Overview of the Security Module
In the HRPlus Security Module comprehensive features are available to allow/restrict user access to specific HRplus modules, modes of operation (e.g. update, inquiry), levels with the Company (e.g. Company, Division, Department), Pay Groups, position views and report processing options.
The application supports two (2) levels of security:
1. Front end security which controls access to all menu items and, therefore, all access to windows and reports, and
2. Back end security which, through ANSI SQL compliance, supports control of all Select, Insert, Update and Delete permissions on all columns, tables and views of the database. This security is further enhanced by access being restricted through stored procedures and database triggers. Full transaction processing is implemented on all multi-table updates and referential integrity is enforced throughout the system.
Cascading updates and deletes are implemented for easy management of linked tables. It is possible to cascade employee, department, and other Id changes through the application. All inserts, updates, and deletes to the database are done via stored procedures and triggers for blazing speed and superior security controls, and are designed for use in a true open systems environment. The database is encrypted and online or off-line Incremental or full Back-up and Restore facilities are available.
Access to HRplus is restricted by means of password control. Each user is required to log on to the system via a user Id and a password. The application then tracks the user via the user Id. All permissions to all areas of the application both on the front end and the back end are based on the user Id. For easy administration of many users, the application uses the concept of user groups whereby a person being made a member of a user group is granted all the permissions of that group. Database Administrators can define the configuration of passwords, track user logon times and set restrictions on user logon access to the database.
Due to the complex nature of the HRplus Security Module, it is strongly advised that a detailed plan be constructed before security implementation in the application is undertaken. An examination of the Security module prior to security implementation will assist in the construction of the security plan and ensure its effectiveness.
The Database Administrator should enlist the assistance of those individuals e.g. HR Manager, Payroll Manager who may be more familiar with the structure and security requirements of the HR and Payroll divisions of the organization.
The Security Module contains sub-menu options or functions within which we can work. They are:
A Guide to using the Security Module
A Brief description of the menu options are given below:
Steps |
Description |
Step 1 |
Security Settings: |
|
Security>>Security Settings>>Password Configuration Security>>Security Settings>>Oauth Settings |
|
Password Configuration |
This option allows you to configure the security settings including Password Configuration. |
|
Oauth Settings |
This option allows you to configure Oauth settings for secure authentication (Single Sign On (SSO)). |
Step 2 |
New User: |
|
Security>>New User>>Create Single User Security>>New User>>Create Batch Users |
|
Create Single User |
This screen allows the client to add a new individual user. |
|
Create Batch User |
This screen allows the client the client to add multiple users at once |
Step 3 |
User Administration: |
|
Security>>User Administration |
|
User Administration |
This screen allows you to manage user accounts and permissions. |
Step 4 |
Module Audit: |
|
Security>>Module Audit |
|
Module Audit |
This feature allows the user to track and audit module usage and changes. |
Step 5 |
Login Activities: |
|
Security>>Login Activities |
|
Login Activities |
This option allows you to view the login and logout activity of the end users including their IP address. |
A
Access Control: Measures that ensure only authorized users can access certain resources.
Authentication: The process of verifying the identity of a user or system.
Authorization: The process of determining what resources a user is permitted to access.
B
Batch User: An employee user account created in bulk with other employee users, processed in one transaction using the batch user feature.
C
Cipher: An algorithm for performing encryption or decryption.
Changing Passwords: The process of updating a user’s password to maintain security.
Core User: A primary user who has extensive access and responsibilities within the system, particularly to the HRplus core modules such as Personnel, Payroll, Benefits, etc. D
Data Encryption: The process of converting plain text into a coded format to prevent unauthorized access.
E
Encryption Key: A piece of information, in a form of a string of characters, used by an encryption algorithm to transform plain text into ciphertext or vice versa.
F
Firewall: A network security system that monitors and controls incoming and outgoing network traffic.
G
Global ID: A unique identifier assigned to a user that can be used across multiple systems.
Grant/Revoke Company Access: The process of allowing or denying a user the ability to access company resources. L
Login Activity: The tracking and monitoring of user login attempts and sessions.
M
Mail Server: A server that handles and delivers email over a network.
Mail Server IP Address: The specific IP address assigned to a mail server for communication purposes.
Malware: Malicious software designed to harm, exploit, or otherwise compromise a computer system.
Make Duplicate User IDs Unique: The process of ensuring each user ID within a system is distinct to prevent conflicts and ensure proper identification.
Module Audit: The process of reviewing and ensuring that a security module is functioning correctly and securely.
Multi-Factor Authentication (MFA): A security system that requires more than one method of authentication from independent categories of credentials.
N
New User: An individual who has recently been granted access to a system and has a newly created account.
P
Pay Group Access: Permissions granted to a user to access specific payroll groups within HRplus.
R
Restrict Position Access: Limiting a user's ability to view or interact with sensitive data, based on their job role or position within the organization.
Random Password: A system-generated password with a random sequence of characters, sent to batch users via email to ensure unique and secure initial access.
Reset Password: The process of changing a user’s password, typically when it is forgotten or compromised.
Restrict User Reports: The process of limiting a user’s ability to access certain reports within a specific HRplus module.
S
Self Service User: A user with permissions to manage their own information, such as viewing payslips, personal details, and password resets.
Single Sign-On (SSO): An authentication process that allows a user to access multiple applications with one set of login credentials.
Static Password: A password that is entered by the system administrator when creating batch users. The password is the same for all users, and two-factor authentication must be enabled when this option is being used.
T
Two-Factor Authentication (2FA): A method of confirming a user's claimed identity by utilizing a combination of two different factors: something they know, something they have, or something they are.
U
Unlink Employee Profile: The process of disconnecting an employee’s profile from a user account.
User Database: A central repository of user information, including personal details, job history, and access permissions.
User Group: A collection of users with similar access rights and permissions to the same module or module features within HRplus.
User ID: A unique identifier assigned to a user for accessing a system.
User ID Protocol: The guidelines and rules for creating and managing user IDs within a system.
User Signature: A digital representation of a user's signature used for authentication and authorization.
V
Virtual Private Network (VPN): A service that encrypts your internet traffic and protects your online identity by hiding your IP address.
Vulnerability: A weakness in a system or its design that could be exploited by a threat to gain unauthorized access to or perform unauthorized actions on a computer system.
Security Module Updates: What's New?
This article provides a summary of recent updates to the HRplus Security module, focusing on key enhancements. These updates include new features, fixes and improvements designed to improve both user experience and the effectiveness of the module.
September 13th – November 1st, 2024
1. Password Length: New feature Password Length. Read more here: HRplus Learn.
June 26th – July 12th, 2024
1. User Administration Enhancements: Improvements to user management for easier administration of security roles. Read more here: HRplus Learn.
June 17th – June 26th, 2024
1. Additional User Administration Features: Expanded controls for managing users, including new tools for security administrators. Read more here: HRplus Learn.
April 8th – May 4th, 2024
1. Change Default Settings: Added configuration options allowing customization of default security settings for user roles. Read more here: HRplus Learn.
February 6th – March 1st, 2024
1. Account End Date: A new feature allowing administrators to specify account expiration dates to enhance security compliance. Read more here: HRplus Learn.
January 3rd – February 6th, 2024
1. Batch User Creation: Streamlined the process of creating multiple users at once, reducing the time required for large-scale onboarding. Read more here: HRplus Learn.
November 4th – December 12th, 2023
1. Batch User Creation Enhancements: Expanded on batch user functionality for smoother management of user accounts. Read more here: HRplus Learn.
October 8th – November 4th, 2023
1. Password Expiry Notifications: Introduced in-app pop-up reminders for password expirations to ensure timely updates by users. Read more here: HRplus Learn.
September 1st – October 8th, 2023
1. Forgot Password and User Management: Enhanced password recovery tools and made user administration more intuitive for security managers. Read more here: HRplus Learn.
August 15th – September 1st, 2023
1. User Groups and IDs: Improved organization of user groups and the management of user IDs, allowing more precise access control. Read more here: HRplus Learn.
July 27th – August 15th, 2023
1. Time Zone Settings: Added time zone configuration to synchronize system events across different regions. Read more here: HRplus Learn.
June 2nd – July 3rd, 2023
1. Single Sign-On (SSO): Enhanced support for Single Sign-On, improving cross-platform access with a unified login. Read more here: HRplus Learn.
April 17th – May 5th, 2023
1. Password Configuration Updates: Added new options for customizing password security policies, improving overall security control. Read more here: HRplus Learn.
February 28th – April 2nd, 2023
1. User Groups and Access Settings: Refined tools for managing access rights, improving control over company and departmental permissions. Read more here: HRplus Learn.
January 9th – February 28th, 2023
1. Single Sign-On Integration: Introduced SSO, allowing users to access multiple systems securely with one login. Read more here: HRplus Learn.
How to set up Password Configurations
|
Security>>Security Settings>>Password Configuration |
Access to HRplus is restricted through password control. Each user logs in with a user ID and password, which the application tracks. The strength and complexity of passwords are user-defined and affect the security level required for accessing HRplus.
Password Configuration Management: Setup, view, edit, and delete password configurations. This is the responsibility of the Database Administrator or Master User, who should:
• Plan and align security measures with company policies and goals.
• Implement policies to ensure all passwords are kept private.
Best Practices for Password Security:
• Passwords should never be written down or shared.
• Use random, non-common information (avoid using names, dates of birth, etc.).
• Passwords should ideally contain at least one special character, one capital letter, one number, and be at least 8 characters long.
Capital letter required: Select Yes if the password is required to contain a minimum of 1 upper case letter (A-Z). Otherwise, select No. Change Default Password: Select Yes if the user is required to change their default password. Common Letter required: Select Yes if the password is required to contain a minimum of 1 lower case letter (a-z). Otherwise, select No. Number required: Select Yes if the password is required to contain a minimum of 1 numeric character (0-9). Otherwise, select No. Password Expiry Date: ▪ If ‘Yes’ is selected, enter the number of days after which the Password will expire in the value field.
▪ If ‘No’ is selected, then the password will not expire i.e. it can be used as long as an employee remains a valid user. Password Expiry In-App Popup Notifications: Select Yes if a pop-up message is required to prompt the user, on logon, to change his/her password. The message is displayed based on the number of days in the Value field. Password Expiry Reminder: |
▪ If ‘Yes’ is selected, enter the number of days in advance you wish the reminder to be sent to HRplus users in the value field. The reminder will be sent to the users’ email address. ▪ If ‘Yes’ is selected and no value is entered then, by default, the reminder will be sent via email 5 days before the password expiry date. ▪ If ‘No’ is selected, then no reminder will be sent to users. On the password expiry date, users will be prompted to enter a new password. Password Length: Select Yes if the password must be by default 8 characters in length, but can be much longer. Otherwise, select No. Password Reuse: ▪ If ‘Yes’ is selected, then users will not be able to reuse (re-enter) old (passwords that have been used before) or existing passwords. ▪ If ‘No’ is selected, then a user’s previous and current passwords can be reused any number of times. Special Character Required: Select Yes if the user is required to contain a minimum of 1 special character. E.g. ~`!@#$%^&*()-_+={}[]|\;:"<>,./?. Otherwise, select No. Two Step Verification: ▪ If ‘Yes’ is selected then: ▪ Enter the number of minutes after which the Two factor Token will expire, if the user does not login within this time. ▪ In addition to entering a password on the login screen, users will also be sent, via email, a PIN which is also to be entered . In the example below, 10 minutes is entered. The first time a user logs in with their username and password, they will be prompted to enter the PIN sent via email. ▪ If the user does not enter this pin within 10 minutes from when it was sent, then a new pin will be required. ▪ If the user logs in successfully and then logs out, if they decide to log back in within the 10 minute period after the pin was sent, then they will not be asked to enter a new pin. ▪ If the user logs in successfully and then logs out, if they decide to log back in after the 10 minute period, then a new pin will be sent to their email address. Once you have entered your chosen configuration options, click on the Submit button to save. The HRplus app will be updated to always reflect the options that have been enabled (those for which Yes is selected). |
Two-Step Verification
What is Two-Step Verification?
Two Step Verification (2SV) works by adding an additional layer of security to your HRplus Software accounts. It requires an additional login credential – beyond just the username and password – to gain account access. 2SV helps protect you by making it more difficult for someone else to sign in to your account. Even if someone else finds your password, they'll be stopped if they don't have access to your email info. This is also why it's important to use different passwords for all your accounts. Cons vs. Pros Cons: Increased login time – Users must go through an extra step to login into an application, adding time to the login process. Pros: Improved security – 2SV reinforces security by making it more difficult for intruders to gain unauthorized access, even if a perpetrator gets past the first authentication step. Increased productivity & flexibility – enables businesses and public institutions to be more productive and efficient, allowing employees to perform remote tasks with far less security concerns. |
Recommendations: 1. Email used should be company emails. 2. Set up a short expiry time for token to ensure that the token is required at every login. 3. Individual email addresses should be used instead of group email addresses. This is to ensure that only the specific user will receive the secret key. |
How to Setup 2SV in HRplus?
Two Step Verification can be turned on via Security>>Password Config however, there are a few prerequisites which must be conducted prior to turning on 2SV.
Step 1: Ensure email server is setup
Step 2: Users are required to have an email address associated with their User ID
Step 3: Toggle 2SV On
|
Navigation: System Configurations>>Company Parameters>> System Constants>>Mail Server |
The following connection details can be used to configure the email server.
If you have your own mail server information complete the form below and save the record with the saved icon.
If you are required to use our mail server settings, please contact us at helpdesk@hrplus.net.
After the configuration is complete, it is important to test that the users can receive emails. Enter an email address in the section "Test Email Address" and select the option "Send Test Email". You will get a prompt indicating that an email was successfully sent. Check your inbox to confirm that the test email was received. |
|
Navigation: Security>>User Administration>>Search for User ID |
|
Ensure that all employees have a valid email address. |
The user Email address is extremely important as turning 2SV on will prompt a PIN to be sent to the user’s email address. Failing to include the user’s email address will lock the user out of the
application as there will be no way for the user to receive the PIN.
|
Navigation: Security>>Password Config>>Two Factor Authentication |
The System Admin is the only user with access to the
Security Module and they are responsible for turning 2SV on. To do so, the
‘yes’ toggle must be selected, then submit the form to save the changes. The
value can also be changed to the number of minutes a user will be able to log
back into the application without requiring a PIN.
You can turn off this option by simply selecting the option "No" in the configuration
|
For additional information on how to log in using this feature, please consult the article How to Login Using 2 Factor Authentication? |
How to enable/disable password expiry notifications?
|
Security>>Security Setting>>Password Config>>Password Expiry In-App Popup Notification/ Password Expiry Reminder |
The following two (2)
features allows user's to enable/disable password expiry notifications:
1. Password Expiry In-App Popup Notifications (Days in Advance): once enabled, this feature triggers a pop-up message that prompts the user, on logon, to change his/her password. The message is displayed based on the number of days in the Value field.
2. Password Expiry Reminder: when enabled, reminders (up to 3) are sent to alert users of impending password expiry. The reminders are sent, in advance, based on the number of days in the Value field. Up to three (3) reminders can be set up, with the values (days in advance) entered in the Second Reminder and Third Reminder fields.
Value: Number of days in advance for, password reset notification prompt.
Second Reminder: Number of days in advance for, second password
reset notification prompt.
Enabled: Select "Yes" if the Password Expiry feature is to be used . Select "No" if this feature is not being used.
|
Home |
|
Home>>Notifications |
|
User Email Account>>Password Expiration Notification |
|
Security>>New User |
A User ID and password allows the end user to log into the HRplus Application. This permission must be created for new employees or anyone who is required to use the HRplus application. Note that when the new user logs in for the first time, they are prompted to change their password.
This process requires three primary steps:
Step 1 - Create A New User
Step 2 - Granting of Permissions
Step 3 - Granting Company and Pay Group Access
Creating a new User ID in the application is a two-part process. To begin, enter the following: 1. Enter a User ID - User IDs are the identification by which the application recognizes each employee who is required to log into the application and must be unique for each employee. The IDs can be mapped based on the employee's name, can be alphanumeric and contain a special character such as an apostrophe (’). 2. Enter an Email Address - Enter a valid email address for the user account. This email address would be used to facilitate the password reset feature and any other communication within the app to the user's email. 3. Password - Enter a generic or specific password for the user account. The password entered should meet the password requirements as set up in the password configuration screen. 4. Select a Language - Please select English. 5. Timezone (Optional) - Select the employee's timezone. 6. Observe daylight savings? - Enable or Disable daylight savings which is from second Sunday in March to first Sunday in November. 7. Finally, link the user to his/her employee profile. If the employee’s name is not visible, please ensure that the employee’s personnel information has been entered into the application. 8. Use employee position to determine Timezone? - Select "Yes" if the employee's position is used to determine the timezone. Select "No" if this option is not being used. |
The application will not allow you to create a User ID that already exists OR to link a new User ID to an employee who is already linked to another User ID. Hovering your mouse over the icon allows you to view the message. |
1. Select the permissions needed by the user 2. Click the Submit button to save or the Reset button to reset the form (clear changes) If you wish to return to the 1st step, click on the Previous button. N.B. When a new user is created and the user logs in, they get a prompt to change the default password. Note that in this example, the user is given the permissions to access the following modules: 1. HRplus Time Module 2. Employee Self Service (ESS) |
3. Manager Self Service (MSS) 4. Timekeeper Self Service (TKSS). 5. Single Instance is given so that the employee can access Reports within the HRplus Time module. For a more detailed explanation of these permissions, click on the link below: |
1. Enter the User ID in the Search bar (or use the alpha-search) and click on the Search button.
2. Click on the Plus sign to the left to expand the record.
3. Unique database ID: This is the Database ID that is generated by the application once an employee is created within the Personnel or POWER Pay modules of HRplus. It is linked to the employee’s name and will auto-populate once the name is chosen.
4. Account End Date: This field can be used in the case of an employee to whom you wish to grant temporary access to modules within HRplus. Once the date has passed, the employee will no longer be able to login to the application. For long-term users, you can leave this field blank.
Upon expanding the record, there is a listing of tabs
within which we can enable more features. The
user must be given company and paygroup access (if applicable) in order to
be able to log in successfully without seeing any error messages.
All tabs are listed below. Click on any of them for the user guide showing how to use the feature:
5. Changing Passwords
9. Time Zone
How to create Batch Users
|
Security>>New User>>Create Batch Users |
This feature allows you to Create users/employees in batches for the Self Service modules (i.e. access to the Manager, Employee, Timekeeper Self Service Modules, etc.). This is useful if you wish to create users for a whole department or for a group of employees with the same User Group and Database permissions.
User IDs are created by the system based on a configuration of employees’ first and last names. Batch users will use the same password as specified here for first time login to the HRplus application.
Steps to set up Batch Users are as follows:
STEP 1 : Creating User ID and Password Setup
STEP 2 : Select Application Permission
STEP 3 : Select Users to create based on Department and Employee name
STEP 4 : Employees receive User Credentials via email
Random Password: Select Yes or No if you wish to use a random password for the batch users being created. • If 'Yes' is selected, then Static Password can be left blank. When the batch users are created, a random password will be generated by the HRplus application and this will be sent to the employee's email for them to be able to login to HRplus. • If No is selected, then you must enter a static password which would allow all users to log in using the same password. Static Password: If you selected ''No'' for the Random Password option, then you must enter a (user-generated) static password here. e.g. P@ssword123. The password entered must meet the criteria setup in Security Settings >> Password Configurations for the users to be able to log into HRplus successfully. This can be later changed by the user Via the Change Password icon (accessible to all HRplus Users). If this option is being used then it is strongly recommended that the Two Factor Authentication be enabled to ensure that there is a second layer of security to access user accounts. |
Language: Select one of the language options available. All users created in this batch will view HRplus in the selected language. Set user email using: The email address entered here determines the address to which work-related messages are sent to employees. • Primary Email: employee's main email address. • Work Email: employee's work email address. Use employee position to determine Timezone?: Select "Yes" if the employee's position is used to determine the timezone. Select "No" if this option is not being used. Observe daylight savings?: Enable or Disable daylight savings which is from second Sunday in March to first Sunday in November. Use Email as User ID: Select "Yes" if the user's email address is to be used as their user ID to log into HRPlus. Select "No" if this option is not being used. Use Global ID as User ID: Select "Yes" if the user's Global ID is to be used as their user ID to log into HRPlus. Select "No" if this option is not being used. Derive IDs Using: User names can be derived from First Name, Last Name or First and Last Name. You may choose to generate user names using the first 3, 4, 5, 10 etc. characters of the employee’s First Name, Last Name or First and Last Name. If you choose the First and Last Name option, specify the number of characters from the First Name and also Last Name. Action for same User Ids: In using the name combinations, some users may have the same user ID. To avoid this, select one of the action options below: • Make unique: the system will add numeric character/s to the User Id so that there will be no duplicates. The system will create as many unique User Ids as possible e.g. if you choose 10 characters and the system has to create 105 user accounts with, say, the name‘Kevin’ the system will only be able to create 99 unique user names (Kevin01, Kevin02, Kevin03...Kevin09). • Do not create - the system will not create users with the same name. |
Application Permissions - Check the required option based on the employees or group of employees Self Serve Employee – An employee is allowed to update his/her profile, view his/her payslip, request leave view balances etc… |
Self Serve Leave – An employee would be allowed to view how much leave they have and to request leave .
Payroll – Persons that are running payroll will get this access
Self Serve Payslip – An employee would be able to view and print his/her payslip
Self Serve TimeKeeper – is responsible for scheduling shifts, keeping all attendance logs up to date, and ensuring time sheets are current.
Self Serve Manager – is responsible for all approval requests that are submitted to them Then select Next.
There are two (2) ways to select employees: 1. By Department Click the department/s and the system will display the departments’ employees. Select the employee/ s. User IDs will be created for all selected employees (for whom accounts do not already exist) in the selected department/s. 2. By Employee |
• Select the employee/s. User IDs will be created for all selected employees (for whom accounts do not already exist). • Click on the Submit button to generate the User IDs. |
The user will receive an email in his/her inbox.
How to Unlink an employee profile from a User ID/ Account?
|
Security>>User Administration |
To unlink an employee from an existing user ID due to reasons such as an incorrect user ID, follow these steps:
1. Search for the employee by User ID, Badge Number, Last Name, or First Name, and click "Search."
2. Select the appropriate employee record from the search results.
3. Click the "Unlink Employee" button.
After selecting the search button, the employee profile will appear on your screen.
Account End Date: Click on the Calendar tab under Account End Date and enter the employee last working day and select Submit. This will prevent the employee from having access to his user account when he/she leaves. Unlink Employee: Click on either the Unlink Employee button to remove the employee from the company. |
How can I deactivate/reactivate a user's account?
|
Security>>User Administration>>[Select User]>>[Deactivate Account Button]: |
A user's account on HRPlus may need to be deactivated for reasons such as termination of employment, extended leave of absence, retirement, or security concerns. Deactivation ensures that the account is no longer accessible and helps maintain system security and data integrity.
User accounts can successfully be deactivated and reactivated if necessary.
|
Security>>User Administration>>[Search for Employee] |
Deleted user accounts can be recreated. After deleting a user, click the Refresh Memberships button to update the screen.
Use the Refresh Memberships button before recreating a deleted User Account.
Note: The error message "UserId already exists" would appear if you try to recreate the user account without first clicking Refresh Membership.
|
Security>>User Administration (Expand User record by clicking on the + sign) |
The Company Access permission allows the system administrator to grant the end user permission to the Company-Division-Department views within HRplus. Once granted, they can now view all employee data for the respective department(s) within the modules that they have access to.
Permissions can be either be granted for ALL Companies on the database or only for Specific CompaniesDepartment combinations. This permission is required for the end user to be able to see theirs, as well as other employee personnel information stored on HRplus.
How to Grant Access to a Specific Company?
|
Security>>User Administration (Expand User record by clicking on the + sign) |
Grant Access to Specific Companies, Divisions and Departments: By selecting this option, you can select the combination of the Company, Division and Departments that the user has to be granted permissions for. This can be for access to ALL departments within a single company or multiple departments within a company. |
There are two ways in which Company Access can be revoked as follows:
1. Delete Company Access
2. Revoke Granted Permissions
1 . Filter by any of the headers (Company Code, Company Name, Division Code, Division Name, Department Code, Department Name). Records will be displayed depending on the user’s permissions. 2. Select the number of Records per page e.g. 100 (maximum). 3. Check the Delete button. All records will be selected. 4. Click the Submit button. 5. Repeat to delete additional records. |
How to Grant Pay Group Access
|
Security>>User Administration>>[+]>>Pay Group Access |
Pay Groups, in HRplus, are linked to Positions and employees are, in turn, hired into these positions.Pay Group Access is required for those users who need to insert/edit/delete/view records or information related to the employee's linked to the pay groups. This includes but is not limited to entering employee salaries, creating pay cycles and new pay groups, viewing employees pay profiles, viewing payroll related timesheet information, etc. Payroll, HR and HRplus Time Users will need access to Pay Groups.
To give a User access to all Pay Groups, click on the Grant Access To All Pay Groups button. |
Alternatively, if the user is to have access to only certain Pay Groups, click on the drop box to manually select each pay group individually.
Click on the Submit button to Save.
If a user is not given Pay Group Access, s/he will not be able to see information pertaining to the Pay Groups within the various modules. Note that in the event that there is a restructuring exercise taking place within the company and a new Pay Group is created, existing and new payroll users will have to be given permission to new paygroup in order to be able to view it. |
How do I Restrict Position Access?
|
Security>>User Administration>>Restrict Position Access |
The Restrict Position Access feature allows the system administrator the restrict the positions that the end user is able to view. When the position is saved here, then end user will not be able to find any details about the position or the employee in the position. this can be useful in a scenario where a users is not permitted to see the personnel data for executives or other high-level employees.
How does it work?
1. Select the position that the user should NOT have access to.
2. Save the record.
3. Repeat to add more restricted positions.
|
Security>>User Administration>>Restrict User Reports |
Some users may not be permitted to have access to certain reports that may carry confidential information. This screen allows you to block certain reports from being viewed by the HRplus user you are setting up.
• Click on New Record. Next, click on the icon to select from the Reporting Area, the Reporting Group and Report No. within the company, for the person whose information you wish to hide. • Click on the diskette icon to save. • Repeat to add more restricted reports. |
|
Security>>User Administration>>Edit User Groups |
This tab allows you to view the the groups/permissions to which the HRplus user was granted access via the New User tab. You can delete or add more permissions here.
Once the relevant permissions is given based on the employees roles, you then select Submit changes
For more details on Application Permissions, click on the link below:
Description of User Groups and Permissions
• Select the check box of module permission that you wish to grant or revoke access for the user.
• Click Submit Changes to save the record. • If there is a check on the box, this means the user has access to that module. • If the check box is blank, this means the user does NOT have access to the module. • The user will be granted Application and Database (DB) Permissions. |
Description of Modules/User Groups and Database
(DB) Permissions
In HRplus Security Module, you can grant or revoke a user's access to specific functions and data in the application through the User Groups.
Module/ User Group |
User Group Description |
Synced Database Permission |
System/Security: 1. Administrators
|
Allows access to the Security module. These users manage permissions for all end users of HRplus OR In a multi company environment, they manage user permissions for each company administrator. Administrators have access to the following menu options: 1. Security 2. System Configurations
These users are referred to as Database Administrators/Master Users and they can perform the following tasks: 1. create new users 2. grant/revoke permissions/access to companies, pay groups, positions, HR modules, reports, database membership. 3. Change user passwords. 4. Create batch users.
|
SYSTEM_ADMIN |
System/Security: 2. Company Administrators |
Allows access to the Security module. Manage user permissions for their respective company ONLY, in a multi company environment. Administrators have access to the following menu options: 1. Security 2. System Configurations
These users are referred to as Database Administrators/Master Users and they can perform the following tasks: 1. create new users 2. grant/revoke permissions/access to companies, pay groups, positions, HR modules, reports, database membership. 3. Change user passwords. 4. Create batch users.
|
SYSTEM_ADMIN |
Personnel • HR Personnel
|
Allows access to the Personnel module, Personnel, Employees, Company Assets and Event Reminders. |
N/A |
Personnel • HR Manager
|
Allows access to approve HR functions. |
HR_MANAGER |
Personnel • HR Users
|
Grants a user the ability to add, edit, delete, post or manage various transactions within the HR aspect of the application. These employees/users have access to View/Insert/Update/Delete HR functions – they do the processing in the HR Modules – enter data, make changes – keep the application up to date re employee data processing. HR Users have access to: 1. Personnel>>Personnel>>Employees 2. Personnel>>Personnel>>Search Employees 3. User Self Service>>HR>>Self-Serve Entries
|
HR_USER |
Personnel
• HR Setup
|
Allows access to the Setup screens in the Personnel module.
|
HR_SETUP
|
Recruitment • HR Recruitment
|
Allows access to the Recruitment module. |
HR_RECRUITMENT |
Talent • HR Performance
|
Allows access to Talent Management comprising Goals, Appraisals, 360 Multi-Rater, Training and Succession. |
|
Talent • 360 Multi-Rater
|
Access to the 360 Multi Rater module |
HR_360 Module |
Talent • HR Appraisals
|
Access the Appraisals Module |
HR_Performance |
Talent • HR Events
|
Access the HR Events screens which allows the user to generate an Appraisal or 360 Multi-Rater |
|
Talent • HR Goals
|
Access the Goals Module |
HR_USER |
Talent • HR Succession
|
Allows access to the Succession Module |
HR_USER |
Talent • HR Training
|
Access the Training Module |
HR_USER |
Relations • HR Relations
|
Allows access to Employee Relations comprising Industrial Relations and Health and Safety. |
HR_RELATIONS |
Relations • HR Health & Safety
|
Allows access to Health and Safety Module.
|
|
Relations • HR Industrial Relations
|
Allows access to Industrial Relations Module.
|
|
Company Assets |
Allows access to the Company Assets module. |
HR_COMPANY_ASSETS |
Payroll • Pay Supervisor
|
Allows access to a user who has the authority to approve, run and reverse the payroll. The employee who is designated a Payroll Supervisor is usually a manager who has access to approve/reverse the payroll. On completion of data entry of cycle changes, the payroll supervisor will logon to the application, view the Cycle Changes report and give approval to run the payroll. If the payroll has to be reversed, the cycle of approval is repeated as many times as required until the payroll is finalized. Payroll Supervisors have access to the following menu options: 1. Process Payroll 2. Payroll Reports 3. Employees 4. Pay Cycles 5. Business Rules 6. Maintenance 7. Year-End Close 8. Self-Serve Entries
|
PAY_SUPERVISOR |
Payroll • Payroll HR Users
|
Allows access to both Payroll and Human Resources functions. These employees have access to both Payroll and HR functions – View/Insert/Update/Delete employee data in those HR modules to which they have access; make transactional changes (salary changes, promotions, position changes etc.); maintain and update employee data in the application. The menu options are: 1. Process Payroll 2. Payroll Reports 3. Employees 4. Pay Cycles 5. Business Rules 6. Maintenance 7. Year-End Close 8. Self-Serve Entries 9. POWERpay>>Process Payroll>>Employee Transactions 10. POWERpay>>Maintenance>>System Defaults>>Setup Wizards 11. POWERpay>>Maintenance>>System Defaults>>Structure 12. POWERpay>>Maintenance>>System Defaults>>General Codes
|
|
Payroll • Payroll Leave
|
Allows access to the POWERpay module including Leave processing. The Leave module has been included in the POWERpay Payroll menu for those companies that wish to process both Leave and Payroll. The Leave module allows you to quickly and easily calculate and recalculate leave balances. One-time setup is based on unlimited user-defined leave types and leave rules that can easily be modified to cater to changing policies. Recalculation of leave can be done to date or projected to a future date, providing drill-down capability to both a summary and detailed history of employee leave taken and leave balances. Leave can be processed – entered, approved, updated, posted and deleted – with leave balances automatically updated with each transaction thus offering both flexibility and ease of use to the user.
|
|
Payroll • Payroll Setup
|
Allows access to the Payroll Setup menu option which includes the setup of Earnings, Deductions, Allowances, Other Income, Pay Groups, Pay Cycles, Banking and Other Payees and other base tables in the POWERpay module. Employees can View/Insert/Update/Delete only those options on the Payroll Setup menu - the core payroll setup that form the foundation of the payroll and is usually one-time setup. These include the setup of: 1. Earnings 2. Deductions 3. Allowances 4. Other Income 5. Pay Groups 6. Pay Group Company Link 7. Benefit Types 8. Benefit Plans 9. Banking and Other Payees 10. Void Cheque Reasons 11. Multi-Currency 12. Payroll Document Types 13. Invalid Table Codes
|
N/A |
Payroll • Union Rules
|
Allows access to the Business Rules menu option in the POWERpay and Personnel modules located in the General Codes tab. This feature allows a user to set up unions and bargaining units for the organization. |
N/A |
Benefits • HR Benefits
|
Allows access to the Benefits. |
HR_BENEFITS |
Benefits • HR Leave
|
Allows access to the Leave Module. |
HR_BENEFITS |
Benefits • HR Health Plan
|
Allows access to Health Plan. |
HR_HEALTH_PLAN |
Benefits • HR Medical
|
Allows access to Medical. |
HR_MEDICAL |
Benefits • HR Compensation
|
Salary Survey. Future Release |
HR_COMPENSATION |
Benefits • HR Pension
|
Allows access to the Pension module. |
HR_PENSION |
Benefits • HR Education Support
|
Allows access to Education Support. |
HR_EDUCATION_SUPPORT |
Self Service • Self Serve
|
Allows access to User Self Service. Used in conjunction with any other self-serve options depending on the level of access. |
N/A |
Self Service • Self Serve Administrator
|
Allows access to departmental administrators who are responsible for leave approvals, time sheet entries and any other employee-related issues. |
SELF_SERVE_ADMINISTRATOR |
Self Service • Self Serve Employee
|
Allows access to User Self Service – Employee. An employee is allowed to update his/her profile, view his/her payslip, request leave, view balances etc. |
SELF_SERVICE_EMPLOYEE |
Self Service • Self Serve Manager
|
Allows access to User Self Service – Manager. A self serve manager is responsible for all approval requests that are submitted to them from their direct reports. |
SELF_SERVICE_MANAGER |
Self Service • Self Serve Payslip
|
Allows the end user to be able to: 1. View payslips uploaded to HRplus via the self service module. Payslips generated by HRplus are NOT visible in this screen. 2. ONLY view the payslip and not any other self service features. 3. Not have access to view the payslip if this permission is not granted.
|
|
Self Service • Self Serve Timekeeper
|
Allows access to User Self Service – Timekeeper. The self serve timekeeper is responsible for scheduling shifts, keeping all attendance logs up to date, and ensuring timesheets are current. |
HR_TIME |
Self Service • Self Serve Time user
|
Allows users to be able to see the virtual clock on the dashboard upon login, and therefore they can punch in for work using that clock. |
|
Self Service • 360 Team Leader
|
Gives access to employees involved in a 360 MultiRater/Feedback |
SELF_SERVICE_TEAM_LEADER |
HRplus TIME • Time and Attendance
|
Allows access to HRplus Time – the time and attendance module of HRplus. |
HR_TIME |
HRplus TIME • Time and Attendance HR
|
Allows the end user access to HRplus Time – the time and attendance module of HRplus with some of the Personnel Module functions |
|
HRplus TIME • Time and Attendance Leave |
Allows the end user access to HRplus Time – the time and attendance module of HRplus with some of the Leave module functions included. |
|
Reporting • End User Reporting
|
Permission to this option allows the end user access to all reports (e.g. Personnel, Payroll, Benefits, Leave based on the modules to which you have access) to be accessed from one place – there is no need to navigate to the respective module to view the report. It is used in conjunction with Multi-Instance Web Server to which permission must also be granted: • Check Multi-Instance Web Server and End-User Reporting to access all the reports from one place. • Check Single-Instance to access Reports in the respective module.
When you click on the menu item HR Payroll Reports you will be redirected to a new page in your browser in which the reports will be displayed. This feature enables greater speed of access for longer reports (e.g. payroll reports) and helps in balancing the processing load of the server/s. |
N/A |
Reporting • Single Instance
|
Allows access to the Reports menu in the module to which permission is granted. If permission is granted to both End User Reporting and Single Instance then the user will be able to view the Reports menu under the respective module and the DBXtra Reports under the End User Reporting menu. |
N/A |
Reporting • Old Pivots
|
Allows users to be able to view older versions of the pivots available in HRplus via the payroll module. |
|
Add Ons • Add Ons
|
Comprises Fringe, Hotel, Backpay and Advance Payments. Permission allows access to these options. |
|
Add Ons • Advanced Payments
|
Allows access to Advance Payments as a stand-alone module. Permission must also be granted to the Add-Ons option as well |
N/A |
Add Ons • Auditor
|
Persons can view other user activities on specific screens. All actions such as delete, insert and edit are recorded and can be reviewed by the 'auditor' when required. |
AUDITOR |
Add Ons • View Only
|
Users with this permission are only able to view data in the modules they have access to and they will not be able to make any update/insert/edit/delete transactions. This permission is usually granted to audit users.
|
|
Add Ons • Backpay
|
Allows access to Backpay as a stand-alone module. Permission must also be granted to the Add-Ons option. |
N/A |
Add Ons • Client Company
|
Allows the end user to access reports via End User Reporting and view ONLY reports which have been configured for them to access. These reports are configured via End User Reporting >> Web Reports Setup and can be setup by company and country. This feature can be used by: 1. Clients using HRplus as a BPO tool for their clients. This way their clients can log onto HRplus and run the required reports for their company directly from the system without accessing anything else. 2. Clients wishing to setup a user who can only view and run certain reports without accessing any other data.
|
N/A |
Add Ons • Company Imports
|
(Future Feature) Allows the user to access a toll for custom built imports to HRplus. |
|
Add Ons • Fringe
|
Allows access to Fringe Processing (hotel industry). Permission must also be granted to the Add-Ons option. |
N/A |
Add Ons • Hotel
|
Allows access to Hotel (Tronc, Tips). Permission must also be granted to the Add-Ons option. |
N/A |
Add Ons • Other Timesheet
|
Allows the end user access to view the old manual time sheets ( no longer in use) within the department administrator module. This has since been replaced by the time sheets generated by HRplus TIME. |
N/A |
Add Ons • Onboarding
|
Allows the end user to be access the Onboarding/Offboarding functionality within the Personnel, Recruitment and Self Service Modules. |
|
Add Ons • Message Author
|
Allows the end user to be able to create/add/edit a company notification for the message board in HRplus. The message will be pending approval before it can be seen by employees. |
|
Add Ons • Message Administrator
|
Allows the end user to be able to approve a company notification so that it can be posted to the message board in HRplus. These messages are seen by everyone in the company once they log into HRplus. |
|
Add Ons • Multi-Company
|
Allows access to multiple companies within an organization. The employees who have access to the Multi-Company function has access to View/Insert/Update/Delete data with regard to all the companies in the database whereas Single-Company access only allows you to View/Insert/Update/Delete data re the specified company only |
N/A |
Add Ons • Multi-Currency
|
Allows the user access to multiple currencies utilized within an organization. Note that: 1. The employees who have access to the Multi-Currency function will be able to View/Insert/Update/Delete data for all the currencies in use on the database. 2. Single-Currency access only allows you to View/Insert/Update/Delete data that one specified currency which is linked to the company.
|
N/A |
Add Ons • HRplus BI
|
Allows the user to open the link for the HRPlus BI Reports, however this tool must be setup by version control before it is available for use. |
|
Add Ons
• HRplus Support
|
This enables functionality for HRPlus support personnel ONLY. Not for client use. |
|
|
Security>>User Administration>>User DB Permissions |
When a user's access is granted or revoked for the User Group or Application permission, the Database Permissions will be automatically updated to reflect the changes.
This screen must NOT be edited by the system administrator as it will already be reflecting the correct permissions for the user. It is primarily used by HRPlus support personnel to be able to manually adjust user permissions in the rare occasion that this is required.
How do I set up a User's Signature?
|
Security>>User Administration>>[+]>>User Signature |
This feature is used to insert signatures into documents on HRPlus. E.g. On the letter templates a manager's signature can be inserted into the relevant letters. Additionally, it can be used where signatures are required on certain statutory reports.
To upload a signature, you must have an electronic signature or you can scan a signature and save it as a JPEG or PNG.
• Click Upload Images. • Select the signature file from where it is saved on your machine. Click Upload. |
• Once you are okay with the signature, select Submit and the record will be saved. • To delete the record, check the delete box and click Submit. • You may re-upload another file as required. |
How to change my password
|
Security>>User Administration>>Change User Password |
1. Via the Change Password icon (accessible to all HRplus Users)
2. Via the Forgot Password button on the login screen (accessible to all HRplus Users)
3. Via Security Module - Option 1(accessible only to System/Company Administrators)
4. Via Security Module - Option 2(accessible only to System/Company Administrators)
User Login>>[Forgot Password]
Once you click the Reset Password Tab a screen will open for you to enter your new password Please note that the link is only valid for 15 minutes! This is to prevent employees from using the link to reset their password more than once. |
▪ In the Change My Password box, Type in a new password and confirm as prompted. ▪ Use the Submit button to save or the Reset button to start over.
How do I use the Auditing feature?
|
Security>>Module Audit |
The Auditing feature in HRplus is available for ALL modules and:
• Allows for an inspection of Insert/Update/Delete functions that are performed by users of HRplus.
• Maintains a history of these functions.
• Enables system administrators to establish controls to ensure the integrity of the data.
• Is available on all screens of HRplus.
• can only be viewed by users to whom Auditing privileges have been granted.
• can be turned off or time-restricted if necessary.
The System Administrator has the required permission and responsibility to enable/disable these tables as required.
Step 1 |
Identify Modules to be Audited |
|
Based on the HRplus modules purchased and your company's policy, determine the modules/features to be audited. Decide whether the modules/features should be audited: • Always; OR • For a specific time frame |
Step 2 |
Grant User Audit Privileges |
|
Security >>User Administration >> (Search for user) >> Expand user record >> Edit User Groups Identify and decide on the Users to whom audit privileges should be granted. (e.g. HR users). For each identified user, grant Application Permissions to: Auditor (Edit User Groups>>Addons>>Auditor) |
Step 3 |
Enable Module Auditing |
|
Note that the Auditing feature is active, by default for all HRplus modules/features. However, via this option you may: 1. Limit auditing of an HRPlus module/feature to a specific time frame OR 2. Completely cease auditing of an HRplus module/feature. |
Step 4 |
View Audit |
|
The Audit button is available on almost every screen in the HRplus Application. Only users who have Auditor privileges can view the Audit transactions - unauthorized users will not be able to see any data if they click the Audit button. Audit transactions captured are Insert, Update, Delete. |
In accordance with your company’s policy, designated users must be given Auditor privileges in order to view the Audit data. To do so, privileges MUST be granted as shown below: Edit User Groups Security>>User Administration>>[Search for user]>>[expand user record]>>Edit User Groups: |
Search for the Module for which the Auditing feature should be enabled. All HRplus modules will be displayed in alphabetical order in the drop down list. Scroll to view/select. By Default, the Auditing feature is turned ON. The Table Name, Audit Module and Navigation will be displayed as shown below. Complete the following fields and click the Submit button when done. Repeat for each module/table that should be audited! • Always Audit: check this box to continuously audit the table without any end date. • Audit Flag: if you wish to only enable auditing for a particular period then check this box and enter the date range in the Date From/Date To fields. This is checked by default. • Navigation: The navigation to the various screens where data is stored in the corresponding Table name will be displayed. This enables the user to match the database table to the equivalent screen in the front end of the HRplus application. |
The Audit button is displayed on all screens of the HRPlus application. However, only users to whom Audit privileges are granted will actually be able to view the Audit data (users setup in Step 1).
|
Security>>Security Settings>>Oauth Settings |
SSO login attempts are recorded and a log can be exported to Excel via the Export SSO Log button. The old log text file can also be downloaded via the Download Log File (Legacy) button.
How to view Log In Activities
|
Security >> Log In Activity |
• The search option allows you to search for login/logout history by username (login name), Action ( Login or logout) and by date range.
• You may also sort the data on the page by clicking on the column headers (Action, Time, Log expires, Log IP, Error message)
• Data on this screen may also be downloaded to excel by clicking on the X excel icon.
|
Security>>User Administration>>[Select Employee]>>[+]>>Time Zone |
On HRPlus, users are categorized into different roles to ensure that they have the appropriate access levels to perform their duties and responsibilities effectively.
Here are the key differences between core users, self-service users, manager self-service users, and department admin users:.
User Access |
HRplus Access Level |
Who are these Users? |
Responsibilities |
Core User |
Broad access to the system, including administrative and management functions. |
Typically includes HR staff and system administrators. |
Managing employee records, processing payroll, and generating reports. |
Self-Service User |
Limited access focused on personal information and basic functions. |
Regular employees who manage their own HR-related tasks. |
Viewing and updating personal details, accessing pay slips, submitting leave requests, and viewing benefits information. |
Manager Self-Service User |
Manages information for their direct reports. |
Managers and supervisors responsible for overseeing their team members. |
Reviewing and approving leave requests, managing performance evaluations, and accessing team-related reports. |
Department Admin User |
Manages information for the reports within their assigned departments. |
Departmental administrators who support HR functions within their departments. |
Acting as an intermediary between HR and employees, updating departmental records, assisting with department-specific queries. |
|
User Login>>Single Sign On |
This is an authentication process that allows a user to access multiple applications with one set of login credentials. When selecting the SINGLE SIGN ON button, users will authenticate using Microsoft Active Directory and will be signed into the corresponding user within the HRplus application.
Entering the username and password on the HRplus login screen is NOT required.
The generated password meets the complexity requirements of the system when the SSO option is used. Single Sign On can also work with standalone mobile applications.
Contact our support team at HRplus to have this feature enabled for your organisation.
The user is automatically logged into HRplus, without the need to enter a password.
|
Security>>Login Activities |
|
Security>>Security Settings>>Oauth Settings |
|
SSO login attempts are recorded and a log can be exported to Excel via the Export SSO Log button. The old log text file can also be downloaded via the Download Log File (Legacy) button. |
You can change your HRplus password in three ways:
1. Using the 'Forgot Password' button on the login screen (for all HRplus users):
• Enter your User ID and click 'Forgot Password'.
• You'll receive an email with a password reset link, valid for 15 minutes.
• Click the link, enter a new password, and select 'Login'.
2. Using the 'Change Password' icon (for all HRplus users):
• click the 'Change Password' icon.
• Enter and confirm your new password.
• Click 'Submit' to save.
3. Through the Security Module (for System/Company Administrators only):
• System/Company Administrators have two methods to change user passwords within the Security Module.
How can I deactivate or reactivate a user's account?
To deactivate or reactivate a user account in HRplus, follow these steps:
1. Navigate to 'Security' -> 'User Administration'.
2. Search for the specific user and click on their record.
3. Click the 'Deactivate' button to deactivate the account, or the 'Reactivate' button to reactivate it.
Note: The Account End Date automatically populates
when an account is deactivated, including when an employee is separated from
the company.
How do I grant company access to a user in HRplus?
You can grant company access to users in two ways:
1. Grant access to all companies, divisions, and departments:
• This option grants the user access to all data across the entire HRplus database. It's typically used for System Administrators.
1. Grant access to specific companies, divisions, and departments:
• This option allows you to select
specific company hierarchies for user access, granting them permission to view
employee data only within those chosen areas.
What are the different user roles in HRplus and their access levels?
HRplus has distinct user roles, each with specific access levels to manage information and perform tasks:
• Core Users: HR staff and system administrators with broad access to administrative and management functions, including employee records, payroll, and reporting.
• Self-Service Users: Regular employees with limited access to their personal information and basic HR tasks, such as updating personal details, accessing payslips, and submitting leave requests.
• Manager Self-Service Users: Managers and supervisors with access to information related to their direct reports, enabling them to approve leave requests, manage performance evaluations, and access team reports.
• Department Admin Users: Departmental administrators responsible for managing
information and supporting HR functions within their departments. They act as
intermediaries between HR and employees, updating records and assisting with
departmental queries.
How can I restrict access to specific reports in HRplus?
To restrict user access to certain reports:
1. Go to 'Security' -> 'User Administration'.
2. Select the user and click the '+' sign to expand their record.
3. Navigate to the 'Restrict User Reports' tab.
4. Click 'New Record' and choose the specific report to restrict by selecting its Reporting Area, Reporting Group, and Report Number.
5. Click the save icon and repeat for
each report you want to restrict.
What are the benefits of Two-Factor Authentication (2FA) in HRplus?
Two-Factor Authentication (2FA) enhances security by requiring users to provide two forms of authentication:
something they know (password) and something they have (typically a unique code from a mobile app or hardware token).
Benefits of enabling 2FA in HRplus include:
• Stronger Security: Makes it significantly harder for unauthorized users to access accounts, even if they obtain a password.
• Protection Against Phishing: Reduces the risk of compromised accounts through phishing attacks.
• Data Protection: Safeguards sensitive employee data from unauthorized access.
• Compliance: Helps meet regulatory requirements for data security and privacy.