Denying Access to a Specific Section, Card, or Screen
Issue: Users have permission to sections, cards or screens they should not be able to access.
Troubleshooting Tips:
The user may have inherited access to a screen through an organization unit role, or the user may have been assigned to the wrong role. The role itself can be modified to remove access to that specific screen.
Check the Employee record>TCS screen>Employee Authorization Information Card to view the policies assigned to an employee, and to determine the role granting access to that policy (screen).
The Employee Authorization Information card displays the policies and roles assigned to an employee. This card is found in the TCS screen in the employee record.
Note: If this card is not visible, it can be added to the TCS by going under the Preferences section>My Preferences card>Time Card Screen and dragging the Employee Authorization Information card to the Selected column.
- Deny or Delete the employee role that gives them access to the screen.
- If the role is assigned to the employee through the Organization Unit screen, the role must be added to the employee Role screen with the access set to Denied.
- If the role is assigned to the employee through the Roles screen, the existing role can be updated to be Denied.
- Be sure that the user will still be able to access required screens if the role is removed. Multiple screens and/or functions may be granted to users with a single role.
- The user can be assigned to another role with the required functionality access. See More About Adding An Employee Role.
- An existing non-standard role can be updated to remove access to the screen. See More About Updating an Existing Role.
- Remember that any changes to a role will update the access for ALL employees assigned to that same role.
- Standard roles cannot be edited; a new role must be created and modified.
- A new role can be created which has the required access and assigned to the user. See More About Creating New Roles.
New roles can be created by adding a role or by replicating an existing role that has most of the required attributes, and then modifying it to change the access.
- For more information on creating a new role, see Steps for Creating a New Role.
- A replicated role can also be replicated again, and modified to create another role with different attributes. For more information on replicated roles, see Steps for Replicating a Role.
Deny or Delete the employee role that gives them access to the screen:
If the role was assigned to the employee directly, it can be deleted or denied from the Roles screen.
Deleting the Role
- Search for the employee record and open the Roles screen.
- Check the box to the left of the role to select it.
- Click on the Delete Selected button in the Role Actions section in the left pane.
- The role is removed from the screen.
Denying the Role
- As an alternative to deleting the role, open its record by clicking on the folder.
- Set the Denied field to Yes and Save the record.
- The role is still visible in the employee's Role screen. A check mark is displayed in the Is Denied column to indicate the role is not active for this employee.
If the role was assigned to the employee via the Organization Unit screen, it must be added to the employee record and denied there.
- Search for the employee record and open the Roles screen.
- Click on the Add button to add a new role.
- Search for and select the same inherited role that should be denied.
- Set the Denied field to Yes.
- The role is displayed in the employee Role screen. A check mark is displayed in the Is Denied column to indicate the role is not active for this employee.
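Before denying a role, it helps to know which role grants the screen, where that role comes from, and what else the employee would lose. The following is an added example, not the product's own code or API: it models the behavior described above (a Denied entry on the employee record suppresses a role, including one inherited from the Organization Unit), and every role name, policy name, and function in it is hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample data: role and policy (screen) names are hypothetical.
ROLE_POLICIES = {
    "Supervisor": {"Time Card Screen", "Schedule Screen", "Payroll Export Screen"},
    "Timekeeper": {"Time Card Screen", "Schedule Screen"},
    "Employee Self Service": {"Time Card Screen"},
}

@dataclass
class Employee:
    name: str
    direct_roles: dict = field(default_factory=dict)   # role -> Denied flag (Roles screen)
    org_unit_roles: set = field(default_factory=set)   # inherited via Organization Unit

def active_roles(emp):
    """Map each active role to its source; a Denied entry suppresses the role from any source."""
    denied = {r for r, is_denied in emp.direct_roles.items() if is_denied}
    active = {r: "Organization Unit" for r in emp.org_unit_roles if r not in denied}
    active.update({r: "Roles screen" for r, d in emp.direct_roles.items() if not d})
    return active

def effective_policies(emp):
    """Union of the policies granted by every role still active for the employee."""
    return set().union(*(ROLE_POLICIES[r] for r in active_roles(emp)))

def roles_granting(emp, policy):
    """Which active roles grant this policy (screen), and where each role comes from."""
    return {r: src for r, src in active_roles(emp).items() if policy in ROLE_POLICIES[r]}

def deny_role(emp, role):
    """Add or update the role as Denied; return the policies the employee loses entirely."""
    before = effective_policies(emp)
    emp.direct_roles[role] = True
    return before - effective_policies(emp)

if __name__ == "__main__":
    emp = Employee("A. Sample",
                   direct_roles={"Employee Self Service": False},
                   org_unit_roles={"Supervisor"})
    print("Granted by:", roles_granting(emp, "Payroll Export Screen"))
    print("Lost after deny:", sorted(deny_role(emp, "Supervisor")))
    print("Still accessible:", sorted(effective_policies(emp)))
```

In this constructed case, denying the inherited Supervisor role also removes the Schedule Screen, which is the side effect the troubleshooting tips warn about when a single role grants multiple screens.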
Update an existing role to remove access to the screen:
- From the Configuration section>System card, open the Roles screen.
- Search for and open the role.
- In the Authorization Policy Hierarchy in the left pane, navigate to the parent level of the policy that needs to be modified. Click on the Remove button to remove the policy from the role. The button changes to Add.