I would like to inquire about the possibility of customizing the permissions assigned to the HR role within the HR.my system.
Currently, it appears that the HR role has very broad (almost administrator-level) permissions. From a governance and internal control perspective, we would like to apply more granular restrictions, specifically:
Preventing the HR role from deleting payroll records entirely
Restricting certain sensitive actions that should be exclusively reserved for the employer/owner or system administrator
Allowing the HR role to manage operational HR tasks without full system authority
Our objective is to enhance internal controls, segregation of duties, and compliance with best practices in payroll and HR management.
Could you please advise:
Whether such permission customization is currently supported?
If not, whether it is planned in your development roadmap?
Or if there is an alternative recommended approach to achieve this level of access control?
Thank you in advance for your support. We look forward to your guidance.
Kind regards, Dr. Hasan Attili
Administrative & Financial Director
This is the module that allows you to have fine-grained control of what a user could do in each area.
When you mentioned that:
I suspect that you are assigning HR.my Manager role to your employee instead. The correct way should be creating appropriate HR Roles with relevant access control and assign such HR Roles to your employees.
HR.my Manager is almost as powerful as the account owner (HR.my Administrator), therefore you should avoid using this role if not necessary.
Thank you for the clarification. Yes, I have reviewed Employee → HR Role and the permission screen you referred to.
However, I would appreciate a more practical explanation of how this screen works in detail, particularly in relation to sensitive actions. From what is currently visible, I would like to clarify the following points:
The permission toggles shown (e.g. managing requests, leaves, assigned items, etc.) appear to control general functional access.
However, it is not clear whether they also restrict critical actions, such as:
Deleting payroll records or payroll runs
Modifying approved payroll data
Performing financial actions that should be restricted to the employer or administrator only
Could you please clarify:
Do these toggles control access only at a module level, or also at an action level (Create / Edit / Delete / Approve)?
Is it possible to allow view-only access without permitting edit or delete actions?
If this screen does not currently support this level of granularity:
What is the recommended approach to enforce proper segregation of duties?
How can we practically ensure that an HR Role cannot perform critical actions, even when not assigned the HR.my Manager role?
Our goal is to implement proper governance and internal controls, where:
HR Roles manage daily operational tasks, and
Sensitive payroll and financial actions remain strictly limited to the owner or Administrator.
Thank you for your support. We look forward to your guidance or a practical example of the recommended setup.
Kind regards, Dr. Hasan Attili
Administrative & Financial Director
I would like to clarify that I have followed the instructions in the guide and assigned an employee to a specific HR Role accordingly. However, the functionality does not seem to be working as described.
Specifically:
After assigning the HR Role to the employee, the user does not see any option to manage or access the role that has been assigned to them.
I am also unable to locate where the three access levels (No Access / View / Modify) mentioned in the documentation can be configured or assigned within the system.
At this stage, it is unclear whether:
The role permissions are not being applied correctly, or
There is an additional configuration step required that is not covered in the guide, or
This feature is limited to certain subscription plans or administrator settings.
I would appreciate your guidance on:
Where exactly the three access levels are defined and assigned
How the assigned HR Role should appear or function for the user
Whether there are any prerequisites or limitations that may affect this feature
