Security in Taleo Performance

    Security Overview

    Security is the combination of what type of information you can access, whose data you can view, and what actions you can perform.

    Conceptually, security is broken down into three main pillars, focused on object ownership, hierarchy, and coverage areas. Other components, such as mentoring, matrix management and talent pools lead to slight variations on the three main themes.

    Practically, security is handled by a combination of user type permissions, user accounts, coverage areas, and groups, which control access to functional domains. The placement of organization, location, and job fields within coverage areas and groups helps in segmenting users' access.

      Security Components

      The majority of Taleo Performance security conditions can be met using the controls provided by object ownership, hierarchical control of objects and coverage areas.

      These impact the relationship a user has with the different domains in Taleo Performance.

        Object Ownership

        Ownership security means a user can access objects they own.

        Typically, when a new object is created for someone and assigned to them, they become the owner of that object, for instance when an employee creates a development activity for themselves or when a manager creates a goal for an employee. The majority of the time this refers to the employee's perspective; however, for position management it is based on the position manager's perspective. There can only be a single owner of an object.

        Image showing an object ownership where an employee owns a development plan.

          Hierarchical Control of Objects

          Hierarchical security is based on a hierarchical structure - the reporting relationships that exist within an organization.

          This supports the employee organizational structure with two levels of hierarchical security: direct or indirect. Direct provides access to the details of a line manager's direct report (or level 1 in relation to the diagram). Indirect access can give higher level managers (level 2 & more) the same rights to the employee's information as the line manager. For example, a vice-president might have rights to assign a goal to all people who report below him, not just his direct reports.

          Taleo Performance supports hierarchical control based on the employee organizational structure, meaning that access to objects is dependent on the user's relationship to the owner of the object.

          Image showing an employee organizational structure. At the top, there is a high level manager, below a direct manager, below an employee.

            Coverage Areas and User Groups

            A coverage area is a combination of functional domains, organizations, locations, and job fields that can be associated with an individual - or combined in user groups and associated with multiple users - to control their access to people and parts of Taleo Performance.

            Coverage areas must consist of at least a single functional domain, but otherwise can include any number of domains, organizations, locations and job fields. The items included in a coverage area are what the user associated with the coverage area has access to. Once a user is associated with a coverage area - either individually or via a group - they can only see other users who also have the same association. For instance, if your coverage area includes the engineering organization, then only employees in that organization will be displayed when you run a search.

            Typically in large organizations it is not realistic or scalable to apply coverage areas to users individually and groups are preferred. Groups using coverage areas enable security to be applied that mirrors how your organization is structured. An additional benefit of using groups is that Taleo Connect Client can be used to assign groups to employees, saving the time of manually assigning them in SmartOrg.

            Image showing an example of coverage area for an organization.

            Combining coverage areas and groups increases your access to Taleo Performance, much in the same way that user type permissions are cumulative and offer the widest access. If you have one coverage area with the Performance Reviews domain and the location Canada and add another coverage area with Goal Plans and United States, you can see employees who meet either coverage area criteria.

            These are referred to as OR relationships, in that employees who fit either set of criteria are displayed to the user. They do not need to match both, which would be an AND relationship.

              Functional Domains for Coverage Areas

              These functional domains can be added to coverage areas to provide users with access to the corresponding modules in Taleo Performance.

              Functional domain information, with regard to user type permissions, is available in the section Performance User Type Functional Domains.

              | Name | Function |
              | --- | --- |
              | Career Plans | This controls access to the Career Plan module. |
              | Development Plans | This includes the Development Plan module and development activities. Activities can be created in context in different modules outside of the development plan module. |
              | Employee Metrics | These can be displayed throughout Taleo Performance, such as the talent profile and performance card. |
              | Employee Profile | This controls access to the overall talent profile object; however, this does not include all of the content of the talent profile. For instance, access to employee metric data on the talent profile requires the employee metrics domain. This also controls access to the people selector. |
              | Goal Plans | This controls access to the Goal Plan module. |
              | Performance Reviews | This controls access to the Performance Reviews module and managers also get access to the Performance Review Management view, which shows all the reviews they are responsible for in list form. |
              | Succession Employee Search | This is required to be able to search for people to add to succession plans and talent pools. |
              | Succession Plans | This controls access to the Succession Plan module and Talent Pools. |
              | Team Management | This controls access to actions in the Team Management and Talent Browser, such as adding an employee, adding a matrix manager, changing an employee's manager, and changing an employee's OLF values. |

                User Type Security Permissions

                User type permissions are the main method used for controlling security in Taleo Performance. This section provides information on these permissions and how they affect access to modules and the actions you can complete in Taleo Performance.

                Access to Taleo Performance features is controlled by user type permissions. Permissions are organized by functional domains. For instance, Goal Plans, Performance Reviews and Employee Profiles are specific domains that can have unique user permissions configured for each user type. For each domain, the administrator can configure whether the user type will have read-only access (View) or full edit rights (Manage). With a goal plan a line manager may have View and Manage permissions, while with an employee profile the line manager may only be able to view it.

                View and Manage permissions can be applied to the user’s own data, their direct reports, the employees of those direct reports, employees within the user’s coverage area and individuals the person mentors.

                Note: Having Manage access does not imply View access; View must also be selected.

                Permissions are cumulative and the most expansive access related to those permissions is applied to the actions of a user. For instance, a user may be assigned a line-manager user type, which enables them to edit the goals of their direct reports only. In addition, the user may also be associated with a user type that provides view and manage permissions for goal plans associated with the same group as the user, which would then allow the user to edit non-direct report goals.
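
The rules in this section, together with the OR behaviour of coverage areas described earlier, can be checked with a small model. The following is an added example, not Oracle's code and not part of the original documentation: a simplified Python model that unions grants across user types, treats coverage areas as OR alternatives, and audits for Manage granted without View. The user type codes LINE_MANAGER and GROUP_EDITOR, the employee names, and the rule that every dimension inside one coverage area must match are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Scopes follow the page's list of whose data View/Manage can apply to.
OWN, DIRECT, INDIRECT, COVERAGE, MENTEE = "own", "direct", "indirect", "coverage", "mentee"

@dataclass(frozen=True)
class Grant:
    domain: str  # functional domain, e.g. "Goal Plans"
    action: str  # "View" or "Manage"
    scope: str   # one of the scopes above

@dataclass
class CoverageArea:
    domains: set    # at least one functional domain
    criteria: dict  # dimension ("org", "location", "job_field") -> allowed values

    def matches(self, domain, emp):
        # Assumption: every dimension listed in one coverage area must match.
        return domain in self.domains and all(
            emp.get(dim) in allowed for dim, allowed in self.criteria.items())

@dataclass
class User:
    name: str
    user_types: dict  # user type code -> list of Grant
    coverage_areas: list = field(default_factory=list)
    mentees: set = field(default_factory=set)

def scopes_for(user, emp, domain, manager_of):
    """Every scope that relates `user` to `emp` for one functional domain."""
    scopes = {OWN} if emp["name"] == user.name else set()
    chain, boss = [], manager_of.get(emp["name"])
    while boss and boss not in chain:  # walk up the reporting line, stop on cycles
        chain.append(boss)
        boss = manager_of.get(boss)
    if chain[:1] == [user.name]:
        scopes.add(DIRECT)
    elif user.name in chain:
        scopes.add(INDIRECT)
    if any(ca.matches(domain, emp) for ca in user.coverage_areas):  # OR across areas
        scopes.add(COVERAGE)
    if emp["name"] in user.mentees:
        scopes.add(MENTEE)
    return scopes

def effective_actions(user, emp, domain, manager_of):
    """Union of actions over all user types: permissions are cumulative."""
    scopes = scopes_for(user, emp, domain, manager_of)
    return {g.action for grants in user.user_types.values() for g in grants
            if g.domain == domain and g.scope in scopes}

def manage_without_view(user):
    """Audit: (domain, scope) pairs granted Manage but never View."""
    granted = {(g.domain, g.scope, g.action)
               for grants in user.user_types.values() for g in grants}
    return sorted((d, s) for d, s, a in granted
                  if a == "Manage" and (d, s, "View") not in granted)

# Constructed sample data (not from a real tenant); user type codes are hypothetical.
MANAGER_OF = {"ben": "ana", "cy": "ben"}
EMPLOYEES = {n: {"name": n, "location": loc} for n, loc in
             [("ben", "Canada"), ("cy", "Canada"), ("dee", "United States")]}
LINE_MANAGER = [Grant("Goal Plans", "View", DIRECT), Grant("Goal Plans", "Manage", DIRECT)]
GROUP_EDITOR = [Grant("Goal Plans", "View", COVERAGE), Grant("Goal Plans", "Manage", COVERAGE),
                Grant("Employee Profile", "Manage", COVERAGE)]  # Manage with no View
AREAS = [CoverageArea({"Performance Reviews"}, {"location": {"Canada"}}),
         CoverageArea({"Goal Plans"}, {"location": {"United States"}})]
ana = User("ana", {"LINE_MANAGER": LINE_MANAGER}, AREAS)
ana_plus = User("ana", {"LINE_MANAGER": LINE_MANAGER, "GROUP_EDITOR": GROUP_EDITOR}, AREAS)

if __name__ == "__main__":
    for emp in EMPLOYEES.values():
        print(emp["name"], sorted(effective_actions(ana_plus, emp, "Goal Plans", MANAGER_OF)))
    print("Manage without View:", manage_without_view(ana_plus))
```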

                  Default User Types

                  Taleo Performance provides three basic user types that can be used as the foundation for configuring different user types for your implementation.

                  Depending on the requirements of your organization and the modules that are used, you may need to create a number of customized user types. Most users typically fall into an employee, manager, or administrator category and the default user types make it easy to create your customized user types accordingly.

                  Taleo Performance Default User Types

                  | Name | Code |
                  | --- | --- |
                  | HR Administrator | PM_HR_ADMINISTRATOR |
                  | Manager | PM_MANAGER |
                  | System Administrator | PM_SYSTEM_ADMIN |
                  | Employee | PM_EMPLOYEE |

                    HR Administrator

                    The HR Admin user type provides access to HR Administration Tools, options for managing workflow processes of items like performance reviews and goal plans, as well as general administrative oversight into your Taleo Performance implementation.

                    The ability to use the HR Administration Tools is the most important part of the HR Administrator's permissions. These tools enable the administrator to troubleshoot approvals and restart them or complete them as necessary. This enables the administrator to act as the first line of support and potentially resolve problems quickly for managers and employees.

                    It is recommended that there be at least one individual assigned to the HR Administrator - Global role, to ensure that there is never an object (goal plan, succession plan, performance review, career plan) that does not have an HR Administrator responsible for it.

                      Manager

                      The manager user type gives managers access to work with information on their reports for all functionalities across Taleo Performance.

                      Managers can view and edit information for their employees in each of the modules. By default, managers have read and write access to their direct reports and subsequent levels of employees.

                        Employee

                        The employee user type is for those users in an organization who do not have line manager or system admin duties and do not require access to HR Administration Tools or the Manager Center.

                        By default, an employee has read and write access to their own records and information, but not those of anyone else.

                          Additional User Types

                          The Matrix Manager and Mentor user types enable any employee in the application to take those roles.

                            Matrix Managers

                            Matrix management provides the ability to assign employees, for a specific period, to matrix or proxy managers that can participate in reviews, goals and any other tasks on behalf of the primary manager.

                            The matrix management feature provides important management functions:
                            • Allows managers to share their work responsibilities and administrative tasks with matrix managers who may act on their behalf.

                            • Allows managers or HR administrators to appoint temporary resource managers. If a primary manager is unavailable or on leave, their tasks and performance management functions may be conducted by the matrix manager.

                            • Allows matrix managers to participate in performance management functions of employees who work in cross functional teams. It is important to note that to be entitled to participate in a review, matrix managers must also be made review collaborators.

                              Mentors

                              Mentor user type permissions enable a user to take on the responsibilities of a mentor without needing to worry about organizational or hierarchical structures.

                              Mentor View/Manage permissions can be set for any functional domain that a mentor could require access to, such as development plans, career plans and employee profiles.

                                Performance User Type Functional Domains

                                User type permissions are organized by functional domains.

                                A user type can accumulate permissions for multiple functional domains and gain access to many products and modules within them. For the functional domains to be available, the corresponding module must be activated in Configuration > [SmartOrg] Administration > Product Configuration. You must typically have support user access to activate modules.

                                  Performance Reviews

                                  Users must have View permissions to access the Review links and Manage permissions to create and edit performance reviews.

                                  Along with the typical view/manage and administration tools permissions, managers can have additional access to the Performance Review Management view with the Access via Manager Center permission. This permission grants the user access to the Performance Review Management view, from the 'Team Reviews' link displayed under the Navigation bar's More dropdown. However, the user needs viewing and/or managing rights to performance reviews to be able to view/manage reviews. When performance reviews are accessed via the Navigation bar > More dropdown > Team Reviews link, the user is presented with a list of reviews, which offers a new management view that can be used to display a specific group of reviews and to take action upon multiple reviews at once if needed.

                                    Succession Plans

                                    Users must have View permissions to have access to the Succession Plan links and Manage permissions to create and edit succession plans.

                                    With the appropriate view and manage permissions, users can complete tasks such as creating succession plans, adding and removing successors, requesting approvals, and ranking successors. While the Succession Plan module is required for Talent Pools to be available, Talent Pool user permissions are kept in the Common functional domain.

                                      Goal Plans

                                      Users must have View permissions to have access to the My Goal Plan and Goal Plan links and Manage permissions to create and edit goal plans.

                                      Along with allowing access to goal plans from HR Administration tools, the Access administration tools permission enables you to see which goal plan template is used for the goal plan you are currently viewing in Taleo Performance.

                                        Career Plans

                                        Users must have View permissions to have access to the Career links and Manage permissions to create and edit career plans.

                                          Development Plans

                                          Users must have View permissions to have access to the Development links and Manage permissions to create and edit dev plans.

                                          As development activities can be created in different contexts throughout the system, it is not enough for a user to have access to a certain module; they must have the development plan permissions as well. For instance, while you do not need development plan user permissions to use talent pools, if you want to assign development activities to a talent pool member then you need them.

                                            Employee Metrics

                                            Employee metrics represent employee information that can be used for analysis or calibration purposes or to show summary information about an employee.

                                            While metrics user type permissions control overall access to metrics in Taleo Performance, configuration settings control which specific metrics are displayed and editable.

                                            The employee metrics that are configured to be displayed and/or edited are reflected in various locations:
                                            • in the Talent Profile

                                            • in the employee's performance card and summary profile

                                            • in the Employee Details window, available from the performance card

                                            • in the Talent Snapshot

                                            Employee metrics can also be used as dimension types for the X and Y axes in matrices. This can affect which people are automatically rated on a matrix and which people can have their metrics updated. Users with fewer employee metric permissions will typically see a larger unrated population.

                                              Team Management

                                              Team Management provides managers with a self-service tool for performing employee changes and maintaining information about their employee-manager relationships.

                                              The team management options are available from Performance Cards in the Manager Center and from HR Administration Tools. Users must have Access permission to create new requests via the Request Employee Change and Add Employee Go to menu options. To cancel a change request the user must have general Access permission and be the owner of the approval request or have the Access administration tools permission.

                                              Following is a list of possible team management actions:
                                              • Add an employee from another team

                                              • Add a matrix manager

                                              • Change an employee's manager, thus moving the employee to another team

                                              • Change an employee's organization

                                              • Change an employee's location

                                              • Change an employee's job field

                                              Team management permissions also control access to Talent Search, Native Reporting and setting up Matrix Manager relationships. Instead of having product settings to enable these features, they are enabled via their permissions.

                                                Employee Profile

                                                These view and manage permissions control users' access to the Talent Profile.

                                                Employee profile permissions grant access to the overall talent profile object; however, they do not necessarily grant access to all of the sections of a talent profile. For instance, the ability to edit the metrics displayed on the talent profile is controlled by Configuration > [Taleo Performance] Administration > [Employee Management] Metrics Configuration.

                                                Employee profile permissions also control access to the People Selector from the Employee > Other... option. Without permissions more expansive than View > If this user is the owner, users will not be able to search for other employees while within a module. These permissions also impact who can upload an employee photo.

                                                  Administration

                                                  This provides access to the Taleo Performance section of the Configuration module.

                                                  Selecting Allow system administration provides access to all of the configuration sections required for configuring Taleo Performance, with the exception of SmartOrg. To be able to access SmartOrg and set up users the Manage User Accounts permission is required.

                                                    Business Goals and Projects

                                                    There are only single View and Manage permissions for business goals and projects.

                                                    These options add Business Goals and My Projects to the user’s Navigation bar under the More dropdown, and enable the user to view those objects. The business goals you can view are dependent on which business organizations you have access to.

                                                    Note: These settings are not used for employee goal plans.

                                                      Other User Type Domains

                                                      There are a few additional domains, sitting outside Performance that impact the product.

                                                        Pools

                                                        While pools are currently only available within Taleo Performance, the permissions have been placed in a Common domain.

                                                        The permissions for talent pools do not work in the same manner as for other domains. A key difference between talent pool permissions and other components is that talent pools have explicit creation and deletion permissions nested within an umbrella manage permission. With only the Manage permission, the user can edit pools, but cannot create them. Once the Allow creating and deleting pools permission is selected, the user can begin adding new pools. Also, to change pool ownership, users must have the high level View and Manage permissions.

                                                        For an example of these constraints, see Talent Pool User Permissions.

                                                          Compensation Data

                                                          The view and manage compensation data permissions control the ability to edit the data in those areas. This includes current salary, salary increase, target bonus and non-vested stock. This only impacts how compensation data is handled in the talent profile. Compensation security in Taleo Enterprise is managed separately.

                                                            Succession Employee Search

                                                            This domain is only available when you are selecting functional domains to include in a coverage area associated with a user group.

                                                            This domain controls who users can search for within Succession Plans and Talent Pools. When a user within a group that has the Succession Employee Search domain associated with it searches for people to add to a succession plan or pool, they will only be able to search amongst other people within that group.

                                                              Learning

                                                              In addition to Learn user type permissions, Development Plan user permissions are required to successfully use Taleo Learn functionality within Taleo Performance.

                                                              Unlike other functional domains, which typically provide view and manage access to different levels of users, Learn permissions map user types in Taleo Performance to user types in Taleo Learn. For instance, you can access Learn as a default user, supervisor, administrator, or as a custom user type.

                                                              Please consult Taleo Learn documentation for full details on user permissions within the Learn system.