ordinary position view access.
  • Use department scopes for managers and local HR users.
  • Give approval workflow setup to a small group.
  • Give reassignment and approve-on-behalf authority only to trusted approval managers.
  • Review access regularly using the Access review report.
  • Remove access promptly when a user changes responsibilities or leaves the organization.