User Record - Sensitive Information
The User Record page is organized into sections. The Sensitive Information section is only available on the User Record when Encrypted Sensitive Information is enabled in the portal, and this functionality is only available to organizations using Cornerstone HR. This section enables organizations to view and edit Sensitive Personally Identifiable Information (SPII) fields.
To add a new user record, go to . Then, select the Add User link.
Edit a user's user record in one of the following ways:
- Go to and select the name of the appropriate user.
- Navigate to the user's Universal Profile. Select the User Record tab from the Universal Profile navigation. Then, select the button.

PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
Universal Profile - User Record - Create Users | Grants ability to access the User Record Administration page and to create new users in the system. When creating a new user, this permission grants the ability to add general information, which includes first name, last name, username, assigned OUs, and custom relationships. The administrator must have additional permissions to add any additional fields. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
Universal Profile - User Record - Edit Users | Grants ability to edit user records in the system. The administrator must have additional permissions to edit specific fields on the user record. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. Note: This permission DOES NOT grant the ability to view user records in the system. Administrators must have the Universal Profile - User Record - View Users permission in order to view user records. | Core Administration |
Users - View | Grants the ability to search for and view summary information about users in the portal via the Admin/Users screen. This permission can be constrained by OU, User's OU, User Self and Subordinates, and Users. If multiple constraints are added, these constraints are considered OR statements. This is an administrator permission. | Core Administration |
Users – View General Information | Grants ability to view the general fields on a user record, including first name, last name, username, assigned OUs, and custom relationships. This permission works in conjunction with the Universal Profile - User Record - View Users permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
Additional permissions are required to view and edit the various fields on the user record. See User Record Permissions.
Security Considerations
When viewing the User Record page, administrators must have permission to view these fields. In addition, an administrator may have permission to view these fields masked or unmasked.
When adding a new user or editing the User Record page, administrators must have permission to edit these fields.
Only administrators whose IP addresses are listed in the Authorized Sensitive Information IP Addresses section on the IP Whitelist page are able to decrypt and view SPII fields. If an administrator has permission to view or edit SPII fields, but the Sensitive Information IP Whitelist has not been configured or the administrator's IP is not on the safe list, then an error message is displayed in this section. See IP Whitelist.
Date of Birth
This field is used to store the user's date of birth (DOB). By default, the entire DOB is masked.
- When an administrator views or edits the user record, a Show link is displayed next to the field if the administrator has permission to view or edit the unmasked value. Select this link to view or edit the unmasked field value. The DOB value cannot be copied. Whenever an administrator selects the Show link for a SPII field, the system captures this information on the backend for auditing purposes.
- When an administrator enters a value for this field or shows the unmasked value for this field, a Hide link is displayed next to the field. Select this link to hide or mask the DOB.
Social Security Number
This field is used to store the user's Social Security Number (SSN). By default, only the last four digits of the SSN are displayed, and the first five digits are masked.
- When an administrator views or edits the user record, a Show link is displayed next to the field if the administrator has permission to view or edit the unmasked value. Select this link to view or edit the unmasked field value. The SSN value cannot be copied. Whenever an administrator selects the Show link for a SPII field, the system captures this information on the backend for auditing purposes.
- When an administrator enters a value for this field and exits the field, the field value is automatically masked. The last four digits of the SSN remain visible.
- When an administrator shows the unmasked value for this field, a Hide link is displayed next to the field. Select this link to hide or mask the first five digits of the SSN. The last four digits of the SSN remain visible.
Proxy as Another User - Sensitive Personally Identifiable Information
When an administrator logs in to the system as another user using the Proxy as Another User functionality, that administrator can never unmask, edit, or set Sensitive Personally Identifiable Information (SPII) fields. This ensures the information is completely secured and can only be accessed by administrators who have the appropriate permissions.
If an administrator attempts to unmask or edit SPII fields, a pop-up opens to indicate that the administrator cannot access SPII fields when a user account is impersonated. If an administrator attempts to create a user and set SPII fields, an error message is displayed when the administrator attempts to save the user record.
In order to be able to unmask, edit, or set SPII fields, an administrator with the appropriate permissions must log in to the system or use Single Sign On (SSO) to log in as themselves.
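The rules from Security Considerations, the Date of Birth and Social Security Number sections, and the proxy section can be modeled as one decision function. This is an added example, not Cornerstone code: the `Session` type, the permission strings, the order of checks, allowlist entries given as single addresses or CIDR ranges, and the logging of denied attempts are all assumptions, and the SSN is a constructed value.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Session:
    admin: str                          # account that actually authenticated
    source_ip: str
    permissions: set = field(default_factory=set)
    proxied_as: Optional[str] = None    # set during Proxy as Another User

AUDIT_LOG = []  # stand-in for the backend audit trail

def mask(field_name, value):
    """Default display: SSN keeps its last four digits, DOB is fully masked."""
    if field_name == "ssn":
        digits = "".join(c for c in value if c.isdigit())
        return "***-**-" + digits[-4:]
    return "*" * len(value)

def ip_allowed(source_ip, allowlist):
    """True if source_ip matches an entry (single address or CIDR range)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowlist)

def show(session, field_name, value, allowlist):
    """Model a click on Show: return (displayed value, decision)."""
    if session.proxied_as is not None:
        decision = "denied: proxy session"
    elif not allowlist:
        decision = "denied: allowlist not configured"
    elif not ip_allowed(session.source_ip, allowlist):
        decision = "denied: ip not on allowlist"
    elif f"view_unmasked:{field_name}" not in session.permissions:
        decision = "denied: missing permission"
    else:
        decision = "allowed"
    # Assumption: denied attempts are logged too, not only successful reveals.
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "admin": session.admin, "proxied_as": session.proxied_as,
                      "ip": session.source_ip, "field": field_name,
                      "decision": decision})
    shown = value if decision == "allowed" else mask(field_name, value)
    return shown, decision

if __name__ == "__main__":
    s = Session("admin1", "203.0.113.10", {"view_unmasked:ssn"})
    print(show(s, "ssn", "123-45-6789", ["203.0.113.0/24"]))  # constructed SSN
```

Recording both `admin` and `proxied_as` in each audit entry keeps the real actor attributable when a proxy session is refused.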