Roles and permissions in Small Improvements are deliberately simple. We used to get by with only two roles: HR Admin for dealing with sensitive data, and regular Admin for access to non-sensitive data plus system administration.
While our intentions were good, the regular Admin role got bloated over time and was used for entirely separate purposes: on the one hand by IT staff to set up integrations, and on the other hand by HR staff to help manage reviews while not having access to review content. No matter which camp you fell into, you always had “too many” permissions, which is never good from a security perspective.
Splitting up one role into two
Moving forward, we’re splitting up the Admin role into two roles: one named Technical Admin that can be used to configure integrations and security settings, and one called HR Assistant which is limited to managing reviews – still without access to confidential data. The HR Admin role stays as it is.
You can read more about the roles and their permissions on our overhauled documentation page.
How does the transition work?
Everyone who was only an “old” Admin will now have two roles: Tech Admin and HR Assistant. People who were only HR Admins will remain HR Admins. Someone who had both HR Admin and “old” Admin will now have HR Admin and Tech Admin – but not HR Assistant, because the assistant role doesn’t add any permissions the HR Admin role doesn’t already have.
The transition should not have a major effect on your day-to-day work. However, we strongly encourage “super users” (who have both the HR Admin and the Tech Admin role) to revisit everyone’s roles, and revoke either the Tech Admin role or the HR Assistant role from those users who don’t need them anymore. Simply go to the user directory, and use the filter in the top right to show only Tech Admins or HR Assistants. Then use the dropdown menu on each user to revoke unneeded permissions.
This way you’ll greatly reduce the chance of accidental errors on our more complex screens. Someone who works in HR usually doesn’t need the Tech Admin role, and someone who is on your IT team usually doesn’t need the HR Assistant role.
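The transition rules and the follow-up review can be modelled in a few lines. This is an added illustration, not Small Improvements code: the permission names and the sample directory are constructed, and only the role names and mapping rules come from the text above.

```python
# Hypothetical permission names; the article describes the roles only in prose.
ROLE_PERMS = {
    "HR Admin": {"manage_reviews", "read_confidential"},
    "Tech Admin": {"configure_integrations", "configure_security"},
    "HR Assistant": {"manage_reviews"},
}

# Transition rules from the article: the old Admin role becomes two roles.
OLD_TO_NEW = {
    "Admin": ["Tech Admin", "HR Assistant"],
    "HR Admin": ["HR Admin"],
}

# Roles the article asks super users to revisit after the transition.
REVIEW_ROLES = {"Tech Admin", "HR Assistant"}


def migrate(old_roles):
    """Map old roles to new ones, dropping any new role whose permissions
    are already fully covered by another role the user will hold."""
    candidates = {new for old in old_roles for new in OLD_TO_NEW[old]}
    kept = {
        role for role in candidates
        if not any(ROLE_PERMS[role] < ROLE_PERMS[other]  # strict subset
                   for other in candidates if other != role)
    }
    return sorted(kept)


def review_list(directory):
    """Return {user: [roles to revisit]} for everyone who ends up with
    Tech Admin and/or HR Assistant after the transition."""
    result = {}
    for user, old_roles in directory.items():
        to_check = [r for r in migrate(old_roles) if r in REVIEW_ROLES]
        if to_check:
            result[user] = to_check
    return result


# Constructed sample directory (user -> roles before the transition).
SAMPLE_DIRECTORY = {
    "alice": {"Admin"},
    "bob": {"HR Admin"},
    "carol": {"Admin", "HR Admin"},
    "dave": set(),
}

if __name__ == "__main__":
    for user, roles in review_list(SAMPLE_DIRECTORY).items():
        print(f"{user}: revisit {', '.join(roles)}")
```

Users who come out holding both roles (here, the former plain Admin) are the ones most likely to be carrying a role they no longer need.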
This change allows us to work on the “cycle admins” feature next. We’re hoping to release functionality in January that enables you to specify “admins” or “assistants” for specific cycles only – even if they are not “global” admins or assistants. Stay tuned – or let us know if you’d like to participate in the beta phase of the “cycle admin” feature.