SYS: User Security
Overview
Use the User Security screen to do the following:
- Add, edit, or delete users
- Change passwords for existing users
- Assign and un-assign Groups to a User
- Lock out individual Users at specific times during the day or all day
The User Name used to log on to the system controls the information made available to them.
When you enter this screen initially, the User Name "WinTeam" displays. This is the ONLY User Name that is loaded with the software. Do NOT delete this. WinTeam has full access to everything, except for the ability to print signatures on Payroll and A/P checks. You should add a password as soon as possible.
We recommend that each User who will be using the WinTeam system be set up with their own User Name and Password so that the System Administrator can identify who has logged on and off and when. There are a variety of logs that are kept on the system that identify the User who performed a particular function.
The Rollover button on the toolbar is available if you are on a current User Security record. You can roll over (copy) from one User Security record to another. Permissions set up for the selected User Name will be rolled over. For more information, see Adding a New User (security).
WinTeam Enterprise and ASP customers also have the ability to limit security by Locations.
For more information, see Learning about Location Security.
The TeamBid Only check box was added to enable Users to have access to TeamBid only and be excluded from counts towards regular licenses. For more information on TeamBid Only User licenses, contact our Sales Department at 800.500.4499.
Pay Security and PS Security do not display for TeamBid Only users. A TeamBid Only user does have access to change the logo in Company Setup.
Key Functionality
Use the Rollover button to copy the current User Security record and create a new record. Only the permissions set up for the current User Security record are rolled over. For more information, see Adding a WinTeam User.
Use the Lookup list to locate an existing record.
If your database includes TeamBid Only licenses, and a User Name is set up in User Security and selected for TeamBid Only, when the User logs in, s/he is counted as a TeamBid Only user and can only access TeamBid related screens.
Warning: If this check box is selected on an existing User, the Pay Security and PS Security information is hidden and any information that was set up for Pay and PS Security is deleted.
Hover over the Change Information icon to see User Added, Date Added, User Changed and Date Changed information. WinTeam records the logon name of the user entering or changing this record. The Date Added is the original date this record was entered into the system. The Date Changed is the date the record was last changed. Right-click on the Change Info icon to filter for records added or changed by a specific user or date.
When you hover over the User Changed or Date Changed filters, you can:
- Filter By Selection - Filters for all records that match your current records field value.
- Filter by Exclusion - Excludes from your filter all records that match your current records field value.
- Filter For - Filters based on the text/value you enter.
- Sort Ascending - If you already have a filter applied, the Sort Ascending command is available. Also used to include all records in the filter and sort in ascending order based on the current records field value.
- Sort Descending - If you already have a filter applied, the Sort Descending command is available. Also used to include all records in the filter and sort in descending order based on the current records field value.
Enter a unique name to identify the User Security record.
Type the User Name in this field. If you type an existing User Name the system prompts you for a unique name or directs you to use the Lookup to locate an existing record.
For more information, see Adding WinTeam User.
Use the Login Settings field to assign logon information and password rules. Type or select the Login Settings. To add a new Login Setting, double-click in the Login Settings field, or type a new description and press Enter. The Login Settings add/edit list displays.
Use the Password field to enter a unique password for the User Security record. Passwords can be a maximum of 20 characters.
Use the Verify Password field to re-enter the password.
Enter an Employee Number associated with the User Name. Type the Employee Number in this field, or use the Lookup to locate the Employee Number. If you enter a specific Employee number, eHub will open automatically using that Employee's log in information when the eHub button is selected in the toolbar.
If a User's account is locked out due to invalid login attempts, then this field is set to the current server time plus 3 minutes and the label will display in a bold red.
If the account was locked out while the administrator had the user record loaded on this screen, the administrator will need to hit refresh (escape) to reload the record. Once the Locked Thru Date is less than the current server date and time, then the label will return to normal.
Use the Notes field to enter any notes about this User's security settings. If you enter more than one line of information, the system automatically wraps the line of information for you. To start a new line or paragraph, press Ctrl + Enter.
Select the Groups to which the User has access. Click the Detail button to display the Security Groups screen.
Group Filters
Group Filters are not available if the Only Allow Users to be Assigned Roles check box is selected in SYS: Defaults.
The Group Filters are used to limit the Groups displayed in the Groups grid.
Custom
Use the Custom Group Filter to display Custom Groups. These are Groups that were created by you (your company).
The Custom Groups include "Role" groups.
System Report Groups
Use the System Report Groups to display all reports in all modules.
All Other Groups
Use the All Other Groups to filter for all groups in WinTeam, excluding Custom Groups, System Report Groups, and Roles.
Roles
Use the Roles filter to list only Security Groups considered "Roles" (Group is considered a Role check box is selected on the Security Groups screen).
For more information see Security Groups and Using Role Security.
The Pay Security levels are used to set up security privileges for each user of WinTeam who has access to the Payroll and Insurance Benefits module. If a user is not set up with Pay Security levels, WinTeam does not allow access to any information in the Employee Master File. In addition, the user will have very little access to information in other areas of Payroll. On the other hand, if a user is set up with Pay Security levels, WinTeam limits the information the user can add, change, or view within the Employee Master File record and other areas of Payroll based on the level assigned.
The security levels assigned to each employee in the Security Levels screen determine the employee information a particular User Name is allowed to see or modify. Security levels range from 0 to 9. WinTeam considers the security level of 0 as the lowest level, which is normally assigned to hourly employees. A security level of 9, which is the highest level, is normally assigned to the President/Owner or to the Payroll Supervisor of your company.
You will need to enter the appropriate level of security (from 0 to 9) for each Read and Write field (Basic, Pay Rates, Pay Comps, Pay Deducts, Pay Garns, Paychecks, HR Benefits, PS Pay Rates, and HR Trackers) for the selected User Name. WinTeam requires a level in the Read field equal to or greater than the level in the Write field. In addition, the level entered in all Read and Write fields must be LESS than or equal to the levels in the Basic Read and Write fields.
Basic - Read and Write
The Basic Read and Write security levels control the Employee Master File screen and a majority of the screens found within the Employee Master File. Basic Security also applies to some Human Resources and Insurance Benefits screens. This means you would not be able to see the employee records on the screen or report unless your Basic Security Read was equal or greater than the employee’s Security level. Although if the employee is not in your Company and Location security, then you would not be able to see them regardless. Therefore, the following screens fall in the area of Basic:
Human Resources Menu
Insurance Benefits
Payroll Menu
- Employee Master File
- Employee Pay Rate Creator
- Pay Comp/Ded Creator
- Direct Deposit Information
- Hours Summary
- Other Information
- Permanent Timecards
- Status Information
- Tax Information
- Tier Descriptions (Job Master File) - Employee Number
- PAY: Titles/Occupational Groups
Reports
- Benefit Hours Report
- Benefit Insurance/Other Analysis
- Benefit Insurance/Other Report
- Compliance Status Report
- EEO/Vets Report
- Eligibility Status Report
- Employee Absence Report
- Employee Master File Report
In addition, a User must have Basic Write security in order to change or set up an employee’s eHub settings.
For each User Name that is set up, WinTeam compares the security levels entered in the Basic Read and Write fields to the Security Level field found in the Employee Master File for all employees. WinTeam allows the user to view and modify information for any employee that has a security level less than or equal to the security levels entered for this user.
Example: Assume a timekeeper has a Basic Read level of 4 and a Basic Write level of 2. The timekeeper has access to view all of the employees with a security level from 1 to 4, but can only change information for those employees with a security level of 1 or 2. If the timekeeper selects a record that relates to a level 3 employee, the timekeeper is able to view this record, but cannot make any changes to it, because the fields are locked by the system.
Reports secured by User's Pay Rate Security (Pay Rate Read)
The following reports are based on User’s Pay Rate Read Security and therefore, you cannot see all employees on these reports even though they are in your Company and Location security. It is important that proper security is given to protect this information.
- 401k Report
- 941 Report
- Payroll Check Register
- Employee W2 report
- Hours By Employee
- Hours Budget Comparison Report
- NACHA Bank Transmission
- Other Compensations and Deductions Report
- Pay Check Warning Report
- Pay Info History Report
- Pay Check History Report
- Wages by Job report
- HR Reports
- Employee Equipment Agreement
- Employee Master File Report
- Employee Termination Report
- Equipment Escrow Report
- Equipment Tracker Report
- License/Expiration Report
Important: The Timekeeping Report is unique; if an employee has hours, they are included in the report, but if the security level for Pay Rate Read is less than the security level of the employee, the Pay Rate is not included in the report.
If you want to reduce or downgrade a user's security, you will need to create a Custom Security Group that removes Features, since, by default, the user who has access to the Employee Master File also has access to many Features.
For more information see Creating a Custom Security Group.
Pay Rates - Read and Write
The Pay Rates Read and Write security levels control the Pay Information tab found in the Employee Master File. The security levels assigned here also affect whether this user can view or change the Pay Information: Use This Rate field found in the Timekeeping screens in Payroll and in the Schedule Detail for a Cell screen in Personnel Scheduling.
A user without rights to see an employee's pay rate (due to their Pay Rate Read Security) cannot see the Pay Rate Used for Billing.
Billing information displays once the PS Wizard has been run. The label and the rate will both be hidden if the User does not have permission to see the employee’s pay rate.
For each User Name set up, the system compares the security levels entered in the Pay Rates Read and Write fields to the Security Level field found in the Employee Master File for all employees. The system allows the user to view and modify information for any employee that has a security level less than or equal to the security levels entered for this user.
Pay Comps - Read and Write
The Pay Comps Read and Write security levels control the Other Compensations and Deductions screens that are accessed from the PAY: Employee Master File.
For each User Name set up,WinTeam compares the security levels entered in the Pay Comps Read and Write fields to the Security Level field found in the Employee Master File for all employees.
If your Read security level for Pay Compensations is equal to or greater than the employee's security level, you will have rights to see the Compensations, and you will have access to see the History.
If your Write security level for Pay Compensations is equal to or greater than the employee's security level, you will be able to add new records to the grid or change existing records.
If you have Read access to either the Deductions or Compensations section, but not the other, you will only see the tab you have rights for.
If you do not have Read access to either the Comps or Deducts, you will not be able to access these screens and you will receive a message stating so.
Pay Deducts - Read and Write
The Pay Deducts Read and Write security levels control the Other Compensations and Deductions screens that are accessed from the PAY: Employee Master File.
For each User Name set up, the system compares the security levels entered in the Pay Deducts Read and Write fields to the Security Level field found in the Employee Master File for all employees.
If your Read security level for Pay Deductions is equal to or greater than the employee's security level, you will have rights to see the Deductions, and you will have access to see the History.
If your Write security level for Pay Deductions is equal to or greater than the employee's security level, you will be able to add new records to the grid or change existing records.
If you have Read access to either the Deductions or Compensations section, but not the other, you will only see the tab you have rights for.
If you do not have Read access to either the Comps or Deducts, you will not be able to access these screens and you will receive this message:
Pay Garns
The Pay Garnishments Read and Write security levels control the Employee Other Compensations and Deductions screen.
Pay Checks - Read and Write
The Pay Checks Read and Write security levels control these screens found in the Employee Master File:
- Check History
- W-2 Summary
- Employee Other Compensations and Deductions (History tab) details
The Pay Checks security levels also have a direct effect on the Check Processing Wizard. When a user creates a new check batch, only those employees with a security level less than or equal to the user’s Write security level are available for selection. In addition, the Payroll Check History report uses the Write security level for determining employee information available to the user.
For Labor Accrual based on Timekeeping and Personnel Scheduling, we are using the Basic Read Security level to find the employees timekeeping records and employee’s salaries to include in the Timekeeping Accrual.
For Labor Accrual based on Budgets, we are not using security since there are no employees to look at when doing accruals based on Budgets.
For Labor Accrual based on Payroll Batches, we bypass all Security Level checking and always include all records in the batches being selected.
We do 1 and 3 above so that we do not exclude an employee from the accrual, since the User does not know that they are not accruing for everyone.
The Creator Security level, written into the Batches table (check processing wizard batch screen), writes in the Pay Check Write security level like all other batch types. That way, the Creator is able to see the batches they created.
ADP Users
When creating the periodic or quarterly tax files, it is the user’s Paycheck Write security level that determines the Employee check records contained in those files.
For each User Name set up, the system compares the security levels entered in the Pay Checks Read and Write fields to the Security Level field found in the Employee Master File for all employees. The system allows the user to view and modify information for any employee that has a security level less than or equal to the security levels entered for this user.
HR Benefits - Read and Write
The HR Benefits Read and Write security levels control the Benefits by Employee, INS: Deduction Sync, and INS: Package Validation screens.
PS Pay Rates - Read and Write
Use the PS Pay Rates Write field to enter the appropriate level of security (from 1 to 9) for the selected User Name.
The system requires the level in the Read field equal to or greater than the level in Write field.
In addition, the level in the PS Pay Rates Read field defaults from the Pay Rates Read field.
If a User has a PS Pay Rate Read Security Level of 0 (zero), Hourly Pay Information cannot be accessed from the Shift Details panel. Salary Pay Information can be accessed and is available for editing. Editing Salary Pay Information with a rate other than $0.00 only effects billing if Tier Billing is used.
HR Trackers - Read and Write
The HR Trackers control the Absence Tracker, Compliance Tracker, Equipment Tracker, and Time Off Planner.
Enter the appropriate level of security for HR Trackers.
Bill Rates - Read and Write
Use the Bill Rates Read and Write fields to enable the ability to read and write Bill Rates on the Schedule Detail for a Cell screen for the selected User Name.
Can Insert Shifts On Scheduling Screen
Select this check box to allow the user to insert a shift on the Schedules screen. If you clear this option, the system does allow the user to insert a shift on the Schedules screen.
Can Select from List, Invoice Description and Bill Category on Scheduling Screen
Select this check box to allow User to select from list on Detail Cell Information screen for Invoice Description, Bill Category (and Reset functionality), and Non Billable item.
This option is selected by default for new Users.
Can Change Additional Tier Description on Scheduling Screen
Select this check box to grant a User permission to edit the Personnel Schedules, Detail Cell, Additional Tier Description field.
Changing the Additional Tier Description includes adding, changing or deleting characters directly in the Additionall Tier Description field. (For example: Changing "Regular Officer" to "Regular Security Guard" by deleting the word "Officer" and adding the words "Security Guard.")
However a user can select a different Addl Tier Description from the list, whether or not the Can Change Addl Tier Description has been selected.
Can Change Invoice Description Text On Scheduling Screen
Select this check box to allow the user to change the Invoice Description field on the Schedule Detail for A Cell screen. If you clear this option, the system does not allow the user to change the Invoice Description field on the Schedule Detail for a Cell screen.
Changing the Invoice Description includes adding, changing or deleting characters directly in the Invoice Description field. (For example: Changing "Regular Officer" to "Regular Security Guard" by deleting the word "Officer" and adding the words "Security Guard.")
However a user can select a different Invoice Description from the list, whether or not the Can Change Invoice Description on Scheduling Screen option has been selected.
Can Change the Master Schedule
Select this check box to allow the user to change the Master Schedule.
Allow Post Requirement Overrides
Select this check box to allow Post Requirements to be overwritten in the Post Set Up screen.
Can Bypass Compliance Requirements
Select this check box to allow Compliance Requirements to be bypassed when scheduling a shift.
Can Schedule Overlapping Shifts
Select this check box to allow the scheduling of Overlapping Shifts on the Schedules screen.
Can Schedule Overtime
Select this check box to allow the scheduling of Overtime hours.
Can Exceed Post Pay Rate
Select this check box to allow the scheduling of Employees who exceed the Post Pay Rate of a Post on the Schedules screen.
Can Offer Position
Select this check box to allow offering positions from the Search for Eligible Employees screen.
Some reports, grids, and wizards allow for the creation of criteria templates. Specifically the Report templates, Grid templates, and Pay Wizard templates. These templates allow for quickly loaded report criteria that may be used frequently. Select this check box to grant a user permission to save last used settings on report option screens, in order to select report templates from the list, create report templates for later reuse, or delete report templates from the list.
The messaging feature allows WinTeam users to send messages to employees via eHub Mobile, or SMS text messages. When this check box is selected the Messaging Service icon in the WinTeam toolbar displays. For additional information on this feature see this link.
The Lock Out grid can be used to implement specific Lock Out times per User. You can lock out individual Users at specific times during the day or for the entire day. The system will perform a check every five minutes. The WinTeam Administrator (those with SYS ALL rights) can also Lock Out everybody by using a setting in System Defaults. For more information, see System Defaults.
Please be aware of the five-minute buffer. Once the Begin Lock time is reached, logged in Users have five minutes from that point before the system automatically logs them out.
Example: For example, the Begin Lock time is set for 2200. Joe does not have SYS ALL and tries to log in at 2200. He is locked out. Mary does not have SYS ALL and has been in the system since 1900. At 2200 a message displays stating she has 5 minutes to log out. At 2205 her session of WinTeam ends. At 2205 all Users are out of WinTeam, except those with SYS ALL rights.
Special Rules
- Times cannot cross midnight.
- The hours must be between 0 and 23.
- The minutes must be between 0 and 59.
If a User is currently logged in when the Lock Out time is reached, they will have 5 minutes to save all data and close WinTeam after the initial warning. Similarly, the system will not allow a User to log in during a time that has been specified as a Lock Out time. If there are no Lock Out times entered for a User, then WinTeam will function as normal. A User with SYS ALL rights has unrestrained access and Lock Out time do not matter.
Select All or specific Locations to which this User has access.
Select All or specific Companies to which this User has access.
The SYS User Security Setup screen has its own Security Group, SYS User Security.
The SYS User Security Setup screen (not the SYS User Security Setup Security Group) is part of the SYS ALL Security Group.