Creating Custom Access Levels and Use Cases

How do I create a custom access level?

Purpose: This guide explains how to create a custom access level from scratch in BambooHR. Custom access levels are best for users such as department managers, HR assistants, IT, and your executive team. Creating a custom access level allows you to grant specific access to individuals based on which employees they should be able to see and what information they should have access to. This guide also provides use cases you can use as templates, giving you an idea of the permissions admins typically grant for each role.

Custom access level settings are divided into three parts: Basic Info, What this Access Level Can Do, and What this Access Level Can See. For in-depth setup instructions, please refer to the following help guides. 

Table of Contents:

Adding basic information

To begin creating a custom access level, navigate to Settings > Access Levels. Click on the add icon next to "Levels" and select Custom Access Level.

  1. Access Level Name: Add a unique name to help you identify which users this access is for.
  2. Description: Although optional, we recommend to providing a detailed description to remember why the level was created. This section can note the specific actions or areas of BambooHR that a user can access, or what they are specifically not allowed to do.

Once this information is added, click Next Step.

Finalize custom access level settings

After all permissions have been granted, click Save & Finish at the bottom of the page to finalize your selections. The custom access level will now be available for selection when enabling access for a user to BambooHR.

Duplicating a custom access level

If you need to create another custom access level similar to one you've already made, you can duplicate it. Navigate to the custom access level you want to copy under Settings > Access Levels. Then, under the action menu, select Duplicate Access Level. This creates a new level with all the same settings, allowing you to quickly make small changes.

Use cases for custom access levels

The use cases are intended only as starting points. BambooHR is not responsible for any unintended information sharing caused by incorrect access level assignments. Always preview each access level before assigning it to employees to ensure they cannot see information they shouldn’t have access to.

For more information about creating custom access levels, check out our BambooHR Learning Course!

Benefits Administrator

The recommendations below outline the minimum permissions required for users to complete the common tasks for this role.

You can grant additional access beyond these recommendations, and doing so will not affect the user's ability to complete the actions described. If you are not sure what granting additional permissions will do, refer to this help guide.

Access level description: Can view pertinent account information, but has limited editing capabilities related to benefits only.

Benefits Administrator: What this Access Level Can Do

Company Files:

  • Upload Files
  • Request E-Signatures and Set Up Templates
  • Allow access to these Folders in Company Files
    • You must enable Edit access to at least one folder for the user to upload files in your account.

For more information about what granting these permissions allows, click here.

Reports:

  • Create New Reports

For more information about what granting these permissions allows, click here.

Company Files:

  • Upload Files
  • Request E-Signatures and Set Up Templates
  • Allow access to these Folders in Company Files
    • You must enable Edit access to at least one folder for the user to upload files in your account.

For more information about what granting these permissions allows, click here.

Reports:

  • Create New Reports

For more information about what granting these permissions allows, click here.

Settings:

  • Benefits

For more information about what granting these permissions allows, click here.

Benefits Administrator: What this Access Level Can See

See About Other Employees

For this access, most customers grant Benefits Administrators the following access for all employees:

  • Personal Tab: View Only access to the fields they need access to for performing their tasks.
  • Documents Tab: Edit access to benefits-related folders.
  • Benefits Tab: Edit access.

When it comes to the Benefits Administrator access level, we suggest you only grant access to information you know the employee will need to access. If you are not sure that the employee will need the information you are considering sharing with them, leave it as No Access. You can always come back and change the permissions later.

See About Themselves

Since a Benefits Administrator is a regular employee, they likely need to see their own information (meaning they have access to their own My Info tab). When determining which access level should apply, we usually recommend choosing an employee access level.

If you choose the Equal Access option, it would grant the user the same visibility and editing capabilities on their own profile that they have for others. This means that if you granted them Equal Access and also granted them Edit access to the Benefits tab, the user in this access level would be able to edit their own Benefits tab.

See on Home

Since the permissions on the See on Home tab determine what the user will see on their own homepage, we recommend matching the custom access level's See on Home permissions with the See on Home permissions you have determined for your employee access levels. Since the Announcements and Links widgets are not usually managed by a benefits administrator, those are usually set to View Only.

Executive Team

The recommendations below outline the minimum permissions required for users to complete the common tasks for this role.

You can grant additional access beyond these recommendations, and doing so will not affect the user's ability to complete the actions described. If you are not sure what granting additional permissions will do, refer to this help guide.

Access level description: Can view all account information, but has limited editing capabilities.

Executive Team: What this Access Level Can Do

Company Files:

  • Upload Files
  • Request E-Signatures and Set Up Templates
  • Allow access to these Folders in Company Files
    • You must enable Edit access to at least one folder for the user to upload files in your account.

For more information about what granting these permissions allows, click here.

Reports:

  • Create New Reports
  • View Payroll Reports

For more information about what granting these permissions allows, click here.

Executive Team: What this Access Level Can See

See About Other Employees

For this access, we recommend granting View Only access to each tab on the employee profile for all employees. This ensures the user can see all information on employee profiles but does not have edit access to any information.

If there is sensitive information that an executive does not need to see, such as Social Security numbers, you could limit access to those fields, if needed.

See About Themselves

Typically, the executive needs to see their own information (meaning they have access to their own My Info tab). When determining which access level should apply, we usually recommend choosing an employee access level.

If you choose the Equal Access option, it would grant the user the same visibility into their own profile that they have for others. This means that if you granted them Equal Access and also granted them Edit access to the Onboarding tab, the user in this access level would be able to edit their own Onboarding tab.

See on Home

Since the executive team typically has access to all the information in an account, we recommend granting access to all the widgets on the See on Home tab. If your executive team should also be able to send announcements to employees, make sure to choose Edit access.

HR Assistant

The recommendations below outline the minimum permissions required for users to complete the common tasks for this role.

You can grant additional access beyond these recommendations, and doing so will not affect the user's ability to complete the actions described. If you are not sure what granting additional permissions will do, refer to this help guide.

Access level description: Can view all account information (except compensation), and can edit non-essential information.

The HR Assistant role can differ significantly from company to company. Although this use case only grants the minimum permissions needed to complete common tasks for this role, please make sure you refer to this help guide to ensure you are granting them the proper permissions.

HR Assistant: What this Access Level Can Do

Company Files:

  • Upload Files
  • Allow access to these Folders in Company Files
    • You must enable Edit access to at least one folder for the user to upload files in your account.

For more information about what granting these permissions allows, click here.

Employees:

  • Power Edit Employees
  • Change Employee Photos

For more information about what granting these permissions allows, click here.

Reports:

  • Create New Reports

For more information about what granting these permissions allows, click here.

Security:

  • Manage Employee Access Levels
  • Reset User Passwords
  • Reset User 2-Step Login

For more information about what granting these permissions allows, click here.

Access to Training on the Settings tab may also be a helpful permission if the HR admin will be responsible for adding trainings to BambooHR.

HR Assistant: What this Access Level Can See

See About Other Employees

For this access, most customers grant HR admins View Only access to all tabs with the following exceptions:

  • Job Tab > Compensation Table: No access.
  • Pay Info Tab: No access (BambooHR Payroll customers only).
  • Documents Tab: Edit access to necessary folders.
  • Performance Tab: May contain sensitive information, limit access as necessary.
  • Notes Tab: May contain sensitive information, limit access as necessary.
  • Onboarding: Edit access if they are responsible for managing tasks for new hires.
  • Offboarding: Edit access if they are responsible for managing tasks for terminated employees.

When it comes to the HR Assistant access level, we suggest you only grant access to information you know the employee will need to access. If you are not sure that the employee will need the information you are considering sharing with them, leave it as No Access. You can always come back and change the permissions later.

See About Themselves

Since an HR assistant is a regular employee, they likely need to see their own information (meaning they have access to their own My Info tab). When determining which access level should apply, we usually recommend choosing an employee access level.

If you choose the Equal Access option, it would grant the user the same visibility and editing capabilities on their own profile that they have for others. This means that if you granted them Equal Access and also granted them Edit access to the Notes tab, the user in this access level would be able to edit their own Notes tab.

See on Home

Since the permissions on the See on Home tab determine what the user will see on their own homepage, we recommend matching the custom access level's See on Home permissions with the See on Home permissions you have determined for your employee access levels.

If the HR admin should have the ability to send announcements or edit the company links available on all employees' homepage, you can grant them Edit access to those widgets.

IT Team

The recommendations below outline the minimum permissions required for users to complete the common tasks for this role.

You can grant additional access beyond these recommendations, and doing so will not affect the user's ability to complete the actions described. If you are not sure what granting additional permissions will do, refer to this help guide.

Access level description: Can view some employee data, edit work email address field and all fields on the Asset tab.

IT Team: What this Access Level Can Do

Typically, an IT team member does not need to perform actions on behalf of employees in BambooHR. With this in mind, you can click Next Step without assigning any permissions.

IT Team: What this Access Level Can See

See About Other Employees

For this access level, when determining whose profiles they should have access to, we recommend using the All Employees option or the Only Some Employees option to choose specific groups based on our standard filters (e.g., if the IT team is not responsible for tracking asset information for executives).

We recommend granting them View Only access to the basic information on the employee profile (e.g. First Name, Last Name, Job Title) that would tell the user which assets to assign, Edit access to any information IT would assign to new hires (e.g. work email address), and Edit to the Assets tab if they are in charge of tracking asset assignment.

If you have not added the Assets tab and corresponding table to your account, you can do so using our standard fields library.

See About Themselves

As the IT team is made up of regular employees, they typically need to see their own information (meaning they have access to their own My Info tab). When determining which access level should apply, choose an employee access level.

If you choose the Equal Access option, it would grant the user the same visibility and editing capabilities on their own profile that they have for others. This means that if you granted them Equal Access and also granted them Edit access to the Assets tab, the user in this access level would be able to edit their own Assets table.

See on Home

Since the permissions on the See on Home tab determine what the user will see on their own homepage, we recommend matching the custom access level's See on Home permissions with the See on Home permissions you have determined for your employee access levels. Since the Announcements and Links widgets are not usually managed by the IT team, those are usually set to View Only.

Time Tracking Manager (Full Access to Time Tracking)

The recommendations below outline the minimum permissions required for users to complete the common tasks for this role.

You can grant additional access beyond these recommendations, and doing so will not affect the user's ability to complete the actions described. If you are not sure what granting additional permissions will do, refer to this help guide.

Access level description: Can add and assign project tracking and shift differentials, and has view access to timesheets.

Time Tracking Manager: What this Access Level Can Do

Time Tracking tab:

  • Approve Timesheets
  • Enable/Disable Time Tracking for all Employees
  • Manage Hour Imports
  • Manage Project Tracking
    • Permission automatically granted when access is granted to Time Tracking in Settings
  • Manage Shift Differentials
    • Permission automatically granted when access is granted to Time Tracking in Settings

Settings tab:

  • Time Tracking

For more information about what granting these permissions allows, click here.

Do I need to grant them access to the Time Tracking tab in Settings?

If you grant the Manage Project Tracking and Manage Shift Differentials permissions, the users will see and be able to edit both the Project Tracking and Shift Differentials tabs in Settings > Time Tracking (see image above).

If you grant them access to all permissions in the Time Tracking tab and Time Tracking in the Settings tab (described in the recommendation above), the users will be able to perform all actions in Time Tracking settings, enable/disable Time Tracking for employees, set up the Time Kiosk app, and manage hours imports.

If you grant them access to Time Tracking on the Settings tab, the user will be see and edit the Project Tracking, Shift Differentials, and Settings tabs, but will only have View access to the Employees and Devices tabs (see image below).

Time Tracking Manager: What this Access Level Can See

See About Other Employees

Usually, a Time Tracking manager needs Edit access to an employee's Timesheet tab so they can rectify any mistakes on behalf the employee. If you are tracking multiple pay rates with the Project Pay Rates table, you may grant Edit access to that table as well.

If you have not added the Project Pay Rates table to your account, you can do so using our standard Fields library.

See About Themselves

Typically, a Time Tracking manager needs to see their own information (meaning they have access to their own My Info tab). When determining which access level should apply, we recommend choosing an employee access level.

If you follow the recommendations above and choose the Equal Access option, it would allow the user to edit their own timesheet. If they should not have that permission, make sure to choose an employee access level with View Only permission for the Timesheet tab.

See on Home

Since the permissions on the See on Home tab determine what the user will see on their own homepage, we recommend matching the custom access level's See on Home permissions with the See on Home permissions you have determined for your employee access levels. Since the Announcements and Links widgets are not related to Time Tracking permissions, those are set to View Only.

Recruiter/Hiring Manager

The recommendations below outline the minimum permissions required for users to complete the common tasks for this role.

You can grant additional access beyond these recommendations, and doing so will not affect the user's ability to complete the actions described. If you are not sure what granting additional permissions will do, refer to this help guide.

Access level description: Access to manage job openings, send offer letters, and manage hiring settings. No access to current employee data.

Recruiter: What this Access Level Can Do

Hiring tab:

  • Manage Job Openings, Talent Pools, and Candidates
    • Send and Manage Offer Letters

For more information about what granting these permissions allows, click here.

Do I need to grant my recruiter access to the Hiring tab in Settings?

Granting recruiters access to Hiring in Settings would allow them to edit information on the Hiring tab, including candidate statuses, candidate sources, and email templates.

If you want the user to be able to edit information in the offer templates, interview templates, and calendar and video access Files, you must grant them both permissions of Manage Job Openings,Talent Pools and Candidates and Send and Manage Offer Letters mentioned above.

Recruiter: What this Access Level Can See

See About Other Employees

Typically, the recruiter does not need access to view any information on an employee profile. If the recruiter has a hand in monitoring the onboarding process, you could grant them View Only or Edit access to the Onboarding tab.

See About Themselves

Typically, the recruiter needs to see their own information (meaning they have access to their own My Info tab). When determining which access level should apply, we usually recommend choosing an employee access level.

If you choose the Equal Access option, it would grant the user the same visibility into their own profile that they have for others. This means that if you granted Equal Access and also granted Edit access to the Onboarding tab, the user in this access level would be able to edit their own Onboarding tab.

See on Home

Since the permissions on the See on Home tab determine what the user will see on their own homepage, we recommend matching the custom access level's See on Home permissions with the See on Home permissions you have determined for your employee access levels. Since the Announcements and Links widgets are not usually managed by recruiters, those are usually set to View Only.

Time Off Approver (outside the regular workflow)

The recommendations below outline the minimum permissions required for users to complete the common tasks for this role.

You can grant additional access beyond these recommendations, and doing so will not affect the user's ability to complete the actions described. If you are not sure what granting additional permissions will do, refer to this help guide.

Access level description: Can approve time off outside the regular workflow.

Users with this access level will not automatically receive time off approval notifications. If you want these users to be notified of pending time off requests, consider setting up this email alert.

Time Off Approver: What this Access Level Can Do

Since an employee who is approving time off requests outside the standard workflow is not managing any time off policies, balances, or accruals, they usually do not need to perform actions on behalf of employees in BambooHR. With this in mind, you can click Next Step without assigning any permissions.

Time Off Approver: What this Access Level Can See

See About Other Employees

A user who can approve time off outside the regular workflow needs Edit access to the time off categories they should be able to approve time off requests for. Frequently, this access level is assigned to a manager who should approve time off requests for those who report to their direct report (also known as the user's indirect reports) in case the direct report is out of the office. If this how you would like this access level to function, make sure to choose Direct and Indirect Reports next to "This Access Level can access the information below for." However, if you want one person to be able to approve any time off requests for anyone in the company, you could choose the All Employees option.

For more information about this workflow, click here.

See About Themselves

Since, the user in this access level is typically a regular employee, they need to see their own information (meaning they have access to their own My Info tab). When determining which access level should apply, we recommend choosing an employee access level.

If you choose the Equal Access option, it would grant the user the same visibility into their own profile that they have for others. This means that if you granted Equal Access and also granted Edit access to the Bereavement time off category on the Time Off tab, the user in this access level would be able to approve their own bereavement time off requests.

See on Home

Since the permissions on the See on Home tab determine what the user will see on their own homepage, we recommend matching the custom access level's See on Home permissions with the See on Home permissions you have determined for your employee access levels. Since the Announcements and Links widgets are not related to time off permissions, those are set to View Only.

Timesheet Approver (outside the regular workflow)

The recommendations below outline the minimum permissions required for users to complete the common tasks for this role, but in many circumstances, users in this access level are also expected to manage and edit all time tracking settings. In this case, each of the permissions listed for a timesheet approver are included in the Time Tracking Manager use case.

You can grant additional access beyond these recommendations, and doing so will not affect the user's ability to complete the actions described. If you are not sure what granting additional permissions will do, refer to this help guide.

Access level description: Can approve timesheets outside the regular workflow.

Timesheet Approver: What this Access Level Can Do

Time Tracking tab:

  • Approve Timesheets
    • Granting a user permission to approve timesheets allows them to approve their own. However, their regular approver will remain the primary timesheet approver. If you do not want the user to approve their own timesheets, let them know that their primary approver is still responsible for their timesheet approval.

For more information about what granting this permission allows, click here.

Timesheet Approver: What this Access Level Can See

See About Other Employees

A timesheet approver needs View Only (or Edit) access to an employee's Timesheet tab. Frequently, this access level is assigned to employees who have direct and indirect reports, so they can approve their indirect reports' timesheets while one of their direct reports is out of the office. However, if you want one person to be able to approve any timesheet, you could choose the All Employees option.

In the example above, the user only has access to view the timesheets of their direct and indirect reports. Since the permission in the What Can this Access Level Can Do section states that they can approve timesheets they are able to view, users in this access level will only be able to approve timesheets for their direct and indirect reports.

See About Themselves

Since, a timesheet approver is typically a regular employee, they need to see their own information (meaning they have access to their own My Info tab). When determining which access level should apply, we recommend choosing an employee access level.

See on Home

Since the permissions on the See on Home tab determine what the user will see on their own homepage, we recommend matching the custom access level See on Home permissions with the See on Home permissions you have determined for your employee access levels. Since the Announcements and Links widgets are not related to Time Tracking permissions, those are set to View Only.