FAQ

Universal

How do permissions work?

paiyroll® checks permissions using the following steps:

  1. Authentication. Most access requires users to be logged in. A logged-in user will either be an Employee or an Administrator. Depending on context, Employees may have the role of:

    • An employee working on their own behalf.

    • A manager of a Department to which other employees can belong.

    Each Administrator is assigned roles with names like Payroll Approver and HR Administrator. You can view the available roles and who has them. These settings can be changed (subject to permission!).

  2. Role-Based Access Control (RBAC). The first level of permission checking is based on the roles that a logged-in user has, the type of object being accessed, and the kind of action being attempted.

    Examples of types of object are Company, Employee and Pay Run. The kinds of actions are:

    Create (C)

    For example, adding a new Employee.

    Read (R)

    For example, viewing a list of Companies.

    Update (U)

    For example, updating the address of a Company.

    Delete (D)

    For example, deleting a Pay Definition.

    Upload (+)

    For example, uploading Employees from a CSV file.

    You can view a summary of the RBAC settings. These settings cannot be changed.

  3. Object-level access control. After RBAC, a second level of permission checking is based on the user’s identity and the object’s identity. For example, an Employee can Create, Read and Update their own Holiday booking but must not be able to look at those of another Employee.

    In addition to the identity-based checks, permissions may be further restricted based on object state. For example:

    • Once a Timesheet has been approved and then processed in a Pay Run, it cannot be deleted.

    • Once approved, no Administrator can delete a Pay Run.

  4. Task-based access control. For workflows, after object-level access control, each task in the workflow requires a third level of permission checking, which is also based on role. For example, only an Administrator with role Payroll Approver can approve a Pay Run.

    You can view which role can perform which task by looking at the annotation on the Swim Lane containing the task on the BPMN diagram for the workflow.
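
The four steps above, written as one deny-by-default check. This is an added illustration, not paiyroll® code: the RBAC matrix rows, the task name approve_pay_run, and the names User, Obj and check are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed RBAC matrix: (role, object type) -> allowed actions (C, R, U, D, +).
# Illustrative rows only; the product's real matrix is not reproduced here.
RBAC = {
    ("Employee", "Holiday"): set("CRU"),
    ("Payroll Approver", "Pay Run"): set("CRUD"),
    ("HR Administrator", "Pay Run"): set("RU"),
}
# Constructed task table: workflow task -> role allowed to perform it.
TASK_ROLE = {"approve_pay_run": "Payroll Approver"}

@dataclass
class User:
    name: str
    roles: frozenset
    authenticated: bool = True

@dataclass
class Obj:
    kind: str
    owner: str = ""       # empty for objects with no owning Employee
    state: str = "draft"

def check(user, action, obj, task=None):
    """Return (allowed, deciding step). Every step must pass; first failure wins."""
    # Step 1: authentication.
    if not user.authenticated:
        return False, "authentication"
    # Step 2: RBAC on role, object type and action; unknown pairs grant nothing.
    if not any(action in RBAC.get((r, obj.kind), set()) for r in user.roles):
        return False, "rbac"
    # Step 3a: object-level identity check (simplified: owned objects are owner-only).
    if obj.owner and obj.owner != user.name:
        return False, "object-identity"
    # Step 3b: object-state restriction: an approved Pay Run cannot be deleted.
    if action == "D" and obj.kind == "Pay Run" and obj.state == "approved":
        return False, "object-state"
    # Step 4: task-based check; a task missing from the table is denied.
    if task is not None and TASK_ROLE.get(task) not in user.roles:
        return False, "task"
    return True, "allowed"
```

Returning the deciding step alongside the verdict makes it possible to log which layer refused a request, which helps when auditing why a role that passes RBAC is still blocked.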

Re-employing workers

If you re-employ anyone, follow the administrative tasks for returning workers.

GB-specific