Skip to main content

User Management: Roles and Permissions

Give employees access to only the features they need in the Fountain platform by utilizing roles and permissions

Updated this week

The Fountain platform contains a variety of features and a breadth of information about your workers. The User Roles & Permissions settings page gives you the ability to create and customize roles with varying levels of access to different features across the platform.

Benefits:

  • Create custom roles based on specific job functions and/or responsibilities within your organization, with granular control over feature access

  • Update access levels per role as your organizational needs evolve

  • Assign a custom role to all existing and new users on the platform

  • Improved security with ensuring that users only have access to the features & information that they need to see

Important Note:
Development to restrict access to features and information based on locations is currently still in progress.

Viewing and Setting up Roles

Definitions

A permission is tied to a specific feature, product (e.g. Onboard), or part of the platform, and can be enabled (access is granted) or disabled (access is restricted).

A role is a collection of permissions. When assigned to a user, the permissions enabled within the role determine which features they can access.

To view all available roles and set up new ones, along with viewing all available permissions, go to:

  1. Click your company logo in the bottom left side panel and then Settings in the menu.

  2. Click the User Roles & Permissions setting.

Standard roles

By default, Fountain has created three uneditable roles to help you get started:

  1. An Administrator role with access to everything, including the ability to create & edit roles

  2. A Standard Role with access to view & edit most things, but restricted access to editing/creating roles, and deleting things

  3. A Restricted Role with access to view most things, but is restricted to viewing them within the location designated on their user profile

To see which permissions are enabled for each role, click on the permission grouping header (i.e. Settings, Onboard, etc.) to view a list of permissions related to that area of the platform.

Enabled permissions will have a ✅, while disabled ones will have a ❌. Permissions for these default roles cannot be edited.

If a permission is disabled, then any users with that role will not see the option to complete that feature or task.

See the bottom of this article for a full list of available permissions, and the corresponding feature that each permission grants or restricts access to.

Custom roles

In order to create an additional role where permissions can be edited, click the + Add Role button in the top right. A pop-up will appear, asking you to input the following:

  1. Role title – Give the role a title (such as "Regional Manager").

  2. Restrictions – Add restrictions to the role. There are two restriction options:

    1. Location: User will only be able to access worker data associated with the Locations that the User is assigned to.

    2. Security groups: User is unable to access worker data associated with Security groups that the User is assigned to.

    3. Jobs: Typically used for Fountain's Shift product, this will restrict users' ability to view Worker Profiles based on the worker's job assignment. Contact your Fountain Customer Success contact or support@fountain.com to enable this option in your company's account.

  3. Data Groups – Assign to a Data Group.

  4. Based on – Choose to replicate an existing role and its associated permissions.

    1. If selected, you can choose to toggle on Synchronize permissions with parent role. This will update the replicated role anytime changes are made to the existing role that was it was replicated from.

Once a new role has been created, you can click directly on the green check mark and red X icons to enable/disable each permission. Custom roles will be listed after the default roles.

Important Note:

Some permissions, such as creating a new role, are read-only and cannot be enabled.

Once you've configured the role to your liking, click the Save button in the top right.

If you ever need to edit the title of a role, or delete it completely, then hover over the name of the role in the header of the table, and click Edit or Delete:

Managing Fountain Hire Access (Unified Auth Accounts)

For accounts using Unified Authentication, administrators can manage Fountain Hire access and permissions directly from the Worker Experience Roles and Permissions page.

Hire Product Section

The Roles and Permissions page includes a dedicated Hire section that displays all available Hire-related permissions.

Selecting the Default Role

You can choose which of the standard or custom-created roles is set as the default when inviting new users. Although this will be selected as the default, it can be changed by the user when creating the invitation.

Simply hover over the name of the role and click the edit icon. Then click set as default.

Assigning Roles to Users

When inviting new users, you'll choose their user role at the time of invitation.

You can view which role each user is assigned to, and update the assigned role if needed, by:

  1. Going back to Settings

  2. Clicking on the Users setting.

  3. Find the team member whose role you would like to update and click the dropdown in the Role column (note that you cannot edit your own role):

4. Select the role you want to assign to that user, and it will be automatically assigned (no saving needed!)

That's it! The next time this user signs in, the settings of the assigned role will take effect.

Enabling/Disabling Product Access

Administrators can control whether users have access to other Fountain products through role configuration:

  1. Navigate to Settings > Roles & Permissions

  2. Select the role you want to modify (or create a new role)

  3. Locate the product sections (e.g., Hire, Onboard, Compliance, Shift)

  4. Toggle permissions on or off for that product using Can access [Product] permission

  5. Click Save

All Available Permissions

The Roles & Permissions page in your account settings is the most reliable reference for the full, up-to-date list of available permissions.

Permissions are organized into categories and products, each of which can be expanded using the caret dropdown to reveal the full list of permissions for that category. Roles are displayed as columns, with a or X indicating whether each permission is enabled or disabled for that role.

To learn what a specific permission does, hover over the ? icon next to the permission name to view an inline description. These descriptions explain exactly what access the permission grants or restricts, so you can make informed decisions when configuring roles.

Permissions are organized into the following categories:

Settings

The Settings category covers platform-wide configuration permissions. This includes controlling who can manage core account infrastructure such as company information, locations, location groups, jobs, brands, security groups, user roles, and system integrations.

It also governs access to automations, webhooks, worker and company attributes, SSO, SCIM provisioning, data pipelines, and team management — including the ability to create, update, or remove users and adjust their access.

Workers

Worker permissions control what users can do with worker profiles across the platform. This includes creating, viewing, updating, and deleting profiles, as well as accessing sensitive information such as protected worker data, custom attributes, and pay rates.

Permissions in this category also govern the ability to send messages directly to workers, impersonate workers, and view workers outside of a user's normal location access.

Segments

Segment permissions govern access to worker segments — saved filters used to group workers based on shared criteria. These permissions control who can create, view, update, and delete segments within the platform.

Scheduler

Scheduler permissions control access to calendar and scheduling functionality, including the ability to configure calendar integrations, manage calendar groups and availability, and view or update appointments.

This category also includes access to the I-9 Center calendar used for scheduling verification appointments.

Message Inbox

Message Inbox permissions control who can view and respond to inbound worker messages within the platform's shared inbox.

Platform

Platform permissions govern cross-product and administrative capabilities that span the broader Fountain ecosystem. This includes managing API keys, Hire integrations and webhooks, referrals, pool access, and analytics. It also controls access to Hire PAPI functionality, Source, and the ability to view product feature access for specific users.

Hire

Hire permissions cover the full range of functionality within Fountain Hire. This includes access to applicant management, openings, workflows, sourcing tools, messaging, secure data, and scheduling. Account-level permissions in this category govern integrations, message templates, custom fields, scorecards, and exports. Use these permissions to define exactly which hiring actions each role can perform within the Hire product.

Hire Go

Hire Go permissions control access to the Hire Go interface, which is designed for hiring managers. Permissions in this category govern who can access Hire Go and manage users within it.

Onboard

Onboard permissions determine what users can do within the onboarding product. This includes managing onboarding flows and tasks, document signing templates, and worker progress through assigned tasks. Permissions also cover partner task management and access to Yardstik background check packages.

Compliance

Compliance permissions govern access to the document compliance features of the platform. This includes managing and viewing compliance document types, templates, submissions, requirements, and worker compliance profiles. Use these permissions to control which roles can administer compliance programs and which can only view compliance status.

Pool

Pool permissions control access to talent pool management functionality. This covers audiences, campaigns, data sources, eligibility rules, match score weights, messaging rules, and talent profiles. Permissions in this category also govern access to Pool settings and the ability to manage jobs and Hire openings within Pool.

Referral

Referral permissions govern who can manage your organization's referral program. This includes creating and updating referral campaigns, incentives, applications, and metrics, as well as managing recurring reports and program settings.

I-9 Center

I-9 Center permissions control access to employment eligibility verification functionality. This includes managing I-9 and W-4 forms, initiating and viewing checks, accessing E-Verify profiles, managing global I-9 settings, and viewing related analytics and reports. Use these permissions to ensure that only authorized users can view or manage sensitive employment verification documents.

Shift

Shift permissions cover the full range of workforce scheduling and time tracking functionality. This includes managing shifts, timesheets, time-off requests, worker availability, attendance policies, and shift rules. Additional permissions govern access to settings such as geofencing, punch rules, holiday rules, automatic break configurations, kiosk mode, and custom reports within Shift.

Did this answer your question?