Your organization can now control who sees what information on employee profiles through our new roles and permissions system. This gives you the flexibility to keep sensitive information secure while maintaining transparency where it matters most.
What are Roles and Permissions?
A role is a group of users that are granted specific permissions. A user may belong to multiple roles. To assign users to a role, you may either add them explicitly one by one, or you can utilize the power of Sift's search and use a Dynamic Filter to define membership. For example, you could have a "Human Resources" role that would be defined by a query of department="Human Resources". Then, any time someone is added to or removed from this department, they will be added to or removed from the role accordingly.
A permission grants access to perform a specific action. The permission also includes a scope, which can limit which resources the permission applies to. For example, you could grant your "Human Resources" role access to View Restricted Attributes for only users in the "Detroit" location. As with role members, scope can be defined by adding people one by one, or by using a dynamic filter.
Permission Types
We currently support three different permission types that may be assigned to each role:
View Person - Users with this permission can view employee profiles/org chart cards for all people in the permission scope.
Edit Profile - Users with this permission can edit all of the profiles in the permission scope.
View Restricted Attributes - Users with this permission can view restricted attributes for each person in the permission scope.
Default Roles and Permissions
Sift comes with 3 pre-created roles that give your organization a baseline experience that will work for many use cases. You may not need to change these roles, or add any new roles, if the defaults are all your organization needs.
The All Users role includes every user in your organization. This role gives each user permission to view and edit their own profile page. You may not update this role or its permissions.
The Manager role includes every user who has any direct reports according to the org chart. You may not change the members of this role, but you can change the permissions this role grants. This role grants all managers permission to:
View restricted attributes for their direct and indirect reports.
Edit the profile of all of their direct and indirect reports.
The Person Viewer role includes every user in your organization. This role gives every user permission to view every other person in the Directory and Org Chart. You may change the members of this role, and can also change the permissions this role grants. You may want to change this role, for example, if you want to limit the scope of people that your users can view.
Creating and Managing Roles
If you'd like to assign roles beyond the default roles, you can create a custom role by clicking the "Create Role" button on the "Roles/Permissions" page. You can then assign the role members, then assign different permissions and define their scope.
Relative Filters for Permission Scope
One powerful feature of assigning permission scope is that you can use Relative Filters. As explained above, the permission scope defines which people the permission applies to for the role's members. Using relative filters, you can define the scope as something relative to the person performing the action.
For example, say that you wanted to grant every user access to view restricted attributes for people on their "Team". You would:
Create a new role
Assign "Everyone" (all users) as the members of the role
Add the "View Restricted Attributes" permission
For the permission scope, use a relative filter of "Same Attribute -> Team"
Now, when any user goes to use Sift, restricted attribute values will only be visible for people who share the same "Team" attribute value as them. For example, if I'm on a team called "Technology Rockstars", I'd be able to view restricted attributes for any person that also has that "Team".
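The role, scope and relative-filter rules described above can be modeled to audit who ends up able to see a given person's restricted attributes before you roll out a configuration. This is an added example, not Sift's code or API: the class and function names and the sample directory are constructed, and treating an empty "Team" value as matching nobody is an assumption of this model, not behavior stated on this page.

```python
# Added example: hypothetical model of role + scoped-permission evaluation (not Sift's API).
from dataclasses import dataclass
from typing import Callable
VIEW_RESTRICTED = "View Restricted Attributes"

@dataclass
class Permission:
    action: str
    scope: Callable[[dict, dict], bool]  # scope(actor, target) -> in scope?

@dataclass
class Role:
    name: str
    is_member: Callable[[dict], bool]    # dynamic filter over a person
    permissions: list

def same_attribute(attr):
    """Relative filter: target shares the actor's value for attr.
    Assumption: an empty value never matches, so unset Teams form no group."""
    def scope(actor, target):
        value = actor.get(attr)
        return bool(value) and target.get(attr) == value
    return scope

def allowed(roles, actor, action, target):
    """Allowed if any role the actor belongs to grants the action in scope."""
    return any(p.action == action and p.scope(actor, target)
               for r in roles if r.is_member(actor) for p in r.permissions)

def audience(roles, people, action, target):
    """Audit helper: names of everyone who can perform action on target."""
    return sorted(a["name"] for a in people if allowed(roles, a, action, target))

PEOPLE = [  # constructed sample directory
    {"name": "Ana", "department": "Engineering", "team": "Technology Rockstars", "location": "Detroit"},
    {"name": "Ben", "department": "Engineering", "team": "Technology Rockstars", "location": "Chicago"},
    {"name": "Cy", "department": "Human Resources", "team": "People Ops", "location": "Chicago"},
    {"name": "Dee", "department": "Sales", "team": None, "location": "Detroit"},
    {"name": "Eli", "department": "Sales", "team": None, "location": "Chicago"},
]
ROLES = [
    Role("Team Peers", lambda p: True, [Permission(VIEW_RESTRICTED, same_attribute("team"))]),
    Role("Human Resources", lambda p: p["department"] == "Human Resources",
         [Permission(VIEW_RESTRICTED, lambda a, t: t["location"] == "Detroit")]),
]

if __name__ == "__main__":
    for person in PEOPLE:
        print(person["name"], "<-", audience(ROLES, PEOPLE, VIEW_RESTRICTED, person))
```

Because a user may belong to multiple roles, the audience for one person is the union of every role's scope: here Ana is visible to her teammates and, through the Detroit-scoped role, to Human Resources.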
Getting Started
The roles and permissions feature puts you in complete control of your organization's profile visibility. Start by thinking about what information different groups of people need access to, then build your roles around those needs. Remember, you can always adjust and refine as you go!