Roles : scopes of operation

Background information

A role is a set of rights that determines, for one or more users assigned to it, what they can see and/or do when they sign in to Lucca. This answers the questions: What applications will users with this role be able to access? And what can they see and do with them?

The default roles are: ‘user’, ‘manager’ or ‘administrator’, but you can customise other roles (as many as you want), like ‘accounting’, ‘ Timmi Absences user only’, ‘company representative’ or another, based on the company’s structure.

There are 2 types of roles in Lucca:

  • The primary role representing a user’s main access rights. There can only be one.
  • The secondary role enabling access to other features, in addition to the primary role. A user can have several secondary roles. Secondary roles are generally used to supplement the primary role on a specific feature intended for a number of dedicated employees.

This page will explain how to add/create a primary or secondary role. On another page, you will learn how to assign this role to a user.

Accessing role management

To access role management, click on the cogwheel, at the top right of your navigation bar; then the ‘roles’ tab:


If you cannot access role settings, request access from the Lucca help desk.

Easily finding an existing role

There is a database with many pre-configured roles. To easily find the one you are looking for, use the role filter bar to launch a search:

  • By username: by putting an @ before the last name and first name (see the screenshot below, right)
  • By role name (see the screenshot below, left)

chrome_RTHFgq7oqH.png mceclip1.png

Creating or editing a role

Now that you have accessed role management, you have 2 options, to:

  • Create a role: click on the ‘add a role’ button. You can then name the role and indicate whether it is a primary role (as its name implies, this represents a user’s main access rights). A secondary role is simply an addition to the primary role.


  • Edit a role: click directly on the name of the role in question


You will then go into the role’s detailed settings, as shown in the screenshot below, with:

  • 3 tabs:
    • Permissions: to enable/disable access to the application for this role and manage view and action permissions (refer to the dedicated paragraph below)
    • Users: to see users who have been assigned this role and possibly add new users to this role (see the help page: Assigning a Role to One or More Users)
    • Legal entities: to manage the scope of this role on one or more legal entities (refer to the dedicated paragraph below)
  • The option to view this role’s history (using a hyperlink)
  • The action buttons with icons: mceclip6.png
    • Pencils to change the role’s title
    • Copy to reproduce the role
    • Waste bin to permanently delete the role (as long as there are no users linked to it)


Details of the role permission

In the ‘permission’ tab, you will establish:

  1. What applications people with this role can access. To add permissions to it, simply click on the application in question, such as ‘ Cleemy Expenses’
  2. The user’s permission when they access the application(s), by ticking the box next to the permission
  3. The permission’s scope of application


In the screenshot above, we gave the user access to Cleemy Expenses so that they can ‘view expense reports’ and ‘enter expenses’, only on their own behalf. We could have given them access to other applications too ( Timmi Absences and Pagga Payslip, for example).


We also could have expanded the scope of the permission to other users. This would be useful if we were configuring a manager, department head or administrator role, for example. To do this, simply hover the mouse over the ‘user’ scope that is already there and click on the ‘+’ that appears to the right of it:


As you can see in the GIF above, there are different types of access scopes:

- By departments: to limit the field of action based on the department tree view.

  • Departments from level X: these are all users assigned to the level X department and its child departments, from the position of the level of the employee with the role. This means going up the department tree starting from the position of the employee with the role until reaching level X, then retrieving the list of all employees belonging to this branch of the tree.
  • Department and sub-departments: these are all employees in the same department as the user with the role, as well as all those who belong to any child departments.
  • Single department: these are all employees belonging to the same department as the user with the role.


- By context:

  • Manager: this is the manager of the user with the role.
  • User: this is the user who has the role.
  • Supervised colleagues: these are all the employees whose manager is the user with this role. Useful for configuring a manager role!
  • Employees with the same manager
  • Specific user(s)


You can add up several scopes of action on the same permission. For example, here, people with the role can see the details of their supervised colleagues’ absences as well as their own.


Limiting the role by legal entity

You can also limit the field of action for all of a role’s permissions to one or more legal entities. To do this, you must go to a role’s Legal entity tab and tick the legal entities in question. In this example, people with Timmi Absences - Administrator UK roles can only perform actions on people from the Lucca UK entity.


Assigning the role to a user

Well done! You created the role. Now you need to assign it to users by following the instructions described on the following help page: Assigning a Role to One or More Users.

Other configuration features

One feature of Timmi Absences and Poplee application roles is that they have operations with fields of application that can also be limited to a sub-group of items specific to the business of each application.

For Timmi Absences, business items are lists of absence accounts. As a result, certain Timmi Absences operations, like ‘Place on leave’, may only apply to a certain list of absence accounts that must be defined in advance. For more information on the list of accounts, please visit the following help page.

Poplee business items are different sections inside of which user data are organised. Consequently, the configuration for a role granting access to Poplee allows you to clearly define both read and right access permissions for each section. For more information on setting up Poplee roles, please visit the following help page.

Page content

Was this article helpful?
5 out of 6 found this helpful