Setting up roles in Lucca

Before you get started

A role is a set of permissions that defines what the user or users to whom it is assigned can see and/or do when they log on to Lucca. This answers the question: What applications will users with this role have access to? And what will they be able to see and do?

The default roles are "user", "manager" or "administrator", but it is possible to customize others (unlimited), such as "accountant", "Timmi Absences user only", "company representative" or other, depending on the organization within the company.

In Lucca, there are two types of roles:

The primary role which represents a user's primary access rights. There can only be one primary role.
The secondary role allows access to additional features in addition to the primary role. A user can have several secondary roles. Secondary roles are generally used to supplement the primary role for a specific feature intended for a dedicated number of employees.

This page will explain how to add/create a primary or secondary role. On another page, you will learn how to assign this role to a user.

Access to role management

To access role management, click on the cog wheel at the top right of your navigation bar, then the "Roles" tab:

If you don't have access to the role settings, you can submit a request to the Lucca Help desk.

Easily find an existing role

Some databases already have a large number of roles set up. To easily find the one you're looking for, use the role filter search bar:

By username: by entering an @ before the last and first name (see screenshot below, right).
By role label (see screenshot below, left).
By software solution using # followed by the software name.

Create or edit a role

Now that you have accessed the role management, you have two options, if you want:

Create a role: click on the "add a role" button. You can name the role and indicate whether it is a primary role (as the name suggests, it represents the primary access rights of a user). A secondary role is simply a "complement" to the primary role.

The order in which the primary roles are displayed is important, because if you proceed as shown in the below screenshot, the administrator (1) won't be able to assign other employees a role higher than his own, the user role (2) for example. This is why the most important roles are placed at the top. To move them, simply click on the 3 horizontal bars to the left of the role name.

Modify a role: click directly on the relevant role

This takes you to the role settings, as shown in the screenshot below with:

3 tabs:
- Permissions: to enable/disable access to the application for this role, and manage view and action permissions within it (see dedicated paragraph below)
- Users: to view the users this role has been assigned to, and add new users to this role if necessary (see Help page: Assigning a role to one or more users)
- Establishments: to manage the scope of this role on one or more establishments (see dedicated paragraph below)

The option to view the history of this role (via a hypertext link)
Action buttons with the icons:
- Pencils to change the role title
- Duplicate to copy the role
- Trash can to permanently delete the role (provided there are no attached users)

Role permission details

In the "permission" tab, you can define:

Which applications the people with this role have access to. To add permissions, simply click on the relevant application, for example here "Cleemy Expenses"
The user permission to allow access to the application(s) can be set by ticking the box next to the permission
The permission's scope of application.

In the above screenshot, access has been given to Cleemy Expenses so the user can "view expense reports" and "enter expenses" for themselves as a user. We could have also provided access to other applications (Timmi Absences and Pagga Payslip, for example).

We could also have expanded the scope of the permission to other users. This could be useful if you wanted to set up the role of a manager, department head or administrator, for example. To do this, simply click on the "+" that appears when you hover the mouse over to the right of the already visible "user" perimeter:

As you can see in the above GIF, there are different types of access scopes:

- By department: to limit the scope of action according to the department tree structure.

Departments from level N: these are all the users assigned in the level-N department and its children by positioning themselves at the level of the employee with the role. The idea is to climb the department tree from the position of the employee with the role up to level N, and then to retrieve the list of all employees belonging to this branch of the tree.
Department and sub-departments: all employees belonging to the same department as the user with the role, as well as all those belonging to any child departments.
Department only: all employees belonging to the same department as the user with the role.

- By context:

Manager: this is the manager of the user with the role.
User: this is the user with the role.
Supervised employees: these are all employees whose manager is the user with the role. Convenient for configuring a manager role!
Employees with the same manager
Specific user(s)

You can combine several scopes of action within a single permission. In this example, people in this role can see details of absences for their supervised employees as well as for themselves.

Limiting the role according to the establishments

It is also possible to limit the scope of a role's permissions to one or more establishments. To do this, go to the Establishment tab of a role and tick the relevant establishments. In this example, people on the Timmi Absences - UK Administrator role will only be able to manage people on the Lucca UK establishment.

Assign the role to a user

Well done, you have created the role! Now assign it to users as described on the following help page: Assign a role to one or more users.