Admin user permissions and restrictions

When setting up Admin Users on your platform, it's essential to have a clear understanding of the components that determine your users' access. This ensures a smooth transition when administrators leave and makes creating new ones simpler. 

Access is controlled through 2 main components, both of which require an option to be selected when creating a new admin. These are the:

• Permission group - These control what parts of the platform the user can access and which actions they can perform.
• Search Restriction group - These control the visibility of operations, employees, or specific rosters that the admin user can see and perform actions within.

Before setting up your new user, you will need to decide which Permission and Search Restriction groups they should be assigned to. Consider the following points before proceeding:

• Does this person need admin access? - If their daily tasks don't involve recruitment, employee management, rostering, attendance, payroll, or reporting data, they probably don't need back-end access. Be selective with who you provide this access to. 
• Have a plan, map out your permissions, and keep it simple - Try to limit the number of Permission and Search Restriction groups you create. While this is within reason, the more groups you have, the harder it will be to track who has access to what. 
• Communicate with your teams - Ensure you understand the core functions and operations of the different departments within your organisation. This will help you map out the access they will require to perform key tasks related to their roles. 
• Each user can only have one Permission and one Search Restriction assigned - Ensure your groups are set to cover everything your user requires. 
• Less is more! - You can always increase someone's access, but it is difficult to remove what they have already seen. Ensure you understand the Permissions or Restrictions you set up, so you only need to update someone's access and not revoke it. 

Permission groups help you control which parts of your platform Admin Users can access and manage.

For example, a Rostering Manager might need access to the Roster, Time Off, and Approve Shifts pages, but not the Payroll.

When setting up your permission groups, we recommend aligning them with your internal business structure. Organise and label each group based on user roles, for example: Rostering Manager, Payroll Officer, Recruiter, and so on.

When setting up a new permission group, you'll notice that each permission is sorted into a specific category based on the key areas of your platform, which can be found in your main menu.

Although it would be helpful to list each permission individually, we can't; there are quite a few of them! However, read ahead, and we'll provide you with a summary of what each category controls.

  Please note: Any permissions marked with a warning symbol will grant access to sensitive information, such as employee or operational personal or financial details, payroll data, or other areas that could significantly affect payroll processing.

Additionally, to access sensitive information, the 'View Employee Pay Rates' permission will need to be enabled. 
 

The User permission categories in your platform are:

• People - This section allows you to customise what your admins can view and action in the People pages and employee profiles, including adding positions to profiles and terminating employment, or the ability to impersonate an employee's view. 
• Operations - This section allows you to customise what your admins can view and action in the Operation pages, rate books, and operation profiles.
• Work - This section allows you to customise what actions your admins can take when working on rosters, including creating templates or bulk shift offers. 
• Time and Attendance - This section allows you to customise what actions your admins can take when managing shift times, leave and availability, including approving shift hours, and managing Time & Attendance settings. 
• Payroll - This section allows you to customise what actions your admins can take when managing payroll-related items or navigating the Payroll, Superannuation or Single Touch Payroll pages. 
• Invoicing (labour-hire only) - This section allows you to customise what actions your admins can take when navigating the Invoice pages. 
• Awards & Agreements - This section provides access to the Awards built into your platform and allows you to customise what actions your admins can take when navigating the Awards & Agreements pages, including Award Settings and Allowances.  
• CRM - This section allows you to customise what actions your admins can take when adding or viewing prospective clients or operations. The CRM tool can be used by both labour-hire and direct employer businesses. 
• Report - This section allows you to customise what type of reports your admins can access, including Financial, Workforce, or Business reporting. 
• Communication - This section provides access to communication tools your admins can access, including the ability to view all communications sent to employees across your platform and create or manage existing communication content.
• Platform Settings - This section allows you to customise what platform-specific settings your admins can access and manage, including creating and managing signable documents, enabling email and SMS notifications, and handling other admin user permissions and restrictions. 
• Payroll Settings - This section allows you to customise what payroll-specific settings your admin can access and manage, including managing cost codes/purchase orders, payroll ledger mapping, and using the rate rise tool. 
• Integrations - This section provides access to various parts of the Integration Centre, including the CSV Import/Export tool, which enables users to gather and bulk import external data into your platform. 

  Hot tip: If you're unsure about what a permission does, you can easily simulate your selections to see the access you've set up. Check out our section below on testing permissions to learn how to do this. 

By default, when your platform is created, it includes several pre-set User Permission groups, one of which is the Super User access. This is ideally assigned to the person within your organisation who should have the ability to view all information and data.

It is advised that there be at least one Super User per platform, as specific communications are sent to this user. 

The Super User is typically responsible for editing or creating additional Permission groups; however, this ability can also be granted to other users by enabling the 'Manage Users and Permissions' permission. 

 Warning: By granting someone this access, they can also edit, delete, and deactivate other Permission groups, Search Restriction groups, and user access, including their own. This permission is not something we recommend applying to every user in your platform. 
 

To create a new user Permission group:

1. First, navigate to your Users page from your main menu > Platform Settings > Users. Select the tab 'Permission Groups'. 

2. Select New Permission Group, and then ensure you have either 'Admin Permission' or 'Operation User Permission' highlighted.

   

     Please note: Operation Users is a legacy feature, currently only in use by older platforms. You can set up and manage any external users for your Operations by using Restriction Groups.

3. Assign a Label to your new permission, ensuring it is something easily recognisable for you and your team.
4. Select all the items your user should have access to. You can do this either individually or in bulk by selecting the section heading. You can also deselect items by doing this. 
   
     Hot tip: Hover over any permission to view additional details about what that option can do.
5. Select Save to add your new Permission Group.

  Hot tip: If you want to keep a record of your Permission groups and holds that are external to your platform, you can do so by selecting 'Export Permission Group users'.

In some cases, you may need to edit or delete an existing Permission group from your platform. In these scenarios, there is one key point to consider before making those actions, that is: 

• Does anyone currently have this Permission group assigned? - If yes, and you are:
  • Editing the group, ensure any additional permissions added are still within the scope of what these admins can have access to.
  • Deleting the group, ensure you have assigned a new Permission group to those admins, so as not to disrupt their access to your platform.

You can view the full list of users assigned to each Permission group by hovering over the number highlighted in the Users column. 

To edit or delete a Permission group:

1. From the Users page, navigate to the Permission Groups tab. 
2. Find or search for the group you are looking for and select either the bin icon to delete or the pencil icon to edit. If you are:
   • Editing the group, select or deselect any items as you require, then select Save at the bottom to update. 
   • Deleting the group, select Yes to continue this action and delete, or select Cancel to go back.
     
     
3. If you have selected to delete the Permission, and it currently has users assigned, you will be prompted to select a new Permission for those users.
   • Select the new group from the drop-down, then select Delete group and move users. 

  Please note: Once you have deleted a Permission group, there is no undo button. If you did not intend to do this action, you will need to create the group again from the start.

While Permission groups are used to grant access to certain areas of the platform, Search Restriction groups are used to limit what your users can see in those areas.

For example, a rostering manager might be able to view and add shifts to the rosters, but they have been restricted to only see the specific rosters and employees they manage.

Key use cases for Search Restrictions include: 

• Allowing external users to view only items related to their business operations (labour hire clients)
• Restricting managers from viewing other managers profiles
• Enabling admins to view only employees under their direct management

When setting up new Search Restriction groups, you will notice that the restrictions are broken down into three key areas:

• Employee Search Restrictions - Use these to restrict which employees your users can see when navigating the People pages.
• Operation Search Restrictions - Use these to restrict which operations your users can see when navigating the Operation pages. 
• Roster Search Restrictions - Use these to restrict which rosters your users can see when navigating the Roster, Approve Shifts & Clock Log pages. 

Each area provides multiple ways to restrict a user's visibility. We like to think of these as if you are applying a filter to your user's view. Read ahead through each tab for a breakdown on how these restrictions work. 

  Hot tip: Any Search Restrictions you have in place will be respected when your user views reports on your platform. 

When creating new Admin Users, remember that their access depends on the permissions and search restrictions assigned to them. You can apply the same Search Restriction to multiple users, even if their permission levels vary. 

  Hot tip: You can use our simulator tool to view and confirm if your Search Restriction group works as intended when combined with your users' Permission groups. Check out our section below to learn how to do this. 

Depending on the size of your business or how much you trust your admins, you might not need to set up restrictions for your administration team. In this case, their access will have Default Search Restrictions, meaning they have unrestricted access to any of the areas you've allowed them to view.

However, in some cases, if you do need to set up and assign search restrictions, you can do so from your Users page. The Super User in your organisation is typically responsible for editing or creating additional Search Restriction groups; however, this ability can also be granted to other users by enabling the 'Manage Users and Permissions' permission. 

  Warning: By giving someone this access, they can also edit, delete and deactivate other Permission groups, Search Restriction groups, and user access, even their own. This permission is not something we recommend applying to every user in your platform. 
 

To create a new user Search Restriction group:

1. First, navigate to your Users page from your main menu > Platform Settings > Users. Select the tab 'Search Restriction Groups'. 

2. Select Create Search Restriction Group, and then ensure you have either 'Admin' or 'Operation User' highlighted. 

   

     Please note: Operation Users is a legacy feature, currently only in use by older platforms. You can set up and manage any external users for your Operations by using Restriction Groups.

3. Assign a Label to your new restriction, ensuring it is something easily recognisable for you and your team.
4. Select into any of the relevant fields and add the items you want to filter to view.
5. Select Save to add your new Search Restriction group. 

  Hot tip: If you want to keep a record of your Search Restrictions externally from your platform, you can do so by selecting 'Export Search Restriction Group'.

In some cases, you may need to edit or delete an existing Search Restriction group from your platform. In these scenarios, there is one key point to consider before making those actions, that is: 

• Does anyone currently have this Search Restriction group assigned? - If yes, and you are:
  • Editing the group, ensure any additional filters added are still within the scope of what and who these admins can view.
  • Deleting the group, ensure you have assigned a new Search Restriction group to those admins, so as not to disrupt their access to your platform.

You can view the full list of users assigned to each Search Restriction group by hovering over the number highlighted in the Users column.

To edit or delete a Search Restriction group:

1. From the Users page, navigate to the Search Restriction Groups tab. 
2. Find or search for the group you are looking for and select either the bin icon to delete or the pencil icon to edit. If you are:
   • Editing the group, remove or add any filters as you require, then select Save at the bottom to update. 
   • Deleting the group, select Yes to continue this action, or select Cancel to go back.
     
     
3. If you have selected to delete the Search Restriction, and it currently has users assigned, you will be prompted to select a new Search Restriction for those users.
   • Select the new group from the drop-down, then select Delete group and move users. 

  Please note: Once you have deleted a Search Restriction group, there is no undo button. If you did not intend to do this action, you will need to create the group again from the start.

We understand that sometimes providing access to your platform to admins or external users can be a daunting thing. Your platform hosts a wide range of personal and sensitive information belonging to your employees. Because of this, we have some tips to help you when setting up your users and ensuring you are confident in their access. 

To assist you with this, you can:

• Create a test User - You can have unlimited Admin Users on your platform; it's free. While we don't recommend having too many users with access to sensitive areas of your organisation, we suggest creating at least one fake user to test different combinations of Permission and Search Restriction groups. 
  • When doing this, we suggest using fake contact details for your test user, and utilising our next tip to assist you.
• Simulate your setups - Easily see what your existing Admin Users can see once their profiles are set up, or test the view of individual Permission or Search Restriction groups to ensure your selections are working as intended. 

  Hot tip: If you're looking for the steps on how to create a new User, to test their access, you can find that in our section below, or check out our complete guide on how to Add or Deactivate Admin Users.
 

To simulate and test your individual user, permission, or restriction:

1. First, navigate to your Users page from your main menu > Platform Settings > Users. Depending on what you want to test, either stay on the Users tab or select the relevant tab to find the desired test. 
2. Find or search for the relevant User or Permission, or Search Restriction group that you want to test the view of, if you are testing a: 
   • Users access, select the ellipsis to the right of the User, from the drop-down select Simulate Restrictions.
   • Permission or Search Restriction group, select the computer screen icon to the right of the group.
3. This will open the filtered view in a new page of your browser. A bright orange warning banner will be highlighted at the top of your screen to notify you that you are simulating access. 
   
     Please note: If you take any action while simulating another access, this will still be highlighted or marked in your action log as your own. 
4. Once you have completed your review of the access, ensure you select Cancel from the orange banner at the top of your screen to exit and return to your Users page.

When a new admin joins your business, you need to set them up in your platform so they can use foundU for its admin functions. Likewise, when they leave, you need to deactivate their access to ensure it stops.

  Please note: If you're a new admin having trouble logging into the admin portal, first check that your organisation has set you up properly or that you're using the correct URL. The link for your organisation's Admin Portal should look like yourcompany.foundu.com.au/admin. 

When you bring a new admin user into your platform, the best practice is to:

• Ensure the new user is created by either your business's super user or a delegated user with the correct permissions enabled to perform this action. 
• Simulate the permissions and restrictions of the new users to ensure they have been configured correctly.
• Confirm that your new admin has received their welcome email and set a password. They now have access!

Additionally, when an admin leaves your business, you should deactivate them immediately to remove their access to your platform. 

Check out our guide on how to Add or Deactivate Admin Users for a complete and comprehensive view on how to action this!

What do the different colour badges mean on the Users page?

The coloured badges highlight what other access the admin has in the platform.

• Green = employee access
• Blue = admin access
  
• Purple = operation user access (If you are a new platform, you may not see Operation users, this is a legacy feature)

If an Admin User uses the same email for both their employee profile and admin access, both badges will be shown.

Can people who are not Employees be Admin Users?

Yes! As the Employee and Admin Portals have different URLs your admins don't need to be set up as employees in the platform to have Admin access.

What if I need my managers to see people across other rosters?

If you reqire your managers to be able to view if an employee already has a shift assigned on a Roster that they do not have access to, there are 2 ways you can resolve this.

1. Your manager can simply enable the 'Show external shifts' setting in their roster display settings. This will highlight any existing external shifts on the roster the manager is currently viewing.

2. You can modify your managers Search Restrictions to include the relevant rosters that the managers are required to view. In doing this however, the manager will then be able to action items like add, edit or delete shifts, and view shift costing on those rosters. 

Will terminating my admin's employee profile stop them from accessing the Admin Portal as well?

No, if an employee also has an Admin User account you will need to deactivate that account separately from termination.

Can I set up a fake Admin User for testing purposes?

Yes! Make sure to utilise the Simulate Admin User feature when testing.

How do I access the Admin Portal as an Admin?

You will access the Admin Portal via 'yourcompany.foundu.com.au/admin'

When I set up a new Admin User, will they be notified of the next steps?

Yes, when an Admin User is created they will be sent an email with a link to create their password along with some admin training material from our help centre.

Do I get charged per Admin User as part of my active user fee?

No, you can have as many Admin Users as required, however please note that you cannot delete Admin Users once they have been created. This is for auditing purposes, and you will only be able to deactive those admin profiles. 

Why can I update the email address used to log in for other Admin Users, but not my own?

For security purposes, Admin Users with access to create and manage the access of other users, cannot update their own email address used to log into the foundU platform. This is to ensure that the user cannot be accidentally or intentionally locked out of their own account. 

For this reason, we reccommend that there be a secondary Admin User with permission to manage user access, who you can reach out to update this for you.