Abstract
Customers often ask to restrict the permissions for showing historic employee data, so that only the current data is shown in the employee profile, while the same users still need to report on employee data. This blog post highlights the dilemma, provides some deeper insights and gives some recommendations.
Introduction
Story reports can currently only be executed if the permissions for "XXX Information Action" => "View History" (where XXX = Personal, Address, Compensation, Dependents, Job, Job Relationship) have been assigned. Figure 1 shows the settings from Admin Center -> Manage Permission Roles -> User Permissions -> Employee Central Effective Dated Entities.
Figure 1 – “View History” for Address, Dependents and Job Information Actions required to execute story reports
Multiple customers are reluctant to grant report users the “View History” permission, in particular if such report users should only execute simple operational reports which run just for “Today”. Examples of such simple operational reports are “Address lists”, stories about work permit details, compensation details and also simple headcount or FTE analyses for various dimensions (e.g. regular versus temporary employees, full-time versus part-time employees, male versus female employees, age ranges or length-of-service ranges).
The "View History" requirement is a precautionary measure to prevent story reports from showing data that is not visible in the employee profile, and vice versa. It is a consequence of the fact that the permission settings were originally built for master data maintenance, i.e. the Employee Profile UI, and do not 100% "fit" reporting. This is discussed and shown in more detail below. Nevertheless, an approach is described for restricting the data that is exposed to users, together with an illustration of what this means for reporting.
Before diving deeper into the reporting behaviour, it is worth recalling how the Employee Profile UI behaves:
Figure 2 – Accessing the job information history details
Figure 3 – Behaviour if "Job information Action -> View History" is not assigned and "As of Today" is changed to any historic/future date
The following need to be kept in mind for reports. Reports....
Solution
This section presents a permission configuration which restricts the display of history details in the employee profile but at the same time allows the execution of simple reports for today. The downside of this approach is that more sophisticated reports which run for time ranges have to be treated with care.
The suggested configuration is as follows (see Fig. 4): set the data blocking for “XXX Actions (View History)” from "Full Access" to "Restricted - 0 months" (where XXX = Personal Information, Address Information, Dependents, Job Information or Compensation Info).
Figure 4 – Setting up the data blocking for “Job Information Actions (View History)” to “Restricted – 0 months”
This means that
Figure 5 – Only current time slice is visible in Change History portlet
After this configuration the different time filters in reporting behave in the following way:
Most important to mention is the guiding principle that the described behaviour is 100% consistent with the employee UI behaviour: No data are shown in the report which are not exposed on the employee profile UI and vice versa.
Nevertheless, note that the described behavior can lead to some confusion with the story report output if the permission for the full history is not given. This can be illustrated by the following two examples:
Employee | Effective Start Date | Effective End Date | Event |
---|---|---|---|
Employee A | 01.03.2024 | 31.12.9999 | Data Change |
Employee B | 01.03.2024 | 15.09.2024 | Data Change |
Employee B | 16.09.2024 | 31.12.9999 | Pay Rate Change |

Employee | Effective Start Date | Effective End Date | Event |
---|---|---|---|
Employee C | 01.07.2024 | 31.12.9999 | Hire |
Employee D | 01.07.2024 | 31.08.2024 | Hire |
Employee D | 01.09.2024 | 31.12.9999 | Data Change |
Conclusion
These examples illustrate that the results of reports which are run for a date other than “today”, or for time ranges, may appear incomplete when they are executed with limited “View History” permissions. Conversely, the "data blocking = 0 months" configuration is only recommended for roles of report users who use stories that are executed for one particular day, namely “Today”.
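The effect on the two example tables can be reproduced with a simplified model, added here as an illustration; it is not part of the original post and not SAP's implementation. It assumes that "Restricted - 0 months" leaves only the time slice effective today readable (as in Figure 5), that "today" is 01.10.2024 (a constructed date), and that a report only sees readable slices; all function names are hypothetical.

```python
from datetime import date

TODAY = date(2024, 10, 1)        # constructed "today"; not stated in the post
OPEN_END = date(9999, 12, 31)    # open-ended time slice

# (employee, effective start, effective end, event) from the two example tables
SLICES = [
    ("Employee A", date(2024, 3, 1), OPEN_END, "Data Change"),
    ("Employee B", date(2024, 3, 1), date(2024, 9, 15), "Data Change"),
    ("Employee B", date(2024, 9, 16), OPEN_END, "Pay Rate Change"),
    ("Employee C", date(2024, 7, 1), OPEN_END, "Hire"),
    ("Employee D", date(2024, 7, 1), date(2024, 8, 31), "Hire"),
    ("Employee D", date(2024, 9, 1), OPEN_END, "Data Change"),
]

def visible(slices, full_history, today=TODAY):
    """Slices the role may read: all of them, or only the one effective today."""
    if full_history:
        return list(slices)
    return [s for s in slices if s[1] <= today <= s[2]]

def report_as_of(slices, as_of, full_history, today=TODAY):
    """Employees with a readable slice that is effective on as_of."""
    readable = visible(slices, full_history, today)
    return sorted({s[0] for s in readable if s[1] <= as_of <= s[2]})

def report_events(slices, event, start, end, full_history, today=TODAY):
    """Employees with a readable slice of this event starting in [start, end]."""
    readable = visible(slices, full_history, today)
    return sorted({s[0] for s in readable
                   if s[3] == event and start <= s[1] <= end})

if __name__ == "__main__":
    june = date(2024, 6, 1)
    july = (date(2024, 7, 1), date(2024, 7, 31))
    for label, full in (("Full Access", True), ("Restricted - 0 months", False)):
        print(label)
        print("  as of today:     ", report_as_of(SLICES, TODAY, full))
        print("  as of 01.06.2024:", report_as_of(SLICES, june, full))
        print("  hires in 07/2024:", report_events(SLICES, "Hire", *july, full))
```

With the restricted role the "as of today" report is unchanged, while Employee B drops out of the 01.06.2024 report and Employee D drops out of the July hires, because their matching time slices are no longer the current ones.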