The Access Coins Payroll and Human Resources Modules offer various levels of security beyond functional security set up during implementation. Security is defined within payroll and HR and can:
Restrict or allow access to employee and/or personnel records
Allow access to employees and/or personnel but restrict views of salary related data
Restrict access to employees and/or personnel, but allow access to timesheet entry with or without access to rate fields
Allow access to employee and/or personnel records but restrict entry of timesheets or allow entry of timesheet but restrict access to rate fields.
Employee Security in OA uses Patterns, Can-Do Lists and Comma-Separated lists to specify the values included or excluded from view.
CAN-DO Lists
The fields in Payroll Employee Security allow you to enter a list of values that will be used to determine if a user has access to an employee. This list is called a Can-Do list. To use Employee Security, you must first understand how to create a Can-Do List.
A Can-Do list can be comprised of wildcards, multiple values (called a comma-separated list), and exceptions. Below is a list of characters that can be used to build a CAN-DO list anywhere in OA.
Character | What will it do? | Example |
Wildcard (*) | Represents "any character" or "any string of characters" | C* - Will return a list of values that begin with the letter ‘C’; *C* - Will return a list with every value that contains the letter ‘C’ |
Commas (,) | Allows you to specify several items in a list. Do not use spaces. A Comma can be used to represent Blank Values in a list. | A1000,A1500,B1224; A1000,,A1500 - Will return A1000, Blank and A1500 |
Exclamation Mark (!) | Represents items you want to exclude from a list. When using Exclamation Mark, you must follow the excluded items in the list with Comma then Wildcard as shown in example | !C*,* |
DOT (.) | Represents any single character. If you want to search for a dot (.) as a character within your list, then put a backslash (\) before it. The backslash is commonly used for general ledger searches. | C1.0 - Will return any value that is 4 characters in length, begins with C1 and ends with 0; !C1.0..0,C1.0... - Will return any value that is 7 characters in length, begins with C1, has 0 as the fourth character, and does NOT have 0 as the last character; ..\....\.1234 - Will return any value that begins with 2 characters followed by . followed by 3 characters followed by . followed by 1234, such as 00.000.1234 |
Employee Security
What is Employee Security?
Employee Security prevents users from accessing records in the employee file and from seeing an employee or employees in reports as well as other areas of payroll. Employee Security must be set up and maintained by Payroll Company.
📌Note: A user has access to all employees and related data unless security is in use.
Employee Security contains a Can-Do list of values that is applied to a user or user group to determine which groups or types of employees a user will have access to.
Employee Security is maintained in Payroll > Company Setup > Security and can be based upon Employee Department, Employee Location, or a field within one of the four available analysis fields used in Employee maintenance.
The security basis for Employee Security is determined by setting Global Payroll parameter ‘SECURITY’.
⚠️Important: Employee Security basis, by default, is Employee Department.
If you change the value of the parameter, you must run Regenerate Employee Security from the Payroll > Company Setup > Security Menu for the changes to take effect.
How is Employee Security Setup?
Employee Security is the ability to access or view employee data in Employee Maintenance and on reports and inquiries. The Security List and Code fields in Payroll > Company Setup > Security are used to configure security by user or user group.
The Security List field is populated with a Can-Do statement, as described above. The contents of the list correspond to the field defined in the PR/SECURITY parameter and found in the Employee File.
In all cases, the first character in a Security List is always Pay Frequency. If Security is based on Department then the Can-Do list you enter will apply to the Pay Frequency Value followed by the Department.
Pay Frequency Values are as follows:
Value | Pay Frequency |
0 | Weekly |
1 | Monthly |
2 | Two-Weekly |
3 | Four-Weekly |
4 | Twice-Monthly |
The Code in Employee Security can contain a list of Employee Numbers that a person has access to (or does not have access to) in addition to those allowed by the Security List.
Employee Security Examples
Access to weekly Employees Only
In this example we want user CARLUC to have access to ALL employees whose pay frequency is WEEKLY (0*) for any Department. If employees are on file for any other frequency, this user will not be able to see their records.
Access to all Weekly Employees EXCEPT for one other employee
In this example we want user CARLUC to have access to ALL weekly employees except employee with Employee Number LUCOLI.
Restrict Access based on Employee Pay Frequency and Department
In this example, PR/SECURITY is configured to use the Employee Department. Therefore, the department codes are in the security query for users and/or user groups.
In this example we want User CARLUC to have access to ONLY weekly employees in the Mechanical Department (any Department that begins with the number 3) except employee with Employee Number LUCOLI.
“0” in the Security List is presented as the first character and represents the pay frequency. In this case, “WEEKLY employees only” are included. The remaining characters in the string, “3*”, which follow the employee pay frequency, represent “Any Department that begins with 3”.
Access to all Frequencies for Mechanical Department
In this example we want User CARLUC to have access to ALL pay frequencies but ONLY employees that are in mechanical departments.
The can-do statement ".3*" means any employee in departments that begin with 3 for all pay frequencies.
Access to All Employees except those in Department 100 and LUCOLI
In this example we want user CARLUC to have access to ALL employees EXCLUDING those in department 100.
An Exclamation Mark is used prior to the first character in the security list and means to EXCLUDE everything that follows up to first comma.
To Set Up Employee Security based on Analysis Set
In Parameters, designate parameter SECURITY as an analysis set to be used specifically for Security. In our example, we are using Analysis Set 4.
Go to Payroll > Company Setup > Company Configuration and click the Employee Analysis Sets tab. Set the 4th analysis set (as defined in Payroll > Global Setup > Parameters) to SECURITY CONFIGURATION.
⚠️Important: A single Analysis Set is used for all pay frequencies when processing US Payroll.
Go to Analysis Sets. Select the Type named Security Level. Click Add.
Use the Code field to add codes representing Security Levels and Groups.
The Code field is an 8 character field. For the first character, enter the Security Level to be used in COINS US (Levels 1-7). For the remaining 7 characters, enter the Security Type to be used in COINS US.
The analysis codes listed below are only examples demonstrating how they may be structured. You may wish to set up your analysis code structure differently.
Examples
Analysis code 1FHou, where "1" would represent Security Level; "F" would mean FIELD; and "Hou" would represent Houston Based Employees.
Analysis code 4EHou, which would represent Level 4 Executives in Houston.
Go to Employee Security to invoke security for a user, such as a Payroll Clerk. You may set the Employee Security as shown below.
If there are many field locations (such as Hou, FLO, etc.), you may request to be shown all Level 1 Field employees, except for those in Houston, and exclude all Level 4 employees.
📌Note: The Employee Security List is Company specific. You must repeat this process for each company where US Payroll is processed.
When defining security:
you may use a can-do list to represent a character group's pattern.
you may use exceptions (!) to exclude patterns.
Exclusions to a pattern must precede the most inclusive pattern (see example) and multiple entries in a pattern are separated with a comma.
Below is the pattern '!01FHOU,01F*,!*4*' for user shidun. It is interpreted as follows:
!01FHOU means Exclude (!) all Weekly (0) Level 1 (1) Field (F) from Houston area (HOU).
01F* means Include (no ! in pattern) all Weekly (0) Level 1 (1) Field (F) for all areas not previously excluded.
!*4* means Exclude (!) for all Payroll Intervals (*) for Level 4 (4) for all Execs/Field/Office (*) for all areas (included in previous *).
You may want to avoid mixing alpha and numeric values when defining a section within a pattern. In this example, the area (represented as HOU, FLO, SAN, ADM) uses alpha values only, thereby eliminating the possibility that the pattern '!*4*' will match anything other than Level 4 employees.
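The rules above (wildcards, single-character dots, and exclusions that must precede the most inclusive entry) can be checked offline before a list is entered in Payroll > Company Setup > Security. The Python below is an added example, not COINS code: it assumes entries are tested left to right with the first match deciding, that a key matching no entry is denied, and that matching ignores case. Apart from the list for user shidun, the keys and the misordered list are constructed for illustration.

```python
import re

def _compile(pattern):
    """Can-Do entry -> regex: '*' any string, '.' any one character, '\\.' a literal dot."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # backslash escapes the next character
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "." else re.escape(ch))
        i += 1
    # Assumption: matching is case-insensitive (the page writes both Hou and HOU).
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def can_do(security_list, key):
    """Return (allowed, deciding_entry) for one key.

    Assumptions: entries are tested left to right, the first match decides,
    and a key that matches no entry is denied.
    """
    for entry in security_list.split(","):
        exclude = entry.startswith("!")
        if _compile(entry[1:] if exclude else entry).fullmatch(key):
            return (not exclude, entry)
    return (False, None)

def audit(security_list, keys):
    """Map each key to (allowed, deciding_entry) so a reviewer can see why."""
    return {key: can_do(security_list, key) for key in keys}

# Constructed keys: pay frequency + level + type + area, as in the analysis-set example.
KEYS = ["01FHOU", "01FFLO", "04EHOU", "02OADM", "41FFLO"]
SHIDUN = "!01FHOU,01F*,!*4*"        # list shown on this page for user shidun
MISORDERED = "01F*,!01FHOU,!*4*"    # constructed: exclusion placed after the inclusive entry

if __name__ == "__main__":
    for name, sec_list in (("page order", SHIDUN), ("misordered", MISORDERED)):
        print(name, sec_list)
        for key, (allowed, entry) in audit(sec_list, KEYS).items():
            print(f"  {key}: {'ALLOW' if allowed else 'DENY'} (decided by {entry})")
```

With the misordered list, 01FHOU is allowed by 01F* before the exclusion is ever reached. With the page's list, the constructed key 41FFLO (pay frequency 4, Level 1) is decided by !*4*, which shows that a broad exclusion matches on any position in the key, not only the level character.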
Extend Payroll Security to Job Status Reports & Inquiries.
Payroll Employee Security can be extended to certain Job Status Reports and Inquiries. Payroll Global Parameter JCSECUSR contains the list of users for whom payroll security will extend to Job Status. The default value of this parameter is ‘*’ or all users. If a user cannot see an employee in payroll, then the employee identifier, such as name or employee number, will be replaced with the phrase “Payroll Labor” when employee specific data is displayed.
Timesheet and Timesheet Rate Security
While payroll Employee Security prevents a user from seeing an employee anywhere in payroll and in certain areas of job status, Timesheet Security and Timesheet Rate Security are used to control access to timecards and to restrict the view of rates on timecards and certain unposted payroll reports.
Timesheet Security allows a user to enter a timesheet for a person that they do not have access to, or prevents timesheet entry for a person they can see. Timesheet Rate Security suppresses rate information for persons that a user can enter time for.
To begin using Timesheet and Timesheet Rate Security, payroll Parameter TSSECURE must be set to yes as shown below.
Users will define the security list or codes that will be used for both Timesheets and Timesheet Rates in Lookup Codes. Use the data selector at the bottom of the page to select Timesheet or Timesheet Rate Security List.
Lookup Codes for Timesheet Security Types
Lookup Codes for Timesheet Rate Security
Once the PR/TSSECURE parameter is set to yes and Lookup Codes have been defined, you will populate the Employee File with the Timesheet & Timesheet Rate Security codes for each employee in Employee Maintenance.
In Employee Security, enter the codes that a user does or does not have access to for Timesheet Entry and for Timesheet Rates.
Employee CARSTO was assigned Timesheet Group CORP; however, user CARLUC was restricted from entering payroll for any employees in the Timesheet Group CORP. The user gets a hard stop when attempting to enter or see timecards for the employee.
If an employee has access to enter timesheets for only certain groups (lookup codes), enter the excluded codes and then enter all others. The setup is the same for Timesheet Rate Security.
If the user has access to enter payroll for an employee but not see rates, the rates are suppressed in all Timesheet Entry functions, and the Timecard Report only.
Other reports, inquiries and functions are NOT included in security. Use functional security to restrict users from other reports and inquiries as needed.
Salary Security
Similar to Timesheet and Timesheet Rate Security, it may be necessary for users to have access to employees, but not see salary related information. This security setting is configured in payroll but shared with both the PR Employee File and the HR Personnel File but not Job Status. You must use PR Employee Security to extend payroll security to job status.
Salary Security is based on the same security parameter as Employee Security.
In the example below, user carluc does not have access to any employees in Department 100, nor does the user have access to employee LUCOLI; in addition, the user cannot see salary information for employees, in any pay frequency, whose department begins with 3. To define salary security, !.3* is included in the Salary Security List.
Employee Earnings Category File with Salary Security in use
HR Salary History with Salary Security in use
The ability to run certain Reports will be restricted if salary security is in use.
Human Resources – Personnel Security
Employee Security in Payroll is NOT shared with Human Resources. Personnel Security must be maintained separately. Users have access to all Personnel Records unless HR Personnel Security is invoked.
Since HR Personnel Workbench is global, you can define HR Personnel Security to automatically recognize company security. HR Parameter COSECURE should be set to Y to restrict a user’s access to Personnel included in the user’s list of companies in User Maintenance.
Personnel Security uses security queries rather than Can-Do Lists. The Security Query may include any field or fields in the personnel table (pp_organisation) and is therefore very flexible. However, you may find it necessary to have consulting assistance when invoking HR Parameter security.
Example
Within this topic, under Employee Security, we described setting Employee Security by Payroll Department. Access was limited for user CARLUC to only employees whose Department began with 3 or anyone in the Mechanical Divisions. In addition, user CARLUC will not have access to employee LUCOLI.
The Security Query to use in HR Personnel Security would be:
Can-Do("3*",ppo_dept) and hrp_id <> 'LUCOLI'
Often, users will be limited to the employees they supervise. In the example below, the common security query could be applied to each user. The query gives users access to themselves and their direct reports.
CAN-DO(ppo_seq + ',' + ppo_superid + ',' + ppo_mgr, '{UserValue^getLinkHRKey}')
📌Note: The text within curly braces will be replaced with the unique sequence number of the current user's HR record, so this requires the user to be linked to a personnel record.
e.g. can-do("5",ppo_mgr) or can-do("5",ppo_superid)
Where 5 is the internal sequence number of the user
Functions included in Employee Security
GENERAL
Employees will be excluded from view
Employee File
Lookups functions for employees in Payroll functions, reports & inquiries
INPUT/PROCESSING
Employee security applies to all functions under input and processing of timecards. You will not see any employee’s timecards for whom access is restricted.
During input, if you attempt to enter a timecard for a person for whom access is restricted, you will receive the following error: “You do not have Payroll security permission for Employee XXXX (John Doe). [PR2]”.
REPORTS
Employees are omitted from the following reports:
Affirmative Action Report – Employees are omitted
Calculation Report – Employees are omitted
Certified Payroll Reports – Employees are omitted
Earnings Report – Employees are omitted
Starters & Terminated Employees Report – Employees are omitted
Employee Earnings Detail History – Employees are omitted
Employee Pay Calculation Analysis Report – Employees are omitted
Gross Payroll Register – Employees are omitted
Insurance Report – Employees are omitted
New Hire Report – Employees are omitted
Prevailing Wage Reconciliation Report – Employees are omitted
Selected Item Report – Employees are omitted
Tax Summary Report – Employees are omitted
Timecard Reports – Employees are omitted
Edit Detail – Employees are omitted
Edit Summary – Employees are omitted
Employees are included in the following reports
PL Analysis Report – All Employees are included in report.
Payroll Transactions in Job Status
Job Status Transactions Key and Composite Description are masked in the following reports and inquiries:
Cost Transaction Report
Cost Code Detail History Report
Job Status Inquiry
Single Job Inquiry
Multiple Job Detail Inquiry
Job Status (Cost Movement) Inquiry
Unit Job Cost & Variance Inquiry
Weekly Costs Inquiry
Job Status Transactions are omitted from the following reports:
Daily Labor Billing by Cost Code Report
Weekly Labor by Cost Code Report
Functions included in Salary Security (WIP)
(Refer to OA_CE-PR084 for more information)
INPUT/PROCESSING
Salary Masked
All Timesheet Entry functions
All Timesheet Inquiry functions
Employees Omitted
Timecard Report
Edit Detail
Restricted from Running Report
Tax Summary Report
Functions included in Timesheet and Timesheet Rate Security
INPUT
Timesheets
Timesheet by Job
Timesheet by Employee
Timesheet by Multiple Employee
Timesheets > Timesheet Detail (Inquiry)
UNPOSTED REPORTS & INQUIRIES
Timecard Report *
*If Timesheet Rate Security is in use, then rates are suppressed for all employees included on the report.
⚠️Important: Timesheet and Timesheet Rate Security ONLY applies to the functions listed above. It is imperative that Functional Security is carefully reviewed to prevent access to Rate information for those users who are restricted.