Setting up roles in Lucca

Before you get started

A role is a set of permissions that defines what the user or users to whom it is assigned can see and/or do when they log on to Lucca. This answers the question: What applications will users with this role have access to? And what will they be able to see and do?

The default roles are "user", "manager" or "administrator", but it is possible to customize others (unlimited), such as "accountant", "Timmi Absences user only", "company representative" or other, depending on the organization within the company.

In Lucca, there are two types of roles:

  • The primary role which represents a user's primary access rights. There can only be one primary role.
  • The secondary role allows access to additional features in addition to the primary role. A user can have several secondary roles. Secondary roles are generally used to supplement the primary role for a specific feature intended for a dedicated number of employees.

This page will explain how to add/create a primary or secondary role. On another helpsheet, you will learn how to assign this role to a user.

Access to role management

To access role management, click on the cog wheel at the top right of your navigation bar, then the "Roles" tab:

If you don't have access to the role settings, you can submit a request to the Lucca Help desk.

Easily find an existing role

Some databases have a large number of roles already set up. In order to find them easily, the module lets you search by different criteria:

  1. By role description (see the screenshot below, on the left-hand side).
  2. By user, by selecting employees from the list (see the screenshot below, on the right-hand side).
  3. By solution, by selecting it from the list (in the same way as for the employees).


As you can see from the screenshots above, roles are also categorized according to their level of criticality.
This enables you to quickly see whether a role has important or potentially critical permissions.
The best practice is to ensure consistency between the role’s criticality level and the role description itself, e.g. a role labeled “Cleemy user” that is categorized as “Business manager”.

As a guide, here is the list of criticality levels:

Dessin sans titre (1).jpg

Note that there is actually a sixth category called “No category”, which is for permissions that cannot be categorized for technical reasons. It serves as an exception.

Create or edit a role

Now that you have accessed the role management, you have two options, if you want:

  • Create a role: click on the "add a role" button. You can name the role and indicate whether it is a primary role (as the name suggests, it represents the primary access rights of a user). A secondary role is simply a "complement" to the primary role.

  • Modify a role: click directly on the relevant role

This takes you to the role settings, as shown in the screenshot below with:

  • 3 tabs:
    • Permissions: to enable/disable access to the application for this role, and manage view and action permissions within it (see dedicated paragraph below) ;
    • Users: to see the users that have been assigned this role, and to add new users to this role if necessary (see our helpsheet: Assigning a role to one or more users);
    • Establishments: to manage the scope of this role for one or more establishments (see dedicated paragraph below).
  • The option to view the history of this role (via a hypertext link).
  • Action buttons with icons and the name of the role:
    • Pencils to edit the name of the role by clicking on it. You can edit the name according to the language;
    • Duplicate to copy the role ;
    • A trash can to permanently delete the role (provided there are no attached users, otherwise it remains grayed out, as shown here).

You'll notice that the pictograms used to define criticality can be found in both the application and scope tabs.

This enables you to quickly analyze the composition of the role and the level of permission granted for each application.

Role permission details

In the "permission" tab, you can define:

  1. which applications the people with this role will have access to. To add permissions, simply click on the relevant application, for example here "Cleemy Expenses"
  2. The user permission to allow access to the application(s) can be set by ticking the box next to the permission
  3. The permission's scope of application.

Sans titre.png

In the above screenshot, access has been given to Cleemy Expenses so the user can "view expense reports" and "enter expenses" for themselves as a user. We could have also provided access to other applications (Timmi Absences and Pagga Payslip, for example).

We could also have expanded the scope of the permission to other users. This could be useful if you wanted to set up the role of a manager, department head or administrator, for example. To do this, simply click on the "+" that appears when you hover the mouse over to the right of the already visible "user" perimeter:


As you can see in the video above, there are different types of access scopes:

  • By department: to limit the scope according to the hierarchical organization of the department.
    • Departments from level N: these are all the users assigned in the level-N department and its children by positioning themselves at the level of the employee with the role. The idea is to climb the department tree from the position of the employee with the role up to level N, and then to retrieve the list of all employees belonging to this branch of the tree.
    • Department and sub-departments: all employees belonging to the same department as the user with the role, as well as all those belonging to any child departments.
    • Department only: all employees belonging to the same department as the user with the role.
  • By context:
    • Manager: this is the manager of the user with the role.
    • User: this is the user with the role.
    • Supervised employees: these are all employees whose manager is the user with the role. Convenient for configuring a manager role!
    • Employees with the same manager
    • Specific user(s)


You can combine several scopes of action within a single permission. In this example, people in this role can see details of absences for their supervised employees as well as for themselves.

Each scope has a criticality level, for example, in the screenshot above, the given scopes each have a different criticality level. “Supervised employees” have a “Manager” criticality level and “Specific department(s)” have a “Business administrator” criticality level.

If editing a permission or scope changes the criticality level of a role, a message will be displayed in the interface, to prevent you from making any errors.
Here's an example of the message that will be displayed if you save the permission above:

Limiting the role according to the establishments

It is also possible to limit the scope of a role's permissions to one or more establishments. To do this, go to the Establishment tab (no. 1) of a role and tick the relevant establishments. In this example, people with the Timmi Absences - UK Administrator role will only be able to manage people at the Lucca UK establishment (no. 2).

However, please note that you can also limit it to the user's establishment (no. 3), so you do not have to create a role for each establishment.

Assign the role to a user

Well done, you have created the role! Now assign it to users as described on the following helpsheet: Assign a role to one or more users.

Page content

Was this article helpful?
8 out of 11 found this helpful