Admin Roles and Permissions

The Admin privileges set-up at Small Improvements is very simple, there are merely 3 roles a user can have. We break certain abilities out for your convenience, and the specifics of which roles do what and how they overlap, is important to understand. Below is a quick primer on roles and permissions for Admins in your account. 

Article Quick Links

Overview

There are 3 possible roles any user can have, and these roles determine what administrative permission their users have access to:

  • Technical Administrator 
  • HR Administrator 
  • HR Assistant 

In short the Technical Admin role is used to configure the SI integrations, security settings, and use the user import tool. The HR admin roles are more for managing people and feedback within the platform. And the HR Assistant role is like HR Admin "lite" - able to help out with some administrative functions, but with no access to confidential information.

A user may have more than one role, and in that case the permissions simply add up. The original system evaluator starts out with both HR Admin and Technical Admin permissions - what we refer to as the account " Super User". 

Quick tip: Having the HR Admin  and the HR Assistant roles is redundant. An HR Admin can do everything and HR Assistant can do, plus more. 

HR Admin

This role is very powerful. It can be used to set up and manage review processes, to change the reporting structure, and it can be used to access confidential data like performance review content of almost every person in the company.

The key restriction is that even an HR Admin can't access confidential data of a person above them in their reporting hierarchy.

You should try to limit the HR Admin role to 2 or 3 people in a small company of up 100 staff, and maybe 5-6 in a company of 500 to 800 staff. There's no exact rule to determine the number. But the more people, the more to manage, so these considerations are important depending on your company's size 

One thing to consider: We recommend limiting the number of HR Admins and especially "Super Users" (HR + Tech Admin) as it is easier to identify who made  major changes. If you just need cycle help, consider the HR Assistant role, detailed in the next section. 

HR Assistant

While keeping the HR Admin role to only a handful people, the HR Assistant role can be assigned a bit more liberally. HR Assistants can create and edit review/360 cycles, add reviewees to them, see the status of reviews, and send reminders to those who are running late. So they can be in charge of the majority of the process, but they are not able to access any confidential data. (Note that editing 360 cycles includes the ability to change visibility of feedback in that cycle, so the HR Assistant role is still quite influential. I.e. don't assign it too liberally either.)

Important to remember that the HR Assistant cannot delete any review or objectives cycles, even if they created them. Since they cannot view what data may have been recorded by users, only HR Admins can undertake this action. The role does not initially give permission to change the reporting structure, to change email addresses, or to reset user's passwords. However, if you are looking for an Assistant to have this ability but still be blocked from accessing confidential review/360 content- There is a workaround: If you navigate the user settings in your admin overview, you can select the "Allow HR Assistant to pick a person's manager" option.  

Technical Admin

The Technical Admins is usually assigned to someone with a technical background. This person is comfortable setting up integrations with other products, or editing the company settings. This person will be able to help with many tasks in user management and overall configuration of the system, but a technical admin will not have access to confidential data. For this reason, the tech admin role (like the HR Assistant) cannot perform certain actions like setting passwords or changing the reporting structure.

While a Tech Admin can't abuse their powers as easily (no access to confidential data by default), there's still a risk of accidental misconfiguration of settings, for instance locking out the entire company by applying incorrect IP range restrictions or the like. Don't assign the Tech Admin role to too many people. Don't assign it to one person only either, since you wouldn't have anyone to help when that person goes on vacation or leaves the company.

Please note: A user (HR Admin or otherwise) must have Tech Admin privileges in order to use our "Import Users" tool. Usually the "Super User" is in charge of the import. 

Role Management

Combining roles

Any user may have a combination of roles, and by default the creator of the SI account has the HR Admin and the Technical Admin role. As mentioned above, the HR Assistant role is like a restricted HR Admin role, so there is no point to assign both to the same person- The HR Admin role is sufficient.

Assigning roles

HR Admins can appoint further HR Admins, and they can appoint HR Assistants. Technical Admins can only be appointed by users who are both HR Admin and Tech Admin already. So Assistants can't appoint further Assistants, and someone who is only a Tech Admin can't appoint further Tech Admins. A person may hold both the HR Admin and the Technical Admin role, and thus such a user can assign any role to anyone.

Roles can be revoked as well, but at any point in time there needs to be at least one "Super User" (HR Admin + Technical Admin) in the system. You can't revoke the last person's roles, nor can you lock that person. In the event that all Admins have left the company, please contact SI support.

Most of the time you'll be updating roles by navigating to your Company Directory and clicking on the downward facing arrow to the right of a user's name. That action menu contains many user actions an Admin can take, here is a quick animation of what it looks like:

Inaccessible features

In most cases we simply hide features that a specific role doesn't have access to. If you can't change someone's password, then the dropdown menu on the user-management screen will simply lack an entry that says "change password". We feel that less is more, at least on commonly used screens.

However, there is a major exception, and that's the administration overview screen. On that screen we always present all buttons, and the ones you can't access are greyed out. We do this to highlight that more options exist, even if you can't access them yet. We frequently encounter administrators who are unaware that SI is a very configurable system, since they simply didn't know about the options they were missing out on. We feel that the admin overview is one of those places where showing the limitations of your current role (if any) makes sense.

Permissions Cheat Sheet

Here's an overview of what permission is granted to each of the 3 roles.

User Management HR Admin HR Assistant Tech Admin
Invite users √ (csv import)
Import users    
Send password reset instructions
Deactivate/reactivate users  
Delete users    
Change passwords    
Change reporting structure (√ )  
Performance reviews HR Admin HR Assistant Tech Admin
Create and edit review cycles  
Track progress, send reminders  
Create reviews  
Delete reviews (√ )  
Delete review cycles    
Access review content    
Export review statistics to Excel  
360 degree reviews HR Admin HR Assistant Tech Admin
Create and edit review cycles  
Track progress, send reminders  
Create reviews  
Delete reviews (√ )  
Delete review cycles    
Access review content    
Export reviews to PDF    
Export review statistics to Excel  
Objectives HR Admin HR Assistant Tech Admin
Create and edit objective cycles  
Nudge objective owners and managers into action  
View objectives only shared with the manager    
Messages & Continuous Feedback HR Admin HR Assistant Tech Admin
Manage Platforms & Message defaults  
Configure Badges  
Edit and delete messages  
Unveil anonymous writer  
General administration HR Admin HR Assistant Tech Admin
Change feature selection    
License details  
Email template setup  
Design Editor  
Audit log access  
Date & Time settings    
Security settings    
Integrations     
Email bounce management    
Download XML    
User impersonation (only if also tech admin)    

Always keep in mind that a person may have two roles, then the permissions simply add up. So if you feel that the Tech Admin role alone isn't powerful enough, and envision your VP of Operations doing more than just setting up the integration, feel free to assign her also the HR Assistant or even HR Admin role.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us