Access Levels in HR Software: A Practical Guide for IT and HR Teams

According to a recent study by The Josh Bersin Company, 68% of HR organizations say they’re falling behind as their responsibilities significantly increased during the COVID-19 pandemic.

As an IT professional, you can lift some of the weight off your HR team’s shoulders by leveraging a key tool in your arsenal: access levels. Doing so allows you to protect sensitive company data while giving employees more autonomy over their personal information.

The alternative is leaving your HR team unnecessarily bogged down with manual data entry, error-fixing, and approval processes. On the employee side, people are more likely to feel frustrated with micromanaging procedures, which can contribute to lower satisfaction and engagement.

In this article, we’ll cover why access levels are a must when using HR software, different types of access control, and how to handle permissions requests at your company. With secure BambooHR® data and reporting features, you can manage sensitive information all in one database, whether you’re in the office or on the go.

What Does Access Control Mean in IT Security?

Access control is a software security measure that regulates which individuals or systems can view or use an organization’s information and resources. Setting different administrative privileges minimizes the risk to the business by protecting sensitive documents from unauthorized users and maintaining data confidentiality, integrity, and availability.

Here are the main stages of the access control process:

1. Authentication: Users must provide their unique credentials to verify their identity. Typically, they sign on with a username, email address, or employee ID along with a password, PIN, or biometric data (like a fingerprint).
2. Authorization: Many companies require users to provide two-factor authentication (2FA) or multi-factor authentication (MFA) for added security. For example, after someone enters the correct username and password combination, they may get a push notification from a mobile authenticator app to confirm the access attempt was legitimate.
3. Access: After their identity is verified, they’ll have limited or unlimited access to the resource, depending on their access level (more on that later).

Why You Need to Control User Access in HR Software

Controlling user access in your HRIS is a crucial balancing act between business security and efficiency.

Think of all the sensitive information that’s at risk in the event of a data breach: social security numbers, salary details, disciplinary records, legal documents, medical information, and the list goes on. Aside from complying with data protection regulations (e.g., HIPAA) and avoiding potential legal consequences, the proper safeguards are necessary to respect employee privacy and maintain trust within your organization.

As for efficiency, enabling employee self-service reduces the burden on HR teams. After all, think of how much time HR spends entering, fixing, checking, calculating, totaling, and approving employee hours. An access level policy shifts some of that responsibility to the employees themselves, allowing them to do things like:

1. Clock in and out or enter their total hours
2. Double-check their timesheets and fix mistakes
3. Review their current paid time off (PTO) balances
4. Calculate future PTO accruals
5. Request time off
6. Update their personal information (address, phone number, etc.)

And don’t forget about your managers. Updating their administrative access levels expedites logistical processes even further, allowing them to approve actions for their own teams, such as:

1. Timesheet submissions
2. Time-off requests
3. Information changes
4. Pay raises
5. Promotions

What’s more, you and HR can set up custom workflows that allow them to share the load more evenly with their managers. For instance, they could split different tasks related to new-hire onboarding, offboarding, and employee training.

The Top 5 Types of Access Control

While access control methods vary across industries and organizations, the most common types include:

Mandatory Access Control (MAC)

This is a strict model where access rights are determined by a central authority based on security policies, meaning users can’t set, revoke, or alter permissions. MAC is often used in government and military settings with security clearance systems.

Discretionary Access Control (DAC)

DAC allows users to control the privileges for their own resources. More specifically, owners determine who gets access and what level of access is granted. Once a user has permission to access the system, they can give access to other users as they see fit.

For example, Google Docs uses a DAC model. Document owners can specify which individuals or groups can view, edit, or comment on the file. And while those who received access can grant other people access, the owner can also modify or revoke permissions at any time.

Role-Based Access Control (RBAC)

Under an RBAC model, administrators assign access based on defined business functions (e.g., executive, manager, or employee level) as opposed to individual user identities. This means a person can only perform the actions required for their role at the company and can’t change their assigned permissions level.

Rule-Based Access Control (RuBAC)

With this method, a system administrator defines the rules governing corporate resource access. The rules are usually based on conditions, such as time of day or location. For instance, a US-based employee may be unable to access their work resources while vacationing abroad.

Attribute-Based Access Control (ABAC)

ABAC is a dynamic, context-based security model that uses attributes to grant access. It considers a broader range of characteristics related to the user, resource, and environment, such as job titles, device type, IP address, data sensitivity, and time of access.

This model grants permission based on a combination of attributes at the time of the request, allowing for more tailored control in complex scenarios. For example, an employee may have different access levels during regular working hours compared to after hours.

Example: Access Levels in BambooHR®

Maybe you’re worried about handing over all that private, sensitive information to your employees. That’s a good instinct. The good news is there are different access levels in BambooHR to limit what people can see and change:

• Full admin access level: This level gives you access to view and edit all fields for all employees, as well as all settings. In other words, this is top-level clearance, so you should strictly limit this kind of access.
• Manager access level: This level allows managers to view information about their direct and indirect reports. You can still hide fields, meaning you can select which details managers can see about their employees, and the only editing ability this access level provides is to edit notes.
• Employee access level: This level gives individual employees access to their own information only—you have complete power over what they can see or edit. You have the option to give them:
  • No access
  • View-only access
  • Edit access
  • Edit access with approval (meaning you or the person you set as the approver has to verify any changes an employee wants to make)
• Custom access level (Professional and Advantage Packages): If none of these options have what you need, you can make your own. This level can come in handy if you need to grant access to certain administrative tools or want to give someone the ability to edit employee information without giving them full admin access to BambooHR.

What Should You Do If a User Doesn't Have Access Privileges?

Here are some responsive measures you can take for instances when users are denied access to resources in your HRIS:

1. Request process: Clearly outline how users can request admin access, emphasizing the importance of providing detailed information to expedite the review process. For example, they may need to submit a permissions request through a designated system or contact the IT helpdesk.
2. Access review: Have IT, their manager, or a relevant department review the request and determine if it's appropriate for their role. Then, inform the user of the decision and any necessary next steps.
3. Appeal process: Create a user-friendly process for employees to appeal access denials. This might involve submitting additional information or justifying the need for specific access. IT or another relevant department can then review and reassess the request.

As for more proactive approaches, be sure to regularly review and update your HRIS access privileges. This helps ensure they align with your users’ current roles and responsibilities. Also, document your company's access control policies and encourage users to stay current. These strategies can help you identify and address software access issues before they escalate.

Set Yourself and Your Employees Free to Do Great Work

Granting other people access to your HR software may sound scary, but it doesn't have to be. With BambooHR, it’s a safe and easy process—and the best way to unlock tons of time-saving and paperwork-busting features. By empowering employees and managers, you can help your HR team shift their focus back to strategic planning and building a great workplace for all.