User Permissions
Control exactly what each user can see and do in Olympus Cloud. This guide covers the permission matrix, custom roles, row-level security, delegation workflows, access auditing, and SSO group integration.
Permission Model Overview
Olympus Cloud uses Role-Based Access Control (RBAC) with granular permissions. Each user is assigned one or more roles, and each role grants a specific set of permissions.
Organization
└── Roles (define permissions)
    └── Users (assigned roles)
        └── Locations (scope access)
Key Concepts
| Concept | Description |
|---|---|
| Role | A named collection of permissions (e.g., Manager, Scheduler) |
| Permission | A specific action a user can perform (e.g., approve_timesheet) |
| Scope | Where a permission applies (organization-wide, location, department) |
| Delegation | Temporarily granting permissions to another user |
Built-In Roles
Olympus Cloud includes pre-configured roles that cover common use cases.
| Role | Description | Typical Users |
|---|---|---|
| Organization Admin | Full access to all features and settings | Business owners, IT admins |
| Location Manager | Manage a specific location's staff and schedules | Store managers, site leads |
| Department Manager | Manage a department within a location | Kitchen manager, shift lead |
| Scheduler | Create and publish schedules | Scheduling coordinators |
| Timekeeper | Approve timesheets and manage time entries | Payroll coordinators |
| Employee | View own schedule, clock in/out, request time off | All staff members |
| Viewer | Read-only access to reports and dashboards | Executives, auditors |
Permission Matrix
Schedule Permissions
| Permission | Admin | Location Mgr | Dept Mgr | Scheduler | Timekeeper | Employee | Viewer |
|---|---|---|---|---|---|---|---|
| View all schedules | Yes | Location | Dept | Yes | No | Own only | Yes |
| Create schedules | Yes | Yes | Dept | Yes | No | No | No |
| Publish schedules | Yes | Yes | No | Yes | No | No | No |
| Edit published schedules | Yes | Yes | No | Yes | No | No | No |
| Approve shift swaps | Yes | Yes | Dept | Yes | No | No | No |
| View open shifts | Yes | Yes | Dept | Yes | No | Own dept | No |
Time and Attendance Permissions
| Permission | Admin | Location Mgr | Dept Mgr | Scheduler | Timekeeper | Employee | Viewer |
|---|---|---|---|---|---|---|---|
| View timesheets | Yes | Location | Dept | No | Yes | Own only | Yes |
| Approve timesheets | Yes | Yes | Dept | No | Yes | No | No |
| Edit time entries | Yes | Yes | Dept | No | Yes | No | No |
| Add manual entries | Yes | Yes | Dept | No | Yes | No | No |
| Delete time entries | Yes | No | No | No | No | No | No |
| Configure overtime rules | Yes | No | No | No | No | No | No |
People Management Permissions
| Permission | Admin | Location Mgr | Dept Mgr | Scheduler | Timekeeper | Employee | Viewer |
|---|---|---|---|---|---|---|---|
| Add employees | Yes | Yes | No | No | No | No | No |
| Edit employee profiles | Yes | Location | Dept | No | No | Own only | No |
| Deactivate employees | Yes | No | No | No | No | No | No |
| Assign roles | Yes | Limited | No | No | No | No | No |
| View employee directory | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Approve time-off requests | Yes | Yes | Dept | Yes | No | No | No |
Reporting Permissions
| Permission | Admin | Location Mgr | Dept Mgr | Scheduler | Timekeeper | Employee | Viewer |
|---|---|---|---|---|---|---|---|
| View standard reports | Yes | Location | Dept | Schedule | Time | Own only | Yes |
| Create custom reports | Yes | Yes | No | No | No | No | No |
| Export reports | Yes | Yes | Dept | Yes | Yes | No | Yes |
| Schedule reports | Yes | Yes | No | No | No | No | No |
| View labor costs | Yes | Yes | No | No | No | No | Yes |
System Administration Permissions
| Permission | Admin | Location Mgr | Dept Mgr | Scheduler | Timekeeper | Employee | Viewer |
|---|---|---|---|---|---|---|---|
| Manage integrations | Yes | No | No | No | No | No | No |
| Configure locations | Yes | No | No | No | No | No | No |
| Manage billing | Yes | No | No | No | No | No | No |
| View audit log | Yes | No | No | No | No | No | No |
| Configure SSO | Yes | No | No | No | No | No | No |
| Manage custom roles | Yes | No | No | No | No | No | No |
Custom Roles
Create roles tailored to your organization's needs when built-in roles do not match your requirements.
Creating a Custom Role
- Go to Settings > Roles & Permissions
- Click Create Role
- Enter a role name and description
- Select permissions from each category:
  - Check individual permissions to grant
  - Use Select All within a category for bulk selection
- Set the default scope:
  - Organization-wide: Access across all locations
  - Location-scoped: Access limited to assigned locations
  - Department-scoped: Access limited to assigned departments
- Click Save Role
Custom Role Best Practices
Grant only the minimum permissions needed for a role. It is easier to add permissions later than to deal with the consequences of overly broad access. Start restrictive and expand based on actual needs.
| Practice | Description |
|---|---|
| Name clearly | Use descriptive names like "Payroll Coordinator" not "Custom Role 1" |
| Document the purpose | Add a description explaining who uses this role and why |
| Start with a template | Clone a built-in role and modify it |
| Review quarterly | Audit custom roles every quarter for continued relevance |
| Limit admin-level roles | Keep the number of Organization Admin users minimal |
Editing Custom Roles
- Go to Settings > Roles & Permissions
- Click on the role to edit
- Modify permissions as needed
- Click Save Changes
Changing a role's permissions immediately affects all users assigned to that role. Review the list of affected users before saving. Consider creating a new role instead of modifying a widely used one.
Row-Level Security
Row-level security ensures users only see data relevant to their assigned locations and departments, even when they have broad feature permissions.
How It Works
| User Scope | Data Visible | Example |
|---|---|---|
| Organization-wide | All locations, all departments | Organization Admin sees everything |
| Location-scoped | All departments within assigned locations | Downtown Manager sees only Downtown data |
| Department-scoped | Only assigned department within assigned locations | Kitchen Manager sees only Kitchen data at their location |
Configuring Data Scope
- Go to Settings > Users
- Click on the user to configure
- Under Access Scope, assign:
  - Locations: Which locations this user can access
  - Departments: Which departments within those locations
- Save changes
Data Scope and Reports
Row-level security applies to all data views:
- Dashboard widgets show only scoped data
- Reports filter automatically based on user scope
- Employee directory shows only employees in scope
- Schedules display only relevant departments and locations
- Time entries are limited to scoped employees
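The scoping rules in the How It Works table can be modeled as a single row filter. The following is an added example, not Olympus Cloud's own code: the `Scope` class, the field names and the "Uptown" location are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scope:
    """Access scope from the 'How It Works' table (a model, not the product schema)."""
    level: str                          # "organization", "location" or "department"
    locations: frozenset = frozenset()
    departments: frozenset = frozenset()

def visible(scope, row):
    """Return True if a row with 'location' and 'department' keys is in scope."""
    if scope.level == "organization":
        return True
    if row["location"] not in scope.locations:
        return False                    # both narrower scopes are bounded by location
    if scope.level == "location":
        return True
    if scope.level == "department":
        return row["department"] in scope.departments
    return False                        # unknown scope level: deny by default

def scoped(scope, rows):
    """Apply the same filter to any data view (reports, directory, time entries)."""
    return [r for r in rows if visible(scope, r)]

# Constructed sample rows
TIME_ENTRIES = [
    {"id": 1, "location": "Downtown", "department": "Kitchen"},
    {"id": 2, "location": "Downtown", "department": "Front of House"},
    {"id": 3, "location": "Uptown", "department": "Kitchen"},
]

ADMIN = Scope("organization")
DOWNTOWN_MGR = Scope("location", frozenset({"Downtown"}))
KITCHEN_MGR = Scope("department", frozenset({"Downtown"}), frozenset({"Kitchen"}))

def ids(scope):
    return [r["id"] for r in scoped(scope, TIME_ENTRIES)]

if __name__ == "__main__":
    for name, s in [("admin", ADMIN), ("downtown", DOWNTOWN_MGR), ("kitchen", KITCHEN_MGR)]:
        print(name, ids(s))
```

The Kitchen Manager does not see row 3: a department scope only applies inside the user's assigned locations.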
Delegation Workflows
Temporarily grant your permissions to another user during vacations, leaves, or role transitions.
Creating a Delegation
- Go to Profile > Delegation
- Click Create Delegation
- Select the delegate (the person receiving your permissions)
- Choose which permissions to delegate:
  - All permissions: Full delegation of your role
  - Specific permissions: Select individual permissions
- Set the delegation period:
  - Start date and time
  - End date and time
- Add a reason (optional but recommended)
- Click Activate Delegation
Delegation Rules
| Rule | Description |
|---|---|
| Approval required | Delegations require admin approval (configurable) |
| Maximum duration | Delegations cannot exceed 30 days by default |
| No escalation | A delegate cannot further delegate permissions |
| Audit trail | All delegated actions are logged with the delegate's identity |
| Auto-expiry | Delegations automatically expire at the end date |
| Early termination | The delegator or an admin can end a delegation early |
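How the approval, maximum duration, no escalation, auto-expiry and early termination rules interact is easier to see in a small model. This is an added example, not Olympus Cloud's implementation: the class, function names and all permission names other than `approve_timesheet` are assumptions, and the users are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_DURATION = timedelta(days=30)  # default from the rules table; configurable

@dataclass
class Delegation:
    delegator: str
    delegate: str
    permissions: frozenset
    start: datetime
    end: datetime
    approved: bool = False                 # "Approval required"
    revoked_at: Optional[datetime] = None  # "Early termination"

def violations(d, role_perms):
    """Rule violations for a requested delegation. role_perms maps each user
    to the permissions granted by their own roles, not by delegation."""
    found = []
    if d.end <= d.start:
        found.append("end must be after start")
    elif d.end - d.start > MAX_DURATION:
        found.append("maximum duration exceeded")
    # Only role-granted permissions can be passed on, so a delegate cannot
    # re-delegate what they merely received ("No escalation").
    if not d.permissions <= role_perms.get(d.delegator, frozenset()):
        found.append("not held through the delegator's own role")
    return found

def is_active(d, at):
    """Approved, inside the window ("Auto-expiry") and not ended early."""
    if not d.approved or not (d.start <= at < d.end):
        return False
    return d.revoked_at is None or at < d.revoked_at

def effective_permissions(user, at, role_perms, delegations):
    perms = set(role_perms.get(user, frozenset()))
    for d in delegations:
        if d.delegate == user and is_active(d, at):
            perms |= d.permissions
    return perms

# Constructed sample: alice delegates timesheet approval to bob for ten days.
ROLE_PERMS = {"alice": frozenset({"approve_timesheet", "edit_time_entries"}),
              "bob": frozenset({"view_timesheets"}), "carol": frozenset()}
T0 = datetime(2025, 7, 1, 9, 0)
VACATION = Delegation("alice", "bob", frozenset({"approve_timesheet"}),
                      T0, T0 + timedelta(days=10), approved=True)
```

Evaluating `effective_permissions` at request time, rather than copying permissions onto the delegate, is what makes expiry and revocation take effect without a cleanup step.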
Managing Active Delegations
Admins can view all active delegations at Settings > Security > Active Delegations:
- See who has delegated to whom
- View the permission set and duration
- Revoke any delegation immediately if needed
Access Auditing
Track every permission-related action for compliance and security.
Audit Log
Access the audit log at Settings > Security > Audit Log.
| Event Type | What Is Logged |
|---|---|
| Login events | Successful and failed login attempts |
| Permission changes | Role assignments, custom role modifications |
| Data access | Report views, data exports |
| Configuration changes | Settings modifications, integration changes |
| Delegation events | Delegation creation, activation, expiry |
| User management | Account creation, deactivation, role changes |
Filtering the Audit Log
| Filter | Options |
|---|---|
| Date range | Specific dates or relative periods |
| User | Specific user or all users |
| Event type | Login, permission change, data access, etc. |
| Action result | Success or failure |
| IP address | Filter by source IP |
Exporting Audit Data
- Apply your desired filters
- Click Export
- Choose format (CSV or PDF)
- Download the audit report
Audit logs are retained for 12 months on Professional plans and 24 months on Enterprise plans. For compliance requirements beyond these periods, set up scheduled exports to your own archival system.
SSO Group Mapping
Map your identity provider's groups to Olympus Cloud roles for automated role assignment.
Supported Identity Providers
| Provider | Protocol | Status |
|---|---|---|
| Google Workspace | SAML 2.0 / OIDC | Supported |
| Microsoft Entra ID | SAML 2.0 / OIDC | Supported |
| Okta | SAML 2.0 | Supported |
| OneLogin | SAML 2.0 | Supported |
Setting Up SSO Group Mapping
- Go to Settings > Security > SSO Configuration
- Ensure SSO is configured and active (Enterprise plan required)
- Click Group Mapping
- For each IdP group, select the corresponding Olympus Cloud role:
  | IdP Group (Example) | Olympus Cloud Role |
  |---|---|
  | olympus-admins | Organization Admin |
  | olympus-managers | Location Manager |
  | olympus-schedulers | Scheduler |
  | olympus-timekeepers | Timekeeper |
  | olympus-employees | Employee |
- Set the default role for users without a group match
- Enable Auto-Provisioning to create accounts on first SSO login
- Save the mapping
SSO Group Sync Behavior
| Event | Behavior |
|---|---|
| User logs in via SSO | Role updated based on current IdP group membership |
| User added to IdP group | Role updated on next login |
| User removed from IdP group | Role reverted to default on next login |
| User deactivated in IdP | Access denied on next login attempt |
When SSO group mapping is enabled, manual role assignments in Olympus Cloud are overwritten on the user's next SSO login. To make individual exceptions, add the user to the appropriate IdP group rather than assigning the role manually.
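Before enabling group mapping, it helps to list which accounts will change on their next SSO login. The sketch below is an added example, not Olympus Cloud code: it applies the sync table to an inventory of users, assuming `Employee` as the default role and that a user in several mapped groups receives every mapped role. The accounts are constructed.

```python
GROUP_TO_ROLE = {  # the example mapping from the table above
    "olympus-admins": "Organization Admin",
    "olympus-managers": "Location Manager",
    "olympus-schedulers": "Scheduler",
    "olympus-timekeepers": "Timekeeper",
    "olympus-employees": "Employee",
}
DEFAULT_ROLE = "Employee"  # assumed setting for users without a group match

def roles_at_login(idp_groups, idp_active=True):
    """Roles held after an SSO login; None means access is denied."""
    if not idp_active:
        return None
    # Assumption: a user in several mapped groups receives every mapped role.
    roles = {GROUP_TO_ROLE[g] for g in idp_groups if g in GROUP_TO_ROLE}
    return roles or {DEFAULT_ROLE}

def review(users):
    """List (user, change, roles) for accounts whose roles change at next login."""
    findings = []
    for u in users:
        after = roles_at_login(u["idp_groups"], u["idp_active"])
        if after is None:
            findings.append((u["name"], "denied", []))
            continue
        current = set(u["current_roles"])
        if current - after:   # includes manual assignments that will be overwritten
            findings.append((u["name"], "lost", sorted(current - after)))
        if after - current:
            findings.append((u["name"], "gained", sorted(after - current)))
    return findings

# Constructed sample accounts (names and memberships are invented).
USERS = [
    {"name": "dana", "idp_groups": ["olympus-schedulers"], "idp_active": True,
     "current_roles": ["Scheduler", "Timekeeper"]},   # Timekeeper added manually
    {"name": "eli", "idp_groups": [], "idp_active": True,
     "current_roles": ["Location Manager"]},          # removed from IdP group
    {"name": "fay", "idp_groups": ["olympus-admins"], "idp_active": False,
     "current_roles": ["Organization Admin"]},        # deactivated in IdP
    {"name": "gus", "idp_groups": ["olympus-employees"], "idp_active": True,
     "current_roles": ["Employee"]},                  # already in sync
]

if __name__ == "__main__":
    for finding in review(USERS):
        print(finding)
```

Every "lost" finding is either a manual exception that needs an IdP group or access that should already have been removed.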