Last Updated: July 30, 2025
Overview:
This feature allows users to be assigned more than one role, with permissions evaluated intelligently across scopes and actions — giving organisations greater flexibility, clearer permission logic, and stronger control over users' access.
TABLE OF CONTENTS
1. Multiple Roles = Combined Permissions
2. Per-Scope Evaluation
3. Conflict Resolution: Higher Access Wins
4. Scope Enforcement Over Incidental Overlap
5. Terminated Employees Handling
6. Distinct Role Assignment Paths
7. Edit with Approval - Approval Rules: Rank-Based Resolution
8. Non-Scoped Permissions (What User Can Do)
Multi-role access can be enabled via:
- Employee Profile; Access Level tab
- Add Employee
- Bulk Import Feature
Why does it matter?
In growing organisations, one person often wears multiple hats — for example, a regional HRBP who manages both company-level data and a direct team. This feature will allow:
- Admins to assign multiple roles to a single user
- Omni to evaluate permissions correctly across scopes
Core Concepts
- Scope: Where the role’s permissions apply (e.g., Company A, Direct Reports)
- Permission Type: What the user is allowed to do (View, Edit, No Access)
- Access Level: The strength of the permission (Edit > View > No Access)
How does it work?
1. Multiple Roles = Combined Permissions
- A user can now have more than one role. Permissions from all assigned roles are evaluated in combination, but only within their respective scopes.
Example: Meet Sarah
Sarah is an HR Manager who handles both:
- Global HR operations (Company-wide), and
- A regional team (her Direct Reports)
So she has two roles:
Result:
- Sarah can view Compensation for her Direct Reports
- Sarah cannot view Compensation for other employees in Company A — even though some of her Direct Reports are in Company A
- Each role is applied within its own scope.
- Even though both scopes include employees from Company A, Sarah only gets what each role explicitly allows.
2. Per-Scope Evaluation
- Each role is evaluated independently per scope.
Example: Meet Ravi
Ravi has two roles:
Result:
- Ravi can Edit Compensation for employees in Company A
- Ravi can only View Compensation for employees in Company B
- Ravi cannot edit compensation in Company B even though he has Edit permission in another scope
Why: Permissions apply only within each defined scope. Edit in one company doesn’t grant edit in another.
3. Conflict Resolution: Higher Access Wins
- When two roles define different permissions for the same scope, Omni will apply the higher access level:
- Higher | Edit > View > No Access | Lower
Example: Lina
Lina has two roles that both apply to Company A:
Result:
- Lina will have View access to Bank Info for Company A
Why: In the same scope, View overrides No Access.
4. Scope Enforcement Over Incidental Overlap
- Even if users share entities (e.g., a Direct Report exists in a restricted company), the system won’t allow unintended access. Access is granted only if explicitly permitted in the scope.
Example: Alex
Alex has two roles:
Some of Alex’s Direct Reports work in Company A.
Result:
- Alex can view Compensation for Direct Reports
- Alex cannot view Compensation for other employees in Company A
Why: Even though some Direct Reports are in Company A, Role A’s restriction does not override Role B’s specific scope. Each scope is respected independently.
5. Terminated Employees Handling
- If any role includes terminated employees for a given scope → they will be visible
- If none of the roles include them → they are excluded
Example: Farah
Farah has two roles:
Some of her Direct Reports are terminated and are part of Company A.
Result:
- Farah can view terminated employees in Company A
- Farah cannot view terminated Direct Reports outside of Company A
Why: Terminated visibility is respected per scope. Inclusion in one scope (Company A) doesn't spill over to others.
6. Distinct Role Assignment Paths
- Omni splits how roles can be assigned:
- Assign Role permission controls roles you can assign to existing employees
- Add Employee permission controls roles assignable during hiring
- When a user has multiple roles, assignable roles are determined separately for each path.
Example: Marcus
Marcus has two roles:
Result:
- When hiring a new employee (Add Employee), Marcus can assign only Roles C and D
- When updating an existing employee (Assign Role), Marcus can assign only Roles A and B
Why: Assign Role and Add Employee use separate permission paths.
7. Edit with Approval - Approval Rules: Rank-Based Resolution
- If a user has multiple roles and more than one approval rule applies when editing profile sections:
- The system applies the highest-ranked matching rule, based on the rule order in the system
- Only one rule is applied per action, and it must match at least one role the user has
Example: Darwin
Darwin has three roles: Role 1, Role 2, Role 3
Approval rules for editing Basic Info:
Result:
- Rule 1 is applied, because it’s higher-ranked and Darwin has Role 2, which matches it
Why: Only one rule is applied, and it's the highest-ranked one that matches any of the user's roles
8. Non-Scoped Permissions (What User Can Do)
- Some permissions — like View Org Chart, Manage document library, or Manage OKR settings — are not tied to any scope.
- In these cases, Omni will check whether any assigned role includes the permission.
Example: Ken
Ken has two roles:
Result:
- Ken can view the Org Chart because at least one role grants it
⚠️ Important Exception
Generate and Download Reports is a non-scoped action, but the data included in the report will still respect the user's scoped visibility.
Even if a role grants access to Generate Reports:
- The report content is filtered based on who the user is allowed to see, according to their scoped roles.
- This ensures that users cannot export data they don’t have permission to view in the system.
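The evaluation rules from sections 1 to 5 and 8 can be modelled in a few lines. This is an added example, not Omni's own code. The `Role` and `Employee` structures, the function names and the role definitions for Sarah are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable
RANK = {"No Access": 0, "View": 1, "Edit": 2}  # Edit > View > No Access

@dataclass(frozen=True)
class Employee:
    name: str
    company: str
    manager: str = ""
    terminated: bool = False

@dataclass
class Role:
    in_scope: Callable[[Employee], bool]           # scope: who the role covers
    sections: dict = field(default_factory=dict)   # profile section -> level
    include_terminated: bool = False
    functions: frozenset = frozenset()             # non-scoped permissions

def effective_access(roles, target, section):
    """Highest level among the roles whose scope actually contains target."""
    best = "No Access"
    for role in roles:
        if not role.in_scope(target):
            continue                # a role never applies outside its scope
        if target.terminated and not role.include_terminated:
            continue                # terminated visibility is per scope
        level = role.sections.get(section, "No Access")
        best = max(best, level, key=RANK.get)  # same target: higher wins
    return best

def can_do(roles, function):  # non-scoped: any assigned role may grant it
    return any(function in role.functions for role in roles)

def generate_report(roles, employees, section):
    """Non-scoped action whose rows are still filtered by scoped visibility."""
    if not can_do(roles, "Generate Reports"):
        raise PermissionError("no assigned role grants Generate Reports")
    return [e.name for e in employees
            if effective_access(roles, e, section) != "No Access"]

SARAH = [  # constructed roles; the page's role tables are not reproduced
    Role(lambda e: e.company == "Company A", {"Compensation": "No Access"},
         functions=frozenset({"Generate Reports"})),
    Role(lambda e: e.manager == "Sarah", {"Compensation": "View"}),
]
STAFF = [Employee("Amir", "Company A", "Sarah"), Employee("Bea", "Company A", "Tom"),
         Employee("Chen", "Company B", "Sarah"),
         Employee("Dana", "Company B", "Sarah", terminated=True)]  # constructed
print(generate_report(SARAH, STAFF, "Compensation"))
```

When auditing a multi-role assignment, running each user's roles against every employee this way shows exactly which records a report export would contain.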
Related Article(s):
- How to Manage and Assign New Roles Within a Role
- Configuring the Access Control - Role's access to Employee profiles
- Configuring the Access Control - Role's access to System Functions
Still Need Help?
Reach out to our support team should you need further assistance.