Skip to main content

help center

Pay Suite

Submit a request
Submit a request
  1. beqom PaySuite HelpCenter
  2. Technical admin
  3. Users & roles

Authorization in Pay Suite

Paulina Hausner-KraiƄska
  • Last updated:

Authorization in Pay Suite

Pay Suite provides a flexible and secure way to manage user permissions and data visibility within the platform. Its authorization model, which combines Roles and Attribute-Based Access Control (ABAC), protects sensitive employee data and ensures that users only see the workers they're supposed to. Organizations can easily scale their access model by reusing existing attributes, and flexibility is available through overrides for exceptions and special cases. In short, Pay Suite's authorization model balances control with flexibility, ensuring compliance while adapting to customer needs.

Roles and ABAC explained

Roles define what actions a user can perform. For example, a Compensation Administrator role might grant a user permission to create and publish a compensation round.

ABAC defines which workers a user can see, based on attributes such as organization, location, or employment status. For example, that same Compensation Administrator might only see employees in their specific region or business unit, depending on their assigned attributes.

This separation ensures that users not only have the right permissions but also only see data that's relevant to them. It allows organizations to configure granular access, meaning a user can have powerful permissions but still be restricted to a defined population of workers.

Cohort vs. Override attributes

ABAC in Pay Suite uses two types of attributes to manage visibility:

  • Cohort Attributes: These define a user's baseline population. They are automatically applied based on data values like Organization, Worker Country, or Employment Status. For instance, a manager might only see active employees in Ireland within the Sales organization.

  • Override Attributes: These allow for exceptions to the baseline. For example, a Compensation Administrator could be given visibility of a single employee or an additional organizational unit outside their normal cohort. Overrides can explicitly include or exclude specific workers.

This model provides both structure (via cohorts) and flexibility (via overrides). For more information about this model please, see: Controlling access with ABAC and Role assignments.

How authorization is managed

Authorization in Pay Suite can be configured in two ways, offering customers control based on their needs:

  • CSV Upload: Administrators can configure roles and ABAC attributes directly in the platform's Security & Roles section by uploading a CSV file. This method is often used for initial setup or for bulk updates. For more information please, see: Managing professional roles.

  • Authorization API: For dynamic or automated management, customers can use the Authorization API to programmatically assign roles and ABAC attributes. This approach is ideal for integrating Accelerate with existing identity or HR systems. For more information please, see: Managing roles via API.

Attachments
Was this article helpful?
0 out of 0 found this helpful
Return to top