Permissions for Cornerstone HR
This page contains permissions that may apply to organizations using the Cornerstone HR solution.
Benchmark Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Benchmark Total Access | This permission provides total access to the Benchmark metrics and functionality. | Benchmark - Administration |
Core Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Access FTP Account - View | Grants access to the FTP account landing page where the available accounts are displayed. Currently, this permission cannot be constrained. | Core Administration |
| Access Partner Authorization - Manage | Grants ability to manage partner authorized access to portal via Partner Access Administration. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Announcements - View | Grants ability to view announcements created by others, via the Welcome Page Inbox widget or the Announcements page. This is an end user permission. | Core |
| Available Languages - Modify | Grants access to choose what languages to which learning objects may be associated when users search for training. This is an administrator permission. | Core Administration |
| Badge & Point Preferences - Manage | Enables user to access and edit preferences on the Badge & Point Preferences page. The availability of this permission is controlled by a backend setting. This permission can be constrained by OU and User's OU. This is an administrator permission. | Core Administration. |
| Batch Edit Users | Grants ability to modify user records in bulk. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Capabilities - Capability Models Library - Manage | Grants ability to access the Capability Models Library and create, edit, and deactivate Capability Models. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Capabilities - Skills Library Builder | Grants ability to import relevant Cornerstone Skills Graph skills based on user profile data and generate skill suggestions via the Skills Library Builder page. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Capabilities - Skills Profile - View |
Grants the ability to view an employee Skills Profile. Users with this permission may view the Skills Profile for anyone in the organization. However, individual ratings have privacy settings that control visibility within the Skills Profile. This permission cannot be constrained. This is an end user permission. |
Core Administration |
| Capabilities - Skills Quick Start Wizard - Manage | Grants access to the Skills Quick Start Wizard administrator experience, which helps administrators configure and deploy skills within their organization. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Capability Categories | Grants access to the Capability Categories functionality, where administrators can create and manage capability categories. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Capability Library - Edit | Grants the ability to create, edit, and copy capabilities via the Capability Library. Administrators with this permission cannot delete capabilities or change the status of a capability. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Capability Library - Manage | Grants the ability to create, edit, copy, delete, import, and approve capabilities via the Capability Library. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Capability Preferences - Manage | Grants the ability to create and edit expertise levels and rating scales for capabilities via Capabilities Preferences. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Change User Passwords - Administrator | Grants ability to change the portal password of another user. This permission works in conjunction with the Users - View permission. This permission can be constrained by User's Corporation, OU, User's OU, User's Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| Copy Down - Cancel | Allows administrator to access the Copy Down tool, view and cancel copy downs, and subscribe or unsubscribe to email notifications. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Core Features Activation | Grants ability to manage Core Feature Activation Preferences in which administrators can enable and disable certain features. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Corporate Logo List - View | Grants access to select header logo from the corporate list of images. User must also have Display Preference permission. This is an administrator permission. | Core Administration |
| Corporate Preferences - Manage | Grants the ability to manage Corporate Preferences, which includes several portal-wide settings. This is an administrator permission. | Core Administration |
| Corporate Preferences: Lockout Preferences - Manage | Grants ability to configure the Lockout Preferences on the Corporate Preferences page. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Custom Login Page - Manage | Grants the ability to create and edit custom login pages for the portal. Administrators with this permission can also enable or disable a custom login page and identify the default login page. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Custom Pages - Manage | Grants access to create and edit custom pages for the portal. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Deep Link: Base URL Control | Allows administrator to define the Base URL for all SSO module links. This is an administrator permission. | Core Administration |
| Deep Link: Base URL Control | Allows administrator to define the Base URL for all SSO module links. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Deep Link: View Modules | Allows administrator to view the deep links URLs. This is an administrator permission. | Core Administration |
| Define Fiscal Year | Grants ability to set the fiscal year for aggregating annual training hours completed by users for display on the transcript page. This is an administrator permission. | Core Administration |
| Display Preferences - Manage | Grants ability to configure Display Preferences, including Navigation Tab theme and settings and header logo displayed to end users. This is an administrator permission. | Core Administration |
| Display Preferences - Upload Logo | Grants access to upload an image on the Display Preference Page. User must also have Display Preference permission. This is an administrator permission. | Core Administration |
| Duplicate User Management Preferences - Manage | Grants ability to access and configure management of duplicate records, including parameters used to prevent duplicates. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Email Preferences - Manage | Grants ability to manage Email Preferences, which includes defining end users' ability to change their email address and the associated email notifications when emails are changed. This is an administrator permission. | Core Administration |
| Employee Recognition Preferences - Manage | Grants ability to create and edit employee recognition awards for use by end users. This is an administrator permission. | Core Administration |
| Global Email Administration - Manage | Grants ability to manage email trigger templates across all active modules in the portal. Enables creating, editing and deleting email message templates for various system actions and workflows. This permission can be constrained by OU, User's OU, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| Global Email Administration - View | Grants view only access to email templates/triggers and email logs at the global level for the portal. This permission can be constrained by OU, User's OU, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| Global Search Preferences - Manage | Grants ability to configure Global Search Preferences. This is an administrator permission. The availability of this permission is controlled by a backend setting. This permission can be constrained by OU and User's OU. By default, this permission is constrained to the organization. | Core Administration |
| Grant Employee Recognition | Enables users to grant recognition awards to others, using a predefined list of awards created by administrators. This is an end user permission. | Core |
| Group Preferences - Manage | Grants the ability to access and modify the Group Preferences page. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Help Link - Manager | Provides access to view the User and Manager topics in online help. This is a manager permission. | Core |
| Help Link - System Administrator | Provides access to view the User, Manager and System Administrator topics in online help. This is an administrator permission. | Core |
| Help Link - User | Provides access to view the End User topics in online help. This is an end user permission. | Core |
| Insights Dashboard | Allows user to access Insights Dashboard. This permission cannot be constrained. | Core |
| Language Preferences - Manage | Grants ability to set default language for portal/OU and set whether end users may adjust their own portal display language. This is an administrator permission. | Core Administration |
| Log In Message - Manage | Grants access to create a message that appears upon portal login to all users or a selected group/subset of users. This is an administrator permission. This permission can be constrained by OU and User's OU. | Core Administration |
| Marketing Emails - Manage | Grants ability to create and send ad hoc emails to populations of users based on their assigned org units, groups, or by user name. This is an administrator permission. | Core Administration |
| MFA - Admin - User Device - Manage | Grants the ability to manage the user device information for Multi-factor Authentication. This permission works with the MFA - Admin - User Device - View permission. Administrators can delete devices for user records within their constraints. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| MFA - Admin - User Device - View | Grants the ability to view the user device information for Multi-factor Authentication. Administrators can view the page for user records within their Users - View permission constraints, and additional constraints can be added to this permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| MFA - Administration - Manage | Grants the ability to view and configure Multi-factor Authentication (MFA). This permission cannot be constrained. This is an administrator permission. | Core Administration |
| MFA - Administration - View | Grants the ability to view the Multi-factor Authentication (MFA) configuration. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| My Account Devices - Manage | Manage device registrations from My Account. This permission cannot be constrained. This is an end user permission. | Core |
| My Account Social - Manage | Grants ability to view and manage third party profile connections on the Social page in My Account. This is an end user permission. | Core |
| MyTeam Comments - Manage | Grants ability for manager (or others depending on constraints) to view Comments previously entered about their direct and indirect reports and also create new comments as well as attach files to comments. This permission can be constrained by OU, User's OU, User's Direct Reports, User, and User Self and Subordinates. The permission constraints determine for which users the Comments tab is available when viewing a user in My Team. Note: By design, for any My Team permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. Note: If the user's permission is also constrained by User Self and Subordinates, then this overrides the User's Direct Reports constraint. | Core |
| MyTeam Search by OU | Grants ability to allow users to search by division and position when viewing MyTeam. The constraints upon this permission determine the OUs that are available within the search. Note: By design, for any My Team permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. | Core |
| My Team/Talent Profile Preferences | Grants ability to set display preferences for the My Team and Talent Profile screens. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Navigation Tabs and Links - Manage | Grants ability to manage Navigation Tabs and Links for the portal. This permission can be constrained by OU, User's OU, and User's Corporation. This is an administrator permission. | Core Administration |
| Organizational Unit Custom Fields - Manage | Grant Access to create and edit custom fields for Org Units. This is an administrator permission. | Core Administration |
| Org Chart - Preferences |
Grants access to the Org Chart Preferences page. This permission cannot be constrained. |
Core |
| Org Chart by Organization - View |
Grants access to the Organization tab on the new Org Chart page. This permission cannot be constrained. This permission works in conjunction with the Org Chart - View permission. For users who do not have this permission, the Organization tab will not be available. Note: This permission pertains to the new Org Chart functionality that is released with the February '17 release. The new Org Chart functionality is only available for organizations with Cornerstone HR, Succession, or View. |
Core |
| OU Group - Update | Grants access to edit existing custom groups of users. This permission can be constrained by OU, User's OU, and Provider. This is an administrator permission. | Core Administration |
| OU Group - View | Grants access to view existing custom groups. This permission can be constrained by OU. This is an administrator permission. | Core Administration |
| OU Hierarchy - Manage | Grants ability to create and update/edit organizational units. This permission grants access to all OU types, both standard and custom. This permission can be constrained by OU and User's OU. This is an administrator permission. | Core Administration |
| Password Preferences - Manage | Grants ability to manage Password Preferences, which includes specifying the settings for users to change their own password, or for the system to generate an anonymous password, set the specific password requirements and allowing users to reset password by answering security questions. This permission can be constrained by OU and User's OU. This is an administrator permission. | Core Administration |
| People Matrix | Grants access to the People Matrix functionality. This permission can be constrained to User, OU, User's OU, User Self and Subordinates, and User's Direct Subordinates. The constraints on this permission determine which users are available in the People Matrix. This is a manager permission. | Core Administration |
| People Matrix - Manage Preferences | This grants the ability to manage the People Matrix Settings. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Prevent Duplicate Users - Reconcile | Grants ability to view user accounts that have been identified as potential duplicates. Administrators can only view pending user records that were created by administrators who are within the constraints on this permission. This permission can be constrained by OU and User's OU. This is an administrator permission. | Core Administration |
| Reset Password and Public Keys - Manage | Grants ability to manage FTP account login password and public keys when applicable. Currently, this permission cannot be constrained. | Core Administration |
| Security Administration - General Constraints | Grants access to apply general constraints to permissions when creating/editing a security role. This permission works in conjunction with the Security Administration - Manager permission. This is an administrator permission. | Core Administration |
| Security Administration - Manage | Grants ability to create, modify and constrain security roles within the portal, and assign users to those security roles. This permission can be constrained by OU, User's OU, User, and User Self and Subordinates. This is an administrator permission. | Core Administration |
| Security Health Check - Edit Security Issues | Grants ability to edit security issue settings in the Security Health Check tool and set them to Cornerstone's recommended value. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Security Health Check - View | Grants ability to view the Security Health Check tool. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Self-Registration and User Record Custom Fields - Manage | Grants access to manage custom fields for user Self Registration and the user record in Custom Field Administration. This permission can be constrained by OU and User's OU. This is an administrator permission. | Core Administration |
| Share Manager/Approver Permissions | Enables managers and approvers to delegate certain types of approvals and MyTeam viewing permissions to others. This permission is only relevant to managers and approvers. | Core |
| Single Sign On - CSOD Certificate | Grants ability to view, manage, and upgrade SSO certificates and configurations. This is an administrator permission. This permission cannot be constrained. | Core Administration |
| Skills Profile - Critical Skills - View |
Grants the ability to view the Critical Skills table for any user. This permission cannot be constrained. This is an administrator permission. Administrators must also have permission to access the user's Skills Profile. |
Core Administration |
| SSO Link to Cornerstone Success Center | Grants access to an in-portal link to the Cornerstone Success Center sign in page. This is an administrator permission that should be limited to authorized client users of the Cornerstone Success Center. | Core Administration |
| Support Information - Manage | Grants ability to manage Support Information, which includes specifying an email address and phone number for end users to contact for portal support. This permission works in conjunction with the Corporate Preferences permission. This is an administrator permission. | Core Administration |
| Task - View | Grants ability to view assigned tasks via Scheduled Tasks screen and Welcome Page My Tasks widget. This is an end user permission. | Core |
| Time Zone Preferences - Manage | Grants ability to set default time zone for portal/OU and set whether end users may adjust their own portal time zone. This is an administrator permission. | Core Administration |
| Training Data Merge - View | Grants ability to view past training record merges. The availability of this permission is controlled by a backend setting. This permission can be constrained by OU, User's OU, User Self and Subordinates, and Users. Which records are displayed in the History section is dependent on creator constraints. This is an administrator permission. | Core Administration |
| Universal Profile - User Record - Create Users | Grants ability to access the User Record Administration page and to create new users in the system. When creating a new user, this permission grants the ability to add general information, which includes first name, last name, username, assigned OUs, and custom relationships. The administrator must have additional permissions to add any additional fields. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| Universal Profile - User Record - Edit Users | Grants ability to edit user records in the system. The administrator must have additional permissions to edit specific fields on the user record. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. Note: This permission DOES NOT grant the ability to view user records in the system. Administrators must have the Universal Profile - User Record - View Users permission in order to view user records. | Core Administration |
| Universal Profile - User Record - View Users | Grants ability to view user records in the system. Administrators can view the Modification History page for user records within their constraints. The administrator must have additional permissions to view specific fields on the user record. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| User - Edit Absent Status on My Account Page | Allows user to change absent status on My Account page. This is an end user permission. | Core |
| User Permission and Constraint Details - View | Grants ability to access the Permissions Constraints Details page for a user. This permission also grants ability to see the Permissions Constraints Details link on the Permissions page. This permission can be constrained by OU, User's OU, User, and User Self and Subordinates. This is an administrator permission. | Core Administration |
| User Preferences - Core Information: View | Grants ability to view the User Preferences administrator page. This permission does not allow administrators to modify the preferences. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| User Preferences - Leave Types: Manage | Grants ability to manage Leave Types on the User Preferences administrator page. Administrators must also have the User Preferences - Core Information: View permission to access the User Preferences page. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| User Preferences - Reasons for Change: Manage |
Grants ability to define and configure Reasons for Change on the User Preferences administrator page, which may be used when modifying the user record. The administrator must also have the User Preferences - Core Information: View permission to access the User Preferences page. This permission is also required to view and set the Reason for Change field when editing a user record. This permission cannot be constrained. This is an administrator permission. |
Core Administration |
| User Preferences - Termination Reasons: Manage | Grants ability to manage Termination Reasons on the User Preferences administrator page. Administrators must also have the User Preferences - Core Information: View permission to access the User Preferences page. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| User Preferences - User Statuses: Manage | Grants ability to manage User Statuses on the User Preferences administrator page. Administrators must also have the User Preferences - Core Information: View permission to access the User Preferences page. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| User Preferences - User Types and Subtypes: Manage | Grants ability to manage User Types and Subtypes on the User Preferences administrator page. Administrators must also have the User Preferences - Core Information: View permission to access the User Preferences page. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| User Rating Templates - Manage |
Grants ability to manage feedback templates for capabilities. This permission cannot be constrained. This is an administrator permission. This permission only works when used in conjunction with the User Rating permission. |
Core Administration |
| User Ratings - Feedback on specific person |
Grants ability to request 360 feedback about a specific user. This permission is intended for administrators, managers, or other leadership roles. This permission can be constrained to User, OU, User's OU, User Self and Subordinates, and User's Direct Subordinates. It is recommended to constrain this permission. Managers should be constrained to "User's Direct Reports." Administrators can constrain themselves or others to a diverse pool of potential raters. |
Core Administration |
| User Ratings - View All Shared Ratings | Grants the ability to view all ratings shared with others in addition to the rater. This permission applies anywhere the ratings are displayed, such as the People Matrix and Skills Profile. This permission is intended for indirect managers or non-managers to view rating data for users over whom they have no oversight. This permission grants access to all OU types, both standard and custom. This permission can be constrained to User, OU, User's OU, User Self and Subordinates, and User's Direct Subordinates. The constraints on this permission determine whose shared ratings the person can view. This is a manager permission. | Core Administration |
| User Ratings - View Ratings and Feedback about Other User |
Grants ability to view ratings history and rating details about other people regardless of the visibility settings on the ratings. Grants ability to view the My Feedback Requests page. Administrators with this permission can view all ratings and feedback about all other users, regardless of the visibility settings of the ratings. This permission cannot be constrained. This permission does not bypass visibility ratings about yourself, which means users cannot use this permission to view ratings provided about themselves that are otherwise not visible to them. This permission is intended for an administrator or talent partner who needs broad access to all ratings occurring within the portal. |
Core Administration |
| User Ratings | For end users, this permission grants the ability to perform ratings and view ratings. For administrators, this permission is required, along with the specific user rating administration permissions to edit rating scales or templates. This permission cannot be constrained. | Core Administration |
| User Record Custom Field Configurable Validations - Manage | Grants ability to manage the configurable validations for user record custom fields within Custom Field Administration. This permission cannot be constrained. This is an administrator permission. This permission is only available to organizations that are using Cornerstone HR. | Core Administration |
| User Upload Photo | Enables users to upload their photo to their user record, via the My Account screen. This is an end user permission. | Core |
| Users - Edit Bypass User Purging | Grants ability to set individual users to bypass user purging on the Edit Users page. This permission only works when used in conjunction with the Users - View and Users - Edit permissions. This permission cannot be constrained. This is an administrator permission. The availability of this permission is controlled by a backend setting. To enable this functionality, contact Global Customer Support. | Core Administration |
| Users - Edit Core Information |
Grants ability to add users and edit core information on a user record, including first name, last name, username, assigned OUs, and custom relationships. This permission works in conjunction with the Users - View and Users - View Core and Edit Custom Fields permissions. This permission cannot be constrained. This is an administrator permission. Note: When the User Record Redesign is enabled in a portal, this permission is disabled. Administrators who previously had this permission are automatically assigned the following permissions:
This permission is obsolete following the retirement of the legacy User Record in the May '17 release. |
Core Administration |
| Users – Edit Custom Field Information | Grants ability to view and edit the custom fields on a user record. Administrators are only able to edit a custom field on a user's user record if the user is within their permission constraints and the administrator is within the availability of the custom field. This permission works in conjunction with the Users - View permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| Users – Edit General Information | Grants ability to edit the general fields on a user record, including first name, last name, username, assigned OUs, and custom relationships. This permission works in conjunction with the Users - View permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| Users - Edit Local System ID | Enables administrator to modify the Local System ID for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View and Users - Edit permissions. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Users - Edit Middle Name | Grants ability to modify the middle name for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. This is an administrator permission. | Core Administration |
| Users - Edit Personal Email Address |
Enables administrator to edit the Personal Email Address for a user via the admin/users screen. This permission cannot be constrained. This is an administrator permission. By default, this permission is included in the System Administrator security role and parent roles of System Administrator. |
Core Administration |
| Users - Edit Prefix | Grants ability to modify the prefix for a user's name via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. This is an administrator permission. | Core Administration |
| Users - Edit Secure User Custom Fields - Unmasked | Grants the ability to edit secure user custom field info unmasked. This permission can be constrained by OU, Restrict to User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, Employee Relationship. This is an administrator permission. | Core Administration |
| Users - Manage OU Based Applicability | Grants access to manage OU-based Applicability for user record custom fields. This permission cannot be restrained. This is an administrator permission. | Core Administration |
| Users - Manage Secure User Custom Fields | Grants the ability to manage the setting secure user custom fields. This permission can be restrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, Employee Relationship. This is an administrator permission. | Core Administration |
| Users - View Secure User Custom Fields - Masked | Grants the ability to view secure user custom field info masked. This permission can be constrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, Employee Relationship. This is an administrator permission. | Core Administration |
| Users - Edit Sensitive Information: Unmasked | Grants ability to view and edit unmasked Sensitive Personally Identifiable Information (SPII) fields on the user record. Administrators with this permission have the option to view and edit the actual data on the user record. This permission can be constrained by OU, User's OU, User's Self, User's Subordinates, User's Direct Subordinates, User, and Employee Relationship. This is an administrator permission. | Core Administration |
| Users - Edit Signature | Grants ability to modify the signature font for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. This is an administrator permission. | Core Administration |
| Users - Edit Suffix | Grants ability to modify the suffix for a user's name via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. This is an administrator permission. | Core Administration |
| Users - Edit User ID | Enables administrator to modify the User ID for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Absent Status | Enables administrator to modify the Absent status for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Active Status | Enables administrator to modify the Active status for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Address | Enables administrator to modify the address for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Approver | Enables administrator to modify the specified Approver for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Email | Enables administrator to modify the Email Address for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Fax | Enables administrator to modify the Fax number for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Language | Enables administrator to modify the portal display language for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Last Hire Date | Enables administrator to modify the Last Hire Date for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Manager | Enables administrator to modify the assigned Manager for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Original Hire Date | Enables administrator to modify the Original Hire Date for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Phone | Enables administrator to modify the Phone number for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Photo | Enables administrator to upload a photo for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Reconciliation | Enables administrator to modify the Reconciliation status for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Required Approvals | Enables administrator to modify the number of required training approvals for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Time Zone | Enables administrator to modify the portal time zone for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Edit Users Type and Status | Enables administrator to view and modify the type and status information for a user via the User Record. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - Manage OU Based Regex | Grants access to manage OU-based Regex patterns for user custom fields. This permission cannot be restrained. This is an administrator permission. | Core Administration |
| Users - Unlock Accounts | Grants ability to unlock user accounts that are currently locked. This permission can be constrained by OU, User's OU, User's Subordinates, and User. This is an administrator permission. | Core Administration |
| Users - View Approver Search | Enables those who can search for and view users via the Admin/User screen to search by users' assigned approver. This permission only works when assigned in conjunction with the Users - View permission. | Core Administration |
| Users - View Core and Edit Custom Fields |
Grants ability to view core information on a user record, including first name, last name, username, assigned OUs, custom relationships, and custom fields. This permission also includes the ability to edit any custom fields that are visible to the administrator. This permission works in conjunction with the Users - View permission. This permission can be constrained by OU, User's OU, User Self and Subordinates, and User. This is an administrator permission. Note: When the User Record Redesign is enabled in a portal, this permission is disabled. Administrators who previously had this permission are automatically assigned the following permissions:
This permission is obsolete following the retirement of the legacy User Record in the May '17 release. |
Core Administration |
| Users - View Criteria Search | Enables those who can search for and view users via the Admin/User screen to search by OU and Group criteria. This permission only works when assigned in conjunction with the Users - View permission. | Core Administration |
| Users – View Custom Field Information | Grants ability to view the custom fields on a user record. Administrators are only able to view a custom field on a user's user record if the user is within their permission constraints and the administrator is within the availability of the custom field. This permission works in conjunction with the Users - View permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| Users – View General Information | Grants ability to view the general fields on a user record, including first name, last name, username, assigned OUs, and custom relationships. This permission works in conjunction with the Universal Profile - User Record - View Users permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| Users - View Local System ID | Enables administrator to view the Local System ID for a user via the admin/users screen. This permission only works when used in conjunction with the Users - View and Users - Edit permissions. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| Users - View Manager Search | Enables those who can search for and view users via the Admin/User screen to search by users' assigned manager. This permission only works when assigned in conjunction with the Users - View permission. | Core Administration |
| Users - View Middle Name | Grants ability to view the middle name for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users and Users - View General Information permissions. This is an administrator permission. | Core Administration |
| Users - View Mobile Phone | Grants ability to view the Mobile Phone number for a user via the Admin/Users screen. The availability of this permission is controlled by a backend setting. This permission only works when used in conjunction with the Users - View permission. | Core Administration |
| Users - View Personal Email Address | Enables administrator to view the Personal Email Address for a user via the admin/users screen. This permission cannot be constrained. This is an administrator permission. By default, this permission is included in the System Administrator security role and parent roles of System Administrator. | Core Administration |
| Users - View Prefix | Grants ability to view the prefix for a user's name via the Admin/User screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users and Users - View General Information permissions. This is an administrator permission. | Core Administration |
| Users - View Sensitive Information: Masked | Grants ability to view masked Sensitive Personally Identifiable Information (SPII) fields on the user record. Administrators with this permission cannot view the actual data. This permission can be constrained by OU, User's OU, User's Self, User's Subordinates, User's Direct Subordinates, User, and Employee Relationship. This is an administrator permission. | Core Administration |
| Users - View Sensitive Information: Unmasked | Grants ability to view unmasked Sensitive Personally Identifiable Information (SPII) fields on the user record. Administrators with this permission have the option to view the actual data on the user record. This permission can be constrained by OU, User's OU, User's Self, User's Subordinates, User's Direct Subordinates, User, and Employee Relationship. This is an administrator permission. | Core Administration |
| Users - View Signature | Grants ability to view the signature font for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. This is an administrator permission. | Core Administration |
| Users - View Suffix | Grants ability to view the suffix for a user's name via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View User ID | Enables administrator to view the User ID for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Absent Status | Enables administrator to view the Absent status for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Active Status | Enables administrator to view the Active status for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Address | Enables administrator to view the address for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Approver | Enables administrator to view the specified Approver for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Email | Enables administrator to view the Email Address for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Fax | Enables administrator to view the Fax number for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Language | Enables administrator to view the portal display language for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Last Hire Date | Enables administrator to view the Last Hire Date for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Manager | Enables administrator to view the assigned Manager for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Original Hire Date | Enables administrator to view the Original Hire Date for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Phone | Enables administrator to view the Phone number for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Photo | Enables administrator to view a photo for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Reconciliation | Enables administrator to view the Reconciliation status for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Required Approvals | Enables administrator to view the number of required training approvals for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Time Zone | Enables administrator to view the portal time zone for a user via the Admin/Users screen. This permission only works when used in conjunction with the Universal Profile - User Record - View Users permission. | Core Administration |
| Users - View Users Type and Status | Grants ability to view user type and status information on the User Record. This permission cannot be constrained. This permission only works when used in conjunction with the Users - View and Users - Edit permissions. | Core Administration |
| Users - View | Grants the ability to search for and view summary information about users in the portal via the Admin/Users screen. This permission can be constrained by OU, User's OU, User Self and Subordinates, and Users. If multiple constraints are added, these constraints are considered OR statements. This is an administrator permission. | Core Administration |
| Welcome Page - View | Grants access to view Welcome Page. This permission cannot be constrained. This is an end user permission. | Core |
| Work Force Planning - Administrator | Grants access to the Headcount Planning page. Users with this permission can also create new headcount plans for any part of the organization, as well as create subplans that have been assigned to them. Administrators can only view plans that they have created or to which they were assigned as a Co-Planner or Primary Planner. This is an administrator permission. | Core Administration |
| Work Force Planning - Cost Model Manager |
Allows user to upload and manage costing files and exchange rates for Planning. |
Core Administration |
| Work Force Planning - Owner | Grants owner-level access to plans. Users with this permission can view their assigned plans and can create plans. This permission cannot be constrained. | Core Administration |
| Work Force Planning - Reporting Analyst | Grants reporting analyst-level access to plans. Users with this permission cannot create plans or edit plan metadata. This permission cannot be constrained. | Core Administration |
| Work Force Planning - Subplanner | Grants the ability to complete subplans that have been assigned to the user as a Primary Planner or a Co-Planner. Users with this permission cannot create new headcount plans or view all plans. Within the plans assigned to them, users can assign subplans to their direct reports. | Core Administration |
Forms Management and Administration Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Form Proxy Completion - Manage | Allows administrator to configure the Proxy Availability settings for a form. These settings determine which users can complete the form on behalf of other users and for which users they can complete the form. This permission can be constrained by OU, User's OU, User, and Employee Relationship. This is an administrator permission. | Forms Administration |
| Form Task Administration - Manage | Grants access to the Form Task Administration functionality. This permission can be constrained by OU and User's OU. This is an administrator permission. | Forms Administration |
| Question Bank - Manage | Grants access to the Question Bank functionality. This permission can be constrained by OU and User's OU. This is an administrator permission. | Forms Management Administration |
Universal Profile Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Action Items - Forms | Grants ability to view Form actions via the Universal Profile - Actions page or the Welcome/Custom page Actions widget. This permission cannot be constrained. | Universal Profile |
| Action Items - View | Grants ability to view action items on the Action Items page and in the Your Action Items widget. Users without this permission cannot access the Action Items page. This permission can be constrained by Employee Relationship, OU, User's OU, User's Self and Subordinates, and User's Self. This is an end user permission. | Universal Profile |
| Bio About Preferences - Manage | Enables administrator to access and edit the Bio About Preferences page. The availability of this permission is controlled by a backend setting. This permission can be constrained by OU and User's OU. This is an administrator permission. | Universal Profile |
| Bio Career Preferences - View | Grants ability to view the Bio - Career Preferences page for users within the permission constraints. This permission can be constrained by Employee Relationship, OU, User's OU, User Self and Subordinates, User's Direct Reports, User's Self, and User. | Universal Profile |
| Documents - Delete | Enables user to delete a file that has been uploaded to the Snapshot - Documents page. The constraints on this permission determine which documents the user can delete. This permission can be constrained by Employee Relationship, OU, User's OU, User Self and Subordinates, Self and Direct Reports, User's Self, User's Manager, User's Superiors, User's Subordinates, and User's Direct Reports. | Universal Profile |
| Feedback - Delete | Enables user to delete a feedback post or comment on a user's page. The user can delete feedback from the Feedback page of any user who is within the permission constraints. This permission can be constrained by OU, User's OU, User Self and Subordinates, and User's Self. The permission constraints apply to the creator of the post or comment, not the target user. | Universal Profile |
| Feedback - Request |
Enables user to request feedback from the Feedback page of their Universal Profile. Users can only request feedback from other users within their permission constraints. This permission can be constrained by OU, User's OU, User Self and Subordinates, and User's Self. This is an end user permission. Note: This permission should not be constrained by Employee Relationship, as this constraint would not be effective and does not stop the user from requesting feedback from users outside of Employee Relationship constraint if applied. Note: This permission should not be constrained by Restrict to Employee Relationship because the User Picker is unable to evaluate this constraint. |
Universal Profile |
| Feedback - View and Post | Enables user to view the Feedback page of the Universal Profile and to post feedback. Users can only view the Feedback page for users within their permission constraints. Similarly, users can only post feedback for users within their permission constraints. This permission can be constrained by OU, User's OU, User Self and Subordinates, User's Self, and Employee Relationship. This is an end user permission. | Universal Profile |
| Feedback Details - View | Enables user to view the Feedback Details page and provide feedback when they are requested to provide feedback. This permission cannot be constrained. This is an end user permission. | Universal Profile |
| Feedback Preferences - Manage | Enables administrator to access and edit the Feedback Preferences page. From this page, administrators can configure which options are available when users are requesting and providing feedback within the Universal Profile: Feedback page. This permission can be constrained by OU and User's OU. This is an administrator permission. | Universal Profile |
| Feedback - Request for other users | Enables user to request feedback on behalf of other users from their Feedback page. This permission can be constrained by User's Subordinates, Direct Reports, and Custom Relationship. | Universal Profile |
| Snapshot - Badges |
Enables user to view the Badges widget and subpage within the Universal Profile - Snapshot page for users within their permission constraints. Any user with this permission will always be able to view their own Badges widget when the widget is enabled. This permission also allows end users to view the Badges field on the Learner Home page. This permission works in conjunction with the Snapshot Main - View permission. This permission can be constrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, and Employee Relationship. Best Practice: For most users, this permission should be constrained by User Self and Subordinates. |
Universal Profile |
| Snapshot - Competencies | Enables user to view the Competencies widget and subpage within the Universal Profile - Snapshot page for users within their permission constraints. This permission can be constrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, and Employee Relationship. Best Practice: For most users, this permission should be constrained by User Self and Subordinates. | Universal Profile |
| Snapshot - Development Plans |
Enables user to view the Development Plans widget and subpage within the Universal Profile - Snapshot page for users within their permission constraints. This permission can be constrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, and Employee Relationship. Best Practice: For most users, this permission should be constrained by User Self and Subordinates. |
Universal Profile |
|
Snapshot Goals - Manage |
Enables user to manage their own goals, and others public goals, using the Goals widget and subpage within the Universal Profile - Snapshot page, for users within their permission constraints. This permission can be constrained by Employee Relationship, OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, and User's Direct Reports. Best Practice: For most users, this permission should be constrained by User Self and Subordinates. |
Universal Profile |
|
Snapshot Goals - View |
Enables user to view their own goals, and others’ public goals, using the Goals widget and subpage within the Universal Profile - Snapshot page, for users within their permission constraints. This permission can be constrained by Employee Relationship, OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, and User's Direct Reports. Best Practice: For most users, this permission should be constrained by User Self and Subordinates. Note: Managers can assign this permission to select subordinates when they are away from the office for an extended period. |
Universal Profile |
| Snapshot - Leaderboard | Enables user to view the Leaderboard widget and subpage within the Universal Profile - Snapshot page for users within their permission constraints. This permission works in conjunction with the Snapshot Main - View permission. This permission can be constrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, and Employee Relationship. Any user with this permission will always be able to view their own Leaderboard widget when the widget is enabled. Best Practice: For most users, this permission should be constrained by User Self and Subordinates. | Universal Profile |
| Snapshot - Peers | Grants ability to view the Peers widget within the Universal Profile - Snapshot page. This permission can be constrained by OU, User's OU, User's Self and Subordinates, User, User's Self, User's Subordinates, and User's Direct Reports. This is an end user permission. | Universal Profile |
| Snapshot - Reviews |
Enables user to view the Reviews widget and subpage within the Universal Profile - Snapshot page for users within their permission constraints. This permission can be constrained by OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, User's Direct Reports, and Employee Relationship. Best Practice: For most users, this permission should be constrained by User Self and Subordinates. |
Universal Profile |
| Snapshot Documents - View | Grants ability to view the Documents widget and subpage within the Universal Profile - Snapshot page. This permission can be constrained by Employee Relationship, OU, User's OU, User's Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, and User's Direct Reports. This is an end user permission. | Universal Profile |
| Snapshot Folder Preferences - Manage | Enables administrator to view the Folder Preferences Admin page and manage folder creation, access, and deletion for the Documents page within Universal Profile: Snapshot. This permission cannot be constrained. This is an administrator permission. | Universal Profile |
| Snapshot Main - View | Enables user to view the Snapshot page for users within their permission constraints. This permission can be constrained by Employee Relationship, OU, User's OU, User Self and Subordinates, User, User's Self, User's Manager, User's Superiors, User's Subordinates, and User's Direct Reports. Best Practice: For most users, this permission should be constrained by User Self and Subordinates. | Universal Profile |
| Snapshot Preferences – Manage | Enables administrator to access and edit the Snapshot Preferences page. This permission can be constrained by Employee Relationship, OU, and User's OU. This is an administrator permission. | Universal Profile |
| Snapshot Succession – Manage | Enables user to view the Succession widget and subpage within the Universal Profile - Snapshot page for users within their permission constraints. On this page, users can view and manage successors and successor ratings. Users cannot view their own Succession widget and subpage, regardless of permissions. This permission can be constrained by OU, User's Subordinates, User's Direct Subordinates, and Employee Relationship. | Universal Profile |
| Snapshot Succession - View | Enables user to view the Succession widget and subpage within the Universal Profile - Snapshot page for users within their permission constraints. On this page, users can view successors and successor ratings. Users cannot view their own Succession widget and subpage, regardless of permissions. This permission can be constrained by OU, User's Subordinates, User's Direct Subordinates, and Employee Relationship. For most users, this permission should be constrained by User Self and Subordinates. | Universal Profile |
| Universal Profile Preferences - Manage | Enables administrator to access and edit the Universal Profile General Preferences page. This permission can be constrained by OU and User's OU. This is an administrator permission. | Universal Profile |
Workflow Engine Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Workflows - Global Settings | Grants access to manage Global Workflow Settings. | Workflow Engine |
| Workflow Engine - Initiate Workflows | Grants ability to initiate the first step of a workflow. | Workflow Engine |
| Workflow Executions - Manage | Grants access to manage Workflow Executions. | Workflow Engine |
| Workflow - Management Page | Grants access to manage their Workflows, Global Workflow Settings, and view Workflow Executions. | Workflow Engine |
| Workflow - Mass Enrollment | Grants access to the mass enrollment functionality. This permission cannot be constrained. | Workflow Engine |
| Workflow Engine - Workflow Library - Manage | Grants access to view, edit, and publish workflows in the Workflow Library. This is an administrator permission. | Workflow Engine |
View Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| View Data: Preferences | Grants access View Data Preferences. This permission can be constrained by OU, User's OU, User, User Self and Subordinates, User's Subordinates, User's Direct Subordinates, and User's Corporation. | View |
| View Data: View | Grants access to View Data. This permission can be constrained by OU, User's OU, User, User Self and Subordinates, User's Subordinates, User's Direct Subordinates, and User's Corporation. | View |
| View People Preferences Page | Grants access to the View People Preferences page, which allows administrators to configure the View People page according to their needs per organizational unit (OU). This permission can be constrained by OU, User's OU, User, User Self and Subordinates, and User's Subordinates. | View |
| View People: Share | Grants access to open View People to view shared lists. Can dynamically grant access to users to only view the lists that have been shared with the user. This permission can be constrained by OU, User's OU, User, User Self and Subordinates, User's Direct Reports, and User's Subordinates. | View |
| View People: View | Grants access to open View People to see results and share lists. This permission can be constrained by OU, User's OU, User, User Self and Subordinates, and User's Subordinates. | View |
Edge and Data Load Permissions
Data Load Wizard Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Data Load Wizard - Compensation | Enables administrator to load compensation data via the Data Load Wizard. This permission also enables administrators to track data loads and manage data load templates. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Data Load Queue | Enables administrator to access the Data Load Queue screen, which displays all data loads, including current and past loads. Constraints can be applied to this permission. However, these constraints do not impact which data loads are visible to the administrator. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Feed Configuration: Compensation – Create | Enables administrator to access the Feed Summary page in order to create and edit compensation data feeds. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Feed Configuration: Compensation – Run Feed | Enables administrator to access the Feed Summary page in order to manually run a compensation data feed once it has been created. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Feed Configuration: Compensation - Save | Enables administrator to access the Feed Summary page in order to view and edit compensation data feeds. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Group Data Load | Enables administrator to load group data via the Data Load Wizard. This permission also enables administrators to track data loads and manage data load templates. This permission cannot be constrained. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Manage Templates | Enables administrator to access the Manage Templates page within the Data Load Wizard. From the Manage Templates page, administrators can view, download, and archive templates. This permission cannot be constrained. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - OUs | Enables administrator to load OUs. This permission also enables administrators to track data loads and manage data load templates. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Resume | Enables administrator to load resume data via the Data Load Wizard. This permission also enables administrators to track data loads and manage data load templates. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Set User Password | Enables administrator to set a default password for new users when loading users. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Track Data Loads | Enables administrator to access the Track Data Loads page within the Data Load Wizard. From the Track Data Loads page, administrators can print and download error and archive logs. This permission cannot be constrained. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Users | Enables administrator to load users. This permission also enables administrators to track data loads and manage data load templates. This is an administrator permission. | Data Load Wizard |
| Data Load Wizard - Enable User GUID | Enables the GUID in the Data Load Wizard User Load and mapping template. This enables organizations to include the GUID as the primary key for user data loads. This permission cannot be constrained. | Data Load Wizard |
Edge Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Access Edge Bulk API History | Grants access to the Bulk API History page, which displays all the loads that have been performed using the Bulk API. Administrators can select a load to view additional details of the load, including the results. This permission cannot be constrained. This is an administrator permission. | Edge |
| Access Edge Bulk API |
Grants ability to access and utilize the Bulk API. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge |
| Bulk API - Cost Center OU |
Grants ability to use the Bulk API to load cost center organizational unit (OU) data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge |
| Bulk API - Custom OU |
Grants ability to use the Bulk API to load custom organizational unit (OU) data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge |
| Bulk API - Division OU |
Grants ability to use the Bulk API to load division organizational unit (OU) data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge |
| Bulk API - Employee |
Grants ability to use the Bulk API to load employee data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge |
| Bulk API - Grade OU |
Grants ability to use the Bulk API to load grade organizational unit (OU) data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge |
| Bulk API - Legal Entity OU |
Grants ability to use the Bulk API to load legal entity organizational unit (OU) data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge |
| Bulk API - Location OU |
Grants ability to use the Bulk API to load location organizational unit (OU) data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge |
| Bulk API - Position OU |
Grants ability to use the Bulk API to load position organizational unit (OU) data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge |
| Download Reports Access when portal opts-in for Restrict reports access - Edge Import |
Grants ability to download Edge Import load details reports for loads performed by others. Users who do not have this permission cannot download load import results for loads performed by others. In addition, users without this permission cannot load data for someone who has previously only validated their data. This permission cannot be constrained. This is an administrator permission. This permission is only available and applicable when the portal has enabled the restriction for Edge Import load details report access. |
Edge |
| Edge APIs - Manage | Grants ability to manage Edge APIs on the API Management page. | Edge |
| Edge Develop - API Explorer | Grants access to the API Explorer, which provides access to help documentation for various API applications. | Edge |
| Edge Endpoints - Create Secret | Grants access to create the secret key for Edge Endpoints used with Webhooks. This permission can be constrained by OU and User. This is an administrator permission. | Edge |
| Edge Endpoints - Manage | Grants access to view, create, edit, and verify Edge Endpoints used with Webhooks. This permission can be constrained by OU and User. This is an administrator permission. | Edge |
| Edge Integrations - Manage | Grants access to the Integrations service for Edge Integrate, where the administrator can configure, enable, and disable their third-party integrations used within the Cornerstone system. This permission cannot be constrained. This is an administrator permission. | Edge |
| Edge Webhooks - Manage | Grants access to view, create, and edit Edge Webhooks. This permission can be constrained by OU and User. This is an administrator permission. | Edge |
| Edge Webhooks - Start/Stop | Grants access to start and stop Edge Webhooks. This permission can be constrained by OU and User. This is an administrator permission. | Edge |
| Edge Webhooks - View | Grants access to view Edge Webhooks. This permission can be constrained by OU and User. This is an administrator permission. | Edge |
| Employee API - Edit |
Grants ability to use the Employee API v2 to create and update users. This permission can be constrained by OU and User's OU. The constraints on this permission limit what data is accessible via the Employee API v2. This is an administrator permission. This permission is only available when the Employee API v2 is enabled via Edge Marketplace. |
Edge |
| Employee API - View - Constrained |
Grants ability to use the Employee API v2 to view employee data with constraints. This permission can be constrained by User, OU, and User's OU. The constraints on this permission limit what data is accessible via the Employee API v2. This is an administrator permission. This permission is only available when the Employee API v2 is enabled via Edge Marketplace. |
Edge |
| Employee API - View |
Grants ability to use the Employee API v2 to view employee data. This permission can be constrained by OU, and User's OU. The constraints on this permission limit what data is accessible via the Employee API v2. This is an administrator permission. This permission is only available when the Employee API v2 is enabled via Edge Marketplace. |
Edge |
Edge Import Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Access Bulk API - LMS - Curriculum |
Grants ability to use the Bulk API to load curriculum learning object and structure data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - Events |
Grants ability to use the Bulk API to load event learning object data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - Event Transcript Update |
Grants ability to use the Bulk API to load event transcript update data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - ILT Instructors |
Grants ability to use the Bulk API to load ILT instructor data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - ILT Transcripts |
Grants ability to use the Bulk API to load instructor-led training (ILT) transcript data, session transcript custom fields data, and event transcript custom fields data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - LO Availability | Grants access to the LO Availability load in the Bulk API. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Bulk API - LMS - Material |
Grants ability to use the Bulk API to load material learning object data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - Online Course |
Grants ability to use the Bulk API to load online course learning object data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - Online Transcripts |
Grants ability to use the Bulk API to load online transcripts data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - Sessions |
Grants ability to use the Bulk API to load event session data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - Subjects |
Grants ability to use the Bulk API to load subject data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - Test Transcripts |
Grants ability to use the Bulk API to load test transcript data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - Test |
Grants ability to use the Bulk API to load test learning object data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access Bulk API - LMS - Video |
Grants ability to use the Bulk API to load video learning object data. This permission cannot be constrained. This is an administrator permission. This permission is only available when the Bulk API is enabled via Edge Marketplace. |
Edge Import |
| Access CHR - Employee Load | Grants access to the Cornerstone HR (CHR) employee data load via Edge Import. This permission and data load type are only available to organizations using CHR. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Edge Import | Grants access to the Edge Import tool, which enables administrators to load data into their portal. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Edge Import Workflow - Cost Center | Grants access to the Cost Center organizational unit data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Edge Import Workflow - Custom OU | Grants access to the Custom organizational unit data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Edge Import Workflow - Division | Grants access to the Division organizational unit data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Edge Import Workflow - Grade | Grants access to the Grade organizational unit data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Edge Import Workflow - Group | Grants access to the Group organizational unit and Group Membership data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Edge Import Workflow - Legal Entity | Grants access to the Legal Entity organizational unit data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Edge Import Workflow - Location | Grants access to the Location organizational unit data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access Edge Import Workflow - Position | Grants access to the Position organizational unit data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Curriculum Load |
Grants ability to access load reports and perform Curriculum load and Curriculum Structure loads via Edge Import. This permission cannot be constrained. This is an administrator permission. |
Edge Import |
| Access LMS - Curriculum Transcripts Load | Grants access to the Curriculum Transcripts data load via Edge Import. This permission can be constrained by OU and Provider. This is an administrator permission. | Edge Import |
| Access LMS - Event Transcript Update Feed | Grants access to the Event Transcript Update data feed via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Event Transcript Update Load | Grants access to the Event Transcript Update data load via Edge Import. This permission can be constrained by OU and Provider. This is an administrator permission. | Edge Import |
| Access LMS - Events Load | Grants access to the Events data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - External Training Load | Grants access to the External Training data load via Edge Import. This permission can be constrained by OU. This is an administrator permission. | Edge Import |
| Access LMS - Facilities Load | Grants access to the Facilities data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - ILT Instructors Feed | Grants access to the ILT Instructors data feed via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - ILT Instructors Load | Grants access to the ILT Instructors data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - ILT Transcripts Load | Grants access to the ILT Transcripts data load via Edge Import. This permission can be constrained by OU and Provider. This is an administrator permission. | Edge Import |
| Access LMS - LO Availability Feed | Grants access to the LO (Learning Object) Availability data feed via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - LO Availability Load | Grants access to the LO (Learning Object) Availability data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - LO Catalog Update Load | Grants access to the LO Catalog Update data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Material Transcripts Load | Grants access to the Material Transcripts data load via Edge Import. This permission can be constrained by OU and Provider. This is an administrator permission. | Edge Import |
| Access LMS - OLCO Metadata Feed | Grants access to the Online Content Metadata data feed via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - OLCO Metadata Load | Grants access to the Online Content Metadata data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - OLCO Transcript Feed | Grants access to the Online Content Transcript and Online Content Transcript Custom Field data feed via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - OLCO Transcript Load | Grants access to the Online Content Transcript and Online Content Transcript Custom Field data load via Edge Import. This permission can be constrained by OU and Provider. This is an administrator permission. | Edge Import |
| Access LMS - Online Course Assets Feed | Grants access to the Online Course Assets data feed via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Online Course Assets Load | Grants access to the Online Course Assets data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Online Course Metadata Load | Grants access to the Online Course Metadata data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Online Transcripts Load | Grants access to the Online Transcripts data load via Edge Import. This permission can be constrained by OU and Provider. This is an administrator permission. | Edge Import |
| Access LMS - Providers Load | Grants access to the Providers data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Question Category Load | Grants access to the Question Category data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Question Load | Grants access to the Question data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Session Parts Load | Grants access to the Session Parts data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Sessions Load | Grants access to the Sessions data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Subjects Feed | Grants access to the Subjects data feed via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Subjects Load | Grants access to the Subjects data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Test Mapping Load | Grants access to the Test Mapping data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Test Transcripts Load | Grants access to the Test Transcripts data load via Edge Import. This permission can be constrained by OU and Provider. This is an administrator permission. | Edge Import |
| Access LMS - Tests Load | Grants access to the Tests data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Access LMS - Video Transcripts Load | Grants access to the Video Transcripts data load via Edge Import. This permission can be constrained by OU and Provider. This is an administrator permission. | Edge Import |
| Access LMS - Videos Load | Grants access to the Videos data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Create/Update Configurations | Grants ability to create and update Edge Import configurations. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Delete Configurations | Grants ability to delete Edge Import configurations. Users with this permission can delete configurations created by anyone for all types of data imports. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Delete Feeds | Grants ability to delete disabled Edge Import feeds. Users with this permission can delete disabled feeds created by anyone for all types of data feeds. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Edge Import - Competency Bank Load | This permission enables administrators to load competency data via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Edge Import - Employee Load Constrained | This permission enables organizations to constrain an administrator's ability to load employee data. Administrators can only load employee data if the employee is within the constraints on this permission. This permission can be constrained by OU. This is an administrator permission. | Edge Import |
| Edge Import - Load Employee Salary | Grants access to the employee salary data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Edge Import - Load Review Scores | Grants access to upload or override the rating score for reviewees via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Edge Import - Load Review Scores and PDFs | Grants access to load performance review scores and PDFs via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Edge Import - Load Salary Structures | Grants access to the salary structure load for Compensation via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Edge Import - User Goal Load | Grants access to the User Goal Load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Edge Import Learning - Modify Training Creator | Grants the ability to modify the "created by" value for training in the LO Catalog Update data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
| Edge Import Learning - Modify Training ID | Grants the ability to modify the "Training ID" value for training in the LO Catalog Update data load via Edge Import. This permission cannot be constrained. This is an administrator permission. | Edge Import |
Reporting Permissions
Reporting 2.0 Permissions
The granular model uses the Reporting 2.0 permissions to allow you to create more specific reports by report field. For this reason, permissions are at more of a granular level with this functionality.
The permissions are broken down by the main product level permission, section level, and then at the field level. For example, if you wanted to report on Instructor Led Training (ILT) in the system, you would need:
- The Reporting - Manage permission to create reports.
- The Reporting - View permission to preview reports and view reports.
- The top-level product specific permission to create reports related to that product.
- e.g. Reporting - Learning - Manage
- The section specific permission to create reports for that feature within the product.
- e.g. Reporting - Learning - ILT - Manage
- The field level permissions to be able to create reports with the specific fields for that feature within the product.
- e.g. Reporting - Learning - ILT - ILT Facility - Manage
If a user does not have each level of permission, then they may not have access to the report builder, or the section may not be visible, or the fields within the section may not be visible. Also, if a user does not have the top-level product permission, then none of the fields for that product will be visible, such as the fields for LMS reports.
The power of this granularity of permissions is that you can give access to as many or as few fields as necessary for your users. For example, you may give users access to the User section but not give them access to the User Identifier section if that contains sensitive data for your portal.
If a user has all relevant permissions, but the backend setting for a particular area is set to FALSE, any fields related to that section will still appear blank in a report. An example where this could occur is SCORM 2004 quiz data.
Note: When a user has a top-level, section, or field level permission, it is not necessary to also assign the or permissions since the more granular product specific permissions will give the user access to Reporting 2.0.
Note: Due to sensitivity, users who need to report on Gender, Ethnicity and Grade information, would need the following permissions in addition to the reporting permissions:
- For Gender: User Upload - Gender
- For Ethnicity: User Upload - Ethnicity
- For Grades: View Grades
List of Permissions
For the full list of permissions and their relationships, see the permissions spreadsheet.
Apply Owner Constraints Permission
The permission grants the ability to turn on the Apply Owner Constraints setting for reports in the Report Properties panel. This setting affects shared users, delivery, and reports published to dashboards.
When the setting is enabled, the report owner's constraints are applied to the report, and users that run the report will see the report with the report owner's constraints instead of their own. For reports published to dashboards the owner constraints are only applied if the underlying report is also shared with the user. If just the dashboard is shared, but not the report itself, the users own constraints are applied even though the toggle is set to apply owner constraints.
Due to the possibility of unintended user data becoming visible to a user viewing a report with the report owner's constraints, it is recommended that filters be added to the report to restrict data visibility. It is also recommended that the report owner test the report prior to sharing to ensure the data visibility is appropriate and intended.
Download Permission
The permission grants users the ability to download Reporting 2.0 reports. This permission cannot be constrained; however, when users download a report, any Reporting - View constraints are applied. Users with the permission see the download option on the Report Home and the Report Viewer.
For clients that have already opted in and previously activated Reporting 2.0, this new permission is added automatically to the System Administrator role and to any security role that currently has at least one Reporting - View permission.
For clients that are opting in and activating Reporting 2.0 for the first time with the August ’18 Release, this new permission is available to administrators in the System Administrator role who can then add the permission to other roles at their discretion. Users without this permission will not see any download options in the Report Home or the while Viewing Reporting 2.0 reports.
Email Delivery Permission
The permission grants the ability to deliver reports in Reporting 2.0. Users must also have permission to view reports. The permission can be used in conjunction with the various product, section, and field level permissions. Users must have permission to view Reporting 2.0 in order to have access to a report that is delivered to them. If they do not have view access, then the Reporting 2.0 navigation sublink will not display for them.
Users who have permission to manage Reporting 2.0 can edit a report that is delivered to them. They can also copy the delivered report.
The following constraints are available for this permission:
- OU
- User’s OU
- User Self and Subordinates
- User
- User's Self
- User's Manager
- User's Superiors
- User’s Subordinates
- User’s Direct Subordinates
- Employee Relationship
FTP Delivery Permission
The permission grants the ability to schedule delivery of Reporting 2.0 reports to an FTP directory. This permission cannot be constrained.
This permission is used in conjunction with the view permission for Reporting 2.0 and can also be used in conjunction with the various product, section, and field level permissions. Users must have permission to view Reporting 2.0 in order to have access to a report that is delivered to them. If they do not have view access, then the Reporting 2.0 navigation sublink will not display for them.
Users who have permission to manage Reporting 2.0 can edit a report that is delivered to them. They can also copy the delivered report.
Global Calculated Fields Permission
The permission grants the ability to publish calculated fields to all users. This permission cannot be constrained.
Note: Calculated fields can be created by all users who have permission to create reports in Reporting 2.0. However, in order to publish the calculated field globally, a user needs permission to manage global calculated fields.
Manage Custom Recruiting Integrations Permission
The permission grants access to build and manage reports in the Custom Integrations section. This permission cannot be constrained.
View Custom Recruiting Integrations Permission
The permission grants access to view the Custom Integrations section in reporting. This permission cannot be constrained.
Share Reports Permission
The option for sharing reports is only visible to users who have the Reporting - Share permission. Users without the permission can still receive shared reports, but constraints (for other permissions, such as Reporting - Core permissions) will be respected. For example, if you share a report that contains data around Location A and the user receiving the report is constrained to only see data for Location B, the report would not contain any records.
The following constraints are available for this permission:
- OU
- User’s OU
- User Self and Subordinates
- User’s Direct Report
- User
- User's Self
- User's Manager
- User's Superiors
- User’s Subordinates
- User’s Direct Subordinates
- Relationship
System Templates Permission
The permission grants users the ability to use all system templates. System templates are available for generating certain Learning, Core, and Performance data.
This permission works in conjunction with other Reporting 2.0 permissions. For example, users without the Reporting - Learning - View permission will not see any templates for Learning.
This permission is automatically added to the Cornerstone Administrator and System Administrator security roles in all portals that have self-enabled Reporting 2.0.
Sharing Reports Created with a System Template
When you share a report that was created using a template, the shared users will be able to view the report without needing to be granted the Reporting - System Templates permission. The permission is only needed for administrators who should distribute templates to their users.
Permission Constraints
Constraints exist at the section level for permissions. The following constraints are available:
- OU
- User’s OU
- User Self and Subordinates
- User’s Direct Report
- User
- Learning-specific constraints:
- Provider
- Training Item
- Training Type
- Requisition-specific constraints:
- User's Division
- User's Position
- User's Location
- Division
- Position
- Location
Note: Constraints are applied differently for Recruiting reports. Multiple criteria for the same OU type use the OR logic (e.g., only constraints for Location OU), while inter-OU type criteria use AND logic (e.g., a constraint for Location OU and a constraint for Division OU).
For all other reports, the regular constraint logic is applied. See this Knowledge Article for more details about the general constraint logic: https://cornerstoneondemand.my.site.com/s/articles/Several-constraints-added-to-permission-work-as-OR-statements.
Reports - Dashboards Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Dashboard - Create | Grants the ability to create a dashboard of one or more graphical standard reports and/or charts that can be saved and refreshed at-will to update the results on an ongoing basis. User must also have permission for at least one of the standard reports that are designated for use in dashboards, or for a Reporting 2.0 report with chart that has been published to Dashboards. If a user does not have permission to view a report type, the user cannot add that report type to the dashboard. | Reports - Dashboards |
| Dashboard - Share | Grants the ability to share a dashboard created by self with other users within the portal who may then view and refresh the results of the dashboard at-will. This permission works in conjunction with the Create Dashboard permission. | Reports - Dashboards |
| Dashboard - View |
Grants the ability to view dashboards created by self or shared by others. User must also have permission to view the standard, custom or Reporting 2.0 reports that are included in any shared dashboards. If a user does not have permission to view a report type, the user cannot view that report type within the dashboard. This is an end user permission. |
Reports - Dashboards |
Reports - System (Standard Reports) Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Dashboards Details Report | Grants access to view the Dashboards Details Report, which displays details related to the dashboards in their portal, such as the dashboard creator and with whom the dashboard is shared. This permission cannot be constrained. This is an administrator permission. | Reports - System |
| Groups Criteria Report | Grants access to the Group Criteria Report, which enables organizations to retrieve the criteria defined for one or more groups in their portal. This permission cannot be constrained. | Reports - System |
| Login Report | Grants access to the Login Report, which enables organizations to report which users have logged in to the portal and when. This permission cannot be constrained. | Reports - System |
| OU Audit Report | Grants access to OU Audit report, which displays audit information for changes made to organizational units. This permission can be constrained by OU, User's OU, and User's Corporation. | Reports - System |
| OU Hierarchy Report | Grants access to OU Hierarchy Report, which displays details of each organizational unit for a selected OU type. | Reports - System |
| Proxy as User Report | Grants access to the Proxy as User Report, which enables organizations to report on which users have logged in to the portal and when. This permission cannot be constrained. | Reports - System |
| Reporting 2.0 Delivery Log | Grants access to view the Reporting 2.0 Delivery Log, which displays user-level information about deliveries for your Reporting 2.0 Reports. | Reports - System |
| Reporting 2.0 Report Details |
Grants access to view the Reporting 2.0 Report Details, which displays information about the Reporting 2.0 reports created and ran. The Reporting 2.0 Report Details permission can be constrained by OU and User constraints. The constraints apply to the recipient user. The Reporting 2.0 Report Details permission will be assigned to the Cornerstone Administrator and System Administrator roles by default. |
Reports - System |
| Security Role - Audit Report | Grants access to the Security Role - Audit Report, which enables organizations to report on which users have been assigned to which security roles and the security role modification history. This permission cannot be constrained. | Reports - System |
| Security Role - User Permission Report | Grants access to the Security Role - User Permission Report, which enables organizations to report on the roles assigned to a user and the permissions and constraints associated with those roles. This permission cannot be constrained. | Reports - System |
| User Audit Report - Detailed | Grants access to the User Audit standard report, which displays detailed changes to user data. Users with this permission must also have permission to view user fields in other areas of the system. The users and fields available in this report are controlled by additional permissions. This permission can be constrained by OU, User's OU, User's Subordinates, User's Direct Subordinates, User's Self, User Self and Subordinates, User, and Employee Relationship. The constraints on this permission limit the users and OUs that are available when running the report. This is an administrator permission. | Reports - System |
| User Record as of a Date | Grants access to run the User Record as of a Date report, which displays user data as of a specified effective date. This permission can be constrained by OU, User's OU, User Self and Subordinates, and User. The constraints on this permission limit the users and OUs that are available when running the report. Also, the constraints are based on the data as of the effective date of the report. This is an administrator permission. | Reports - System |
| User Record Audit Report | Grants access to User Record Audit report, which displays user record modification history. The selected constraints function independently and are then combined to determine the availability for this report. | Reports - System |
| User's OUs and Groups Report | Grants access to User's OUs & Groups Report, which lists all of the OUs and Groups to which a user belongs, and can include OUs and Groups to which a user has belonged in the past. | Reports - System |
Reports - Track Employee (Standard Reports) Permissions
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Employee Transcripts - Manager/Approver Access |
Grants access to transcript (training record) screen of those for whom user is designated manager, approver or cost center approver. System administrators can access all user transcripts from this page. Link to this screen appears under Standard Reports/Track Employees. This is a manager/approver permission. This permission can be constrained by Employee Relationship and User's Direct Subordinates. Note: The Employee Relationship constraint allows administrators to constrain the permission to a user’s custom employee relationship. For example, an administrator can select to restrict the Matrix Manager relationship to viewing user data for users who have that Matrix Manager indicated on their user record. Note: The User's Direct Subordinates constraint allows administrators to constrain the data that a user can view to only the data for their direct reports. The user will not be able to view their own data with this constraint. Note: By design, for any Track Employees report permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. |
Reports - Track Employee |
| Form Management Status Report | Grants access to Form Management Status report, which displays form task status summary by user. Note: By design, for any Track Employees report permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. | Reports - Track Employee |
| ILT No Show Report - Manager Version | Grants access to manager version of the ILT No Show Report, which displays attendance summaries and lists of subordinates who were registered for but did not attend any parts of instructor led training sessions. Note: By design, for any Track Employees report permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. | Reports - Track Employee |
| ILT Session Withdrawal Report - Manager Version |
Grants access to Session Withdrawal report for subordinates of the user. The report displays subordinates who registered and later withdrew their registration, including reasons for withdrawal. This is a manager report. This permission can be constrained by Employee Relationship and User's Direct Subordinates. Note: The Employee Relationship constraint allows administrators to constrain the permission to a user’s custom employee relationship. For example, an administrator can select to restrict the Matrix Manager relationship to viewing user data for users who have that Matrix Manager indicated on their user record. Note: The User's Direct Subordinates constraint allows administrators to constrain the data that a user can view to only the data for their direct reports. The user will not be able to view their own data with this constraint. Note: By design, for any Track Employees report permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. |
Reports - Track Employee |
| Past Training Requests Report |
Grants access to Past Requests, an interactive report that displays training requests the user has already approved, deferred, or denied. The user may change the approval decision for training that an employee has not yet registered for. This is an approver permission. Note: By design, for any Track Employees report permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. |
Reports - Track Employee |
| Track Employees - Employee Records |
Grants access to Employee Records, enabling manager to view basic user and transcript data for a single direct or indirect report. This is a manager permission. This permission can be constrained by User's Direct Subordinates. Note: The User's Direct Subordinates constraint allows administrators to constrain the data that a user can view to only the data for their direct reports. The user will not be able to view their own data with this constraint. Note: By design, for any Track Employees report permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. |
Reports - Track Employee |
| Track Employees - Past Due Report | Grants access to Employee Past Due report, which displays past due training for subordinate employees (system administrators see all employees). This is a manager report. Note: By design, for any Track Employees report permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. | Reports - Track Employee |
| Track Employees - Training Progress Pie Chart |
Grants access to Employee Training Progress Summary Report, a pie chart report that displays transcript status on a single learning object for a manager's direct reports. This is a manager permission. This permission can be constrained by Employee Relationship and User's Direct Subordinates. Note: The Employee Relationship constraint allows administrators to constrain the permission to a user’s custom employee relationship. For example, an administrator can select to restrict the Matrix Manager relationship to viewing user data for users who have that Matrix Manager indicated on their user record. Note: The User's Direct Subordinates constraint allows administrators to constrain the data that a user can view to only the data for their direct reports. The user will not be able to view their own data with this constraint. Note: By design, for any Track Employees report permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. |
Reports - Track Employee |
| Track Employees - Training Status Summary Report |
Grants access to Employee Training Status Summary Report, which displays transcript status of all training for a manager's direct reports, and allows the manager to view the transcript details for any learning object listed on the report. This is a manager permission. This permission can be constrained by Employee Relationship and User's Direct Subordinates. Note: The Employee Relationship constraint allows administrators to constrain the permission to a user’s custom employee relationship. For example, an administrator can select to restrict the Matrix Manager relationship to viewing user data for users who have that Matrix Manager indicated on their user record. Note: The User's Direct Subordinates constraint allows administrators to constrain the data that a user can view to only the data for their direct reports. The user will not be able to view their own data with this constraint. Note: By design, for any Track Employees report permission that is included in the Manager default security role, all of the manager's direct and indirect reports are included in the constraints, even if they are not selected in the permission constraints for the role. |
Reports - Track Employee |
Additional Permissions
A full list of all permissions is also available. See Security Permissions.