This worksheet is designed to help organizations review their current setup, evaluate the permissions of each role in their organization, and group similar roles together. Once complete, security groups will be automatically assigned based on a user’s role, eliminating the need to manually set permissions for each new hire.
In this article:
Permissions & Security Groups
Your Current Role: Permission Structure
Identifying Your Ideal State: Role-Based Security Groups
Mapping Current Permissions to Security Groups
Inbound SFTP
F.A.Q.
Additional Resources
Permissions & Security Groups
What is the difference between permissions and security groups?
- What are permissions? Permissions are the actions a user can take.
- What is a security group? A security group is a collection of permissions.
- As part of this migration, a Security Group has been created for each permission currently used in your ClearCompany account.
- For example, a user who had the recruiter permission will now be part of the recruiter security group. If someone had multiple permissions, they will now belong to multiple security groups, one for each permission.
Security Groups make it easier to manage future updates as new, more granular permissions are added to ClearCompany. Follow the steps below to review your current role and permission structure, identify your ideal state, and translate current to ideal.
Step 1: Your Current Role: Permission Structure
Use this section to identify your existing roles and their associated permissions.
Role Name | Current Permission(s) Assigned | Notes (e.g. who typically holds this role, specific use cases) |
---|---|---|
Sales Manager | Hiring Manager, Task Assignee | Any manager across departments that are not human resources can be added to requisitions as hiring managers and asked to complete/approve documents during onboarding. |
Catering Manager | Hiring Manager | Although this role does not currently have the task assignee permission there is a chance that they will need to complete onboarding paperwork for a new hire in the future. |
IT Team Lead | User Admin | Responsible for maintaining and improving systems and services within the organization. Usually, this user collaborates with other departments to ensure seamless integration and operation of technology solutions. |
Tip:
Include all roles, even if they are currently empty or rarely used. This ensures you are set up for long-term success.
Step 2: Identifying your Ideal State: Role-Based Security Groups
Use this section to start grouping similar roles together based on what permissions they need.
Resource: Adding Security Groups to Roles.
Security Group Name | Role(s) to Include in this Group |
---|---|
Employee | All Employees will receive this security group |
Manager | Sales Manager, Catering Manager, Office Manager |
Talent Acquisition/Recruiter Group | Recruiter, Talent Acquisition Coordinator |
Onboarding Group | Onboarding Coordinator, HR Generalist |
Tip:
Assign security groups at the role level, rather than managing permissions for each individual.
Step 3: Mapping Current Permissions to Security Groups
Use this section to consider how your existing permissions will translate into the new security group model.
Employee Security Group: Every organization will have an employee security group that all employees are added to automatically. By default, it includes only the basic Employee permission. If all employees need access to other permissions, those permissions should be added to the Employee Security Group.
- For Performance & Goal clients: Add Goal Alignment and Performance Management.
- For LMS clients: Add Learning.
CEO Access: Any user who previously had the CEO permission will automatically be given the CEO designation on the user page within ClearCompany. If more than one user had the CEO permission, all of them will receive the designation. If you manually assign the CEO designation to a different user after the migration, that user will become the only one with the designation and it will be removed from all other users.
Vendor Access: If you currently have vendors accessing your system, they will now appear with a non-employee vendor designation on the user page within ClearCompany. A security group should not be created for vendor access, and vendor users cannot be assigned any additional permissions beyond their vendor designation.
Security Group Name | Permission(s) |
---|---|
Employee | Employee, Goal Alignment, Performance Management |
Recruiter Group | Recruiter, Hiring Manager, Offer Letter Sender, Background Check |
Manager Group | Hiring Manager, Task Assignee |
Scenario: Someone with recruiter permission + user admin permission + background check permission (3 permissions)
Employee | Current Permissions | New Security Group |
---|---|---|
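Emily Anderson, TA Coordinator | Employee | Employee Group |
Emily Anderson, TA Coordinator | Recruiter | Recruiter Group |
Emily Anderson, TA Coordinator | Hiring Manager | |
Emily Anderson, TA Coordinator | Offer Letter Sender | |
Emily Anderson, TA Coordinator | Background Check | |
Emily Anderson, TA Coordinator | Onboarding Coordinator | |
Emily Anderson, TA Coordinator | Task Assignee | |
Tom Jensen, Catering Manager | Employee | Employee Group |
Tom Jensen, Catering Manager | Hiring Manager | Manager Group |
Tom Jensen, Catering Manager | Task Assignee | |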
Note:
If all employees within the TA Coordinator role have the same permissions/security groups, you can assign the TA Coordinator role to the associated Security Groups.
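Before attaching a role to security groups, it helps to confirm that nobody in that role gains or loses access. The following is an added example, not ClearCompany code: it uses the sample names from the tables above as constructed data, and the role-to-group assignments and the list of approved additions are assumptions made for illustration.

```python
"""Compare each user's current permissions with what role-based groups would grant."""

# Constructed sample data, taken from the worksheet's example tables.
GROUP_PERMISSIONS = {
    "Employee Group": {"Employee", "Goal Alignment", "Performance Management"},
    "Recruiter Group": {"Recruiter", "Hiring Manager", "Offer Letter Sender",
                        "Background Check"},
    "Manager Group": {"Hiring Manager", "Task Assignee"},
}
# Assumption: the role-to-group assignment an admin proposes in Step 2.
ROLE_GROUPS = {
    "TA Coordinator": ["Employee Group", "Recruiter Group"],
    "Catering Manager": ["Employee Group", "Manager Group"],
}
USERS = [
    {"name": "Emily Anderson", "role": "TA Coordinator",
     "current": {"Employee", "Recruiter", "Hiring Manager", "Offer Letter Sender",
                 "Background Check", "Onboarding Coordinator", "Task Assignee"}},
    {"name": "Tom Jensen", "role": "Catering Manager",
     "current": {"Employee", "Hiring Manager", "Task Assignee"}},
]
# Assumption: additions the organization has agreed every employee should receive.
APPROVED_ADDITIONS = {"Goal Alignment", "Performance Management"}


def effective_permissions(role, role_groups, group_permissions):
    """Union of the permissions in every security group attached to a role."""
    perms = set()
    for group in role_groups.get(role, []):
        if group not in group_permissions:
            raise ValueError(f"role {role!r} references undefined group {group!r}")
        perms |= group_permissions[group]
    return perms


def access_drift(users, role_groups, group_permissions, approved=frozenset()):
    """Return {user: {"gained": [...], "lost": [...]}} for users whose access changes."""
    report = {}
    for user in users:
        new = effective_permissions(user["role"], role_groups, group_permissions)
        gained = sorted(new - user["current"] - approved)
        lost = sorted(user["current"] - new)
        if gained or lost:
            report[user["name"]] = {"gained": gained, "lost": lost}
    return report


if __name__ == "__main__":
    for name, diff in access_drift(USERS, ROLE_GROUPS, GROUP_PERMISSIONS,
                                   APPROVED_ADDITIONS).items():
        print(f"{name}: gained={diff['gained']} lost={diff['lost']}")
```

A user listed under "gained" would receive access they did not have before, and one listed under "lost" would be locked out of something they use today; either result means the role's groups need adjusting before the single-permission groups are removed.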
Inbound SFTP
This section applies to organizations that currently use an inbound SFTP file to manage user data within ClearCompany and have chosen to create security groups to be assigned based on roles, following the migration to the security group structure.
As part of this transition, your organization (or your third-party provider) will need to adjust the inbound SFTP file that is sent to ClearCompany. When you are ready to remove the single-permission security groups created by the migration process and begin using your role-based security groups, it is important to coordinate the timing of these changes.
Before removing the single-permission security groups:
- The inbound SFTP file must be updated to remove the individual permission columns.
- The file should include the role column that lists each user’s assigned role, which will then drive their access via the new security groups.
- If the permission columns are NOT removed, the system will continue to recreate the single-permission security groups.
Please Note:
Please work with your internal team or third-party provider to ensure the necessary updates are made before making the switch to role-based security group assignments.
F.A.Q.
Migrations will occur between June and September 2025. ClearCompany will communicate with organizations directly.
HR Admins will be assigned a new permission called security groups admin. This permission allows them to edit security groupings, role and user access.
No. The migration is automated and no action is needed by you. For more information, refer to Migration to Security Groups.
A security group will be created for each individual permission and each employee will be moved into the corresponding security group based on their previously assigned permissions. Access remains the same.
All users will be assigned the employee permission. Vendor permission will override employee permission, so vendors will not have access where they didn’t have it before. You will have an employee security group created automatically and it will be tied to the company role.
Yes, assigning permissions via the API will still be supported.
Yes, assigning permissions via the inbound SFTP will still be supported. See the worksheet section labelled Inbound SFTP for more information.
Additional Resources
Below is a customizable checklist and downloadable worksheet to empower your team as you get ready for the transition to the new Security Groups model.