This article provides a summary of the permission groups you can set up and what each one controls. Use them to decide the data and features your employees can access, and what they can do.
If you're new to setting up permissions, read the Overview of permissions and employee roles article first. It explains the basics of permissions and how employee roles work.
When you set up a role, you choose what role members can see and do in each area. Access levels control what they can do, and the access scope controls which employees they can do it for.
The sections below explain each permission group.
Employee profile
This permission group controls access to the profile sections in the Personal Information tab in the employee profile.
See the Summary of Employee profile and Employment details permissions article for more information.
Workflows
This permission group controls access to Automations features, like the Overview tab, Activity tab, and the Workflow builder. It also controls access to employee lifecycle workflows, like Onboarding and Offboarding.
Admins can access the full Automations area. Non-admin access depends on the permissions granted in this group, and in some cases, additional employee data permissions.
| Permission | Controls access to | Considerations |
|---|---|---|
| Automations overview | The Overview tab where you can monitor employee lifecycle workflows. | Only admins can see all widgets in the Overview tab, like the Active signatures and Approval requests widgets. To see the Onboarding and Offboarding widgets in the Overview tab, non-admins also need view access or higher for both of these permissions: |
| Monitoring workflows | The Activity tab in Automations, where you can view the activity log for automated workflows and monitor their status. | Only admins can see approval-related data in this tab. |
| On-/Offboarding settings | Configure your organization's onboarding and offboarding setup, where you can create and edit templates and steps, and assign onboarding/offboarding workflows to employees. | This permission doesn't control someone's access to view or update their own on/offboarding steps. To control that, use the Employment details > On-/Offboarding permission. |
| Role reminders | Create and manage automated reminders for employee roles. | To create individual reminders in the Reminders tab of an employee profile, you also need view access to the Account > Manage accounts permission. Reminders follow each recipient's data access. Users only get reminders for attributes they can at least view. |
| Workflows | The workflow builder where you can create, publish, and manage automations. | Only Admins can create, edit, and monitor approval workflows, and only they can see Approval-related data, including pending approvals in the Automations > Activity tab. Workflow notifications follow each recipient's data access. If you add someone as a recipient for a workflow notification, make sure they have view access to the related data. |
Documents
This permission group controls access to document-based data for employees and the ability to configure document settings.
See the Summary of Documents permissions article for more information.
Attendance
This permission group controls access to attendance data for employees and the ability to configure attendance settings.
See the Summary of Attendance permissions article for more information.
Time off
This permission group controls access to time off data for employees and the ability to configure time off settings.
See the Summary of Time off permissions article for more information.
Analytics
This permission group controls access to analytics and reporting features. Read more about how to grant employees permission to create reports and share a report with other employees.
| Permission | Controls access to | Considerations |
|---|---|---|
| Report builder | The Analytics area, including the Metrics and Reports tabs. Users can access, create, and manage reports and report templates. | Role members also need access to the relevant employee attribute data. |
| Report builder (legacy) | The Reports tab in the Analytics area and the custom reports builder depending on the access enabled: | This permission shows all employee data in Personio, regardless of the role member's other access rights. |
Payroll
This permission group controls access to the Payroll area. You can set individual permissions for each legal entity within this group.
| Permission | View permissions control access to | Edit permissions control access to |
|---|---|---|
| [Legal entity] | | All capabilities included with view permissions, and: |
Note:
Edit access doesn't let role members create new payroll groups or customize table columns. Only an Administrator can do that.
Salary and Compensation
This permission group controls access to salary data, salary imports, and compensation cycles.
| Permission | Controls access to | Considerations |
|---|---|---|
| Salary band | See salary band details for employees within the defined scope. See salary band and compa-ratio columns in the People List. | To edit salary bands, role members also need edit access to the Job Architecture & Catalog permission. |
| Salary information | The Salary tab on employee profiles, including current salary, salary history, and salary type depending on the access enabled: | |
| Compensation types settings | View, create, and manage recurring or one-time compensation types for use across Personio. | |
| Manage compensation cycles | The Compensation Management app, where you can create and manage salary review cycles, approve proposals, and update salaries. | Users with this permission can see eligible employees' salaries during cycles. |
| Import - Salary | Importing salary data in bulk. | Role members also need edit access to Salary information for the relevant scope. This is sensitive, because it lets role members update salary entries for the affected employees. |
| Import - one-time compensation | Importing one-time compensation entries, like bonuses, in bulk. | Role members also need edit access to Salary information for the relevant scope. This is sensitive, because it lets role members update one-time compensation entries for the affected employees. |
Planning
This permission group controls access to headcount planning features.
| Permission | Controls access to | Considerations |
|---|---|---|
| Position list | The Position management feature in the Planning area, which shows your open and filled positions. Depending on access, you can: | Edit also requires at least View access to Job architecture & catalog. |
| Workforce planning app access | The Workforce Planning app, to plan headcount across teams and budgets. Depending on access, you can: | Read more about workforce planning and permissions. |
Recruiting
This permission group controls access to Recruiting data and features in Personio.
| Permission | Controls access to |
|---|---|
| Recruiting settings | Set up and manage the Recruiting app, including email templates, application forms, and stages. See a summary of permissions in the Recruiting app. |
| Recruiting calendar events | Recruiting events in the user's calendar, like scheduled interviews. |
| Recruiting app access | The Recruiting area to view or manage job postings, candidates, and the application pipeline depending on the access enabled: |
Recruiting insights and metrics permissions
The Metrics tab in Recruiting has a separate permission for each section so you can grant access to specific charts without opening up the full Recruiting app. You can set permissions individually for each of these sections:
- Application insights
- Channel insights
- Disqualification reasons
- Hiring efficiency
- Hiring progress
- Offer insights
- Pipeline health
For the sections they have access to, users can:
| View | Edit |
|---|---|
| See the Metrics tab and charts, but the underlying records (like individual applications) stay hidden. | See the Metrics tab, the charts, and the underlying records. |
Performance
This permission group controls access to performance management features.
| Permission | Controls access to | Considerations |
|---|---|---|
| Continuous Feedback and Performance Notes | View and manage continuous feedback and private performance notes for employees within the defined scope: | Employees can never see, add, or edit performance notes about themselves. |
| Cycles and Cycle Reviews | Create and manage performance review cycles: | Only admins can edit or archive all cycles. Other users can only edit or archive the cycles they created. |
| Goals | View and manage employee goals beyond the default scope. | Employees always have access to their own goals without this permission. |
| Performance (config) | Configure Performance settings in the Performance > Manage area to: | This permission doesn't grant access to general settings in Personio. |
Find out more about performance permissions.
Training
This permission group controls access to Training features and data in Personio.
All employees can see the training catalogue by default; they don't need additional permissions.
| Permission | Controls access to | Considerations |
|---|---|---|
| Training Record | Add external courses to training records for the defined scope. | Users with this permission can edit external courses they created. However, if participants outside their reporting line join the course, only users with Course Management permissions can edit it. |
| Course Management | Create and manage courses and training sessions for the whole organization, which includes: | |
Surveys
This permission group controls access to Survey features in Personio.
| Permission | Controls access to | Considerations |
|---|---|---|
| Surveys | Create and manage surveys, including: | By default, all employees have access to view and respond to surveys they're invited to. |
| Survey themes | Create, edit, and delete survey themes. | |
Read more about Survey permissions.
Whistleblowing
| Permission | Controls access to | Considerations |
|---|---|---|
| Whistleblowing app access | Manage reporting channels and case managers in Whistleblowing. Users with this permission can access the Whistleblowing inbox to view and manage anonymous employee reports. | Due to the sensitive content in Personio Whistleblowing, permissions for Personio and Personio Whistleblowing are kept completely separate. |
Read more about the levels of access for Whistleblowing.
Employment details
This permission group controls access to employee data and configuration options in Personio.
See the Summary of Employee profile and Employment details permissions article for more information.
Account
This permission group controls access to account management features in Personio.
| Permission | Controls access to | Considerations |
|---|---|---|
| Manage accounts | Manage accounts, depending on the access enabled: | To perform these actions, role members also need view access to at least one section in the Employee profile group. |
| Reset password | Reset other users' passwords. | Employees can always reset their own password without this permission enabled. |
| Authentication settings | Configure company-wide authentication settings, including 2FA enforcement for employee roles. | |
| Subscription management | View or manage your company's Personio subscription plan and details, depending on the access enabled: | Learn about managing your plan. |
Integrations
This permission group controls access to integration features.
| Permission | Controls access to | Considerations |
|---|---|---|
| API configurations | View and manage API credentials used for custom integrations. | See below this table for more information. |
| Marketplace integration | Set up and manage third-party integrations available in the Personio Marketplace. | See below this table for more information. |
To ensure users who set up integrations can both configure and monitor them, we recommend granting all three of these permissions:
- API configurations
- Marketplace integration
- Legal entities
Without these permissions, users can't open Marketplace > Connected integrations to monitor integrations.
- You don't need the API configurations permission to set up a Marketplace integration. But without it, you can't monitor the integration's performance or troubleshoot issues in Marketplace > Connected integrations.
- Without the Legal entities permission, you see an error when you open Marketplace > Connected integrations, but you can still browse available integrations in the Marketplace.
API requests from custom integrations use the integration's API credentials and access rights. Employee role permissions don’t restrict what a custom integration can retrieve via the API. Learn how to generate and manage API credentials.
The integrations you can create depend on your subscription plan:
- Core: you can only set up Marketplace integrations.
- Core Pro: you can set up Marketplace and custom integrations. Only Core Pro users can see the Create custom integration option.
Organization
This permission group controls access to organizational data and settings. Users with these permissions can access Settings from the main navigation, but only see the sections they have permissions for.
| Permission | Controls access to | Considerations |
|---|---|---|
| Personal information settings | Configure the attributes and sections in the Personal information tab of the employee profile, and manage settings for the About tab. | |
| Career frameworks | Create and manage career frameworks. | |
| Company information | The Company defaults and Customization sections in Settings. Role members can view and manage company-wide details like company name, default language, themes, colors, and the account homepage. | Learn more about the company and customization settings. |
| Cost centers | Create and manage cost centers. | |
| Departments | Create and manage departments and teams. | |
| Holidays | Create and manage public holiday calendars. | |
| Job architecture and catalogue | Your job architecture settings. Depending on access levels, you can: | To see the full list of jobs in the dropdown and to propose or assign a job to an employee, role members also need view access. Edit access covers full configuration. |
| Legal entities | Create and manage legal entities to reflect your company structure in Personio. | Check the Integrations permission group to see how this permission impacts setting up and monitoring integrations. |
| Org chart view | The Org chart to see the company structure, including reporting lines and relationships. | What each person sees depends on their access to specific employee data (public profile, department, team); anything they can't access is hidden or shown as a placeholder card. To see other employees in the Org chart, the role also needs view access to Employee profile > Public profile. |
| Workplaces | Your Workplaces settings to add, update, or remove workplaces. | |
Home
This permission group controls access to homepage features.
| Permission | Controls access to | Considerations |
|---|---|---|
| Announcements | Create and manage company-wide announcements, which all employees in your organization see on their homepage. | Ensure you've enabled the Announcements card in the Homepage settings. |
| Personio Assistant | The Personio Assistant, where you can ask HR-related questions and get help navigating Personio. | Admins can see advanced analytics and reporting data. Other users only see the data their permissions allow, controlled at the attribute level. |
| Workforce Overview | The visibility of the workforce overview card on the homepage. | Ensure you've enabled the workforce overview card in the Homepage settings. |
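
Several permissions in this article only work, or become sensitive, in combination with others. The script below is an added example, not Personio code: it checks one role against the prerequisites and cautions stated in the Considerations columns above. The role layout, the function names, and the sample role are assumptions made for illustration, and access scope is left out.

```python
# Added example: the role layout below is an assumption, not a Personio export
# format. Access scope is not modelled, only access levels.
LEVELS = {"none": 0, "view": 1, "edit": 2}

# (permission, level that triggers the rule, required permission, required level)
PREREQUISITES = [
    ("Import - Salary", "view", "Salary information", "edit"),
    ("Import - one-time compensation", "view", "Salary information", "edit"),
    ("Salary band", "edit", "Job architecture and catalogue", "edit"),
    ("Position list", "edit", "Job architecture and catalogue", "view"),
    ("Role reminders", "view", "Manage accounts", "view"),
    ("Org chart view", "view", "Public profile", "view"),
]

# Grants the article describes as sensitive or as reaching past other grants.
HIGH_IMPACT = {
    "Report builder (legacy)": "shows all employee data, whatever else is set",
    "Import - Salary": "lets role members update salary entries",
    "Import - one-time compensation": "lets role members update compensation",
    "Manage compensation cycles": "exposes eligible employees' salaries",
    "API configurations": "manages API credentials, which roles do not limit",
}

def level(role, permission):
    return LEVELS[role["permissions"].get(permission, "none")]

def audit_role(role):
    """Return (unmet prerequisites, high-impact grants) for one role."""
    unmet = [
        (perm, needed, need_level)
        for perm, trigger, needed, need_level in PREREQUISITES
        if level(role, perm) >= LEVELS[trigger]
        and level(role, needed) < LEVELS[need_level]
    ]
    flagged = sorted(p for p in HIGH_IMPACT if level(role, p) > 0)
    return unmet, flagged

# Constructed sample role, for illustration only.
SAMPLE_ROLE = {"name": "Payroll assistant", "permissions": {
    "Import - Salary": "edit", "Salary information": "view",
    "Position list": "edit", "Job architecture and catalogue": "view",
    "Report builder (legacy)": "view",
}}

if __name__ == "__main__":
    unmet, flagged = audit_role(SAMPLE_ROLE)
    for perm, needed, need_level in unmet:
        print(f"{perm}: also needs {need_level} access to {needed}")
    for perm in flagged:
        print(f"{perm}: {HIGH_IMPACT[perm]}")
```

Running it on the sample role reports the salary import that lacks edit access to Salary information and lists the two high-impact grants for review.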