
Core Concepts

1. Hierarchical Permission Model (N-Level)

The system uses a hierarchical N-level model for default permissions based on the manager-employee reporting structure:

| Level | Description | Visibility |
| --- | --- | --- |
| N-1 | Direct reports | Default scope for most permissions |
| N-2 | Direct reports + their direct reports | Extended visibility |
| N-3 | Three levels of hierarchy | Further extended |

Example Hierarchy

CEO (N)
├── VP of Sales (N-1 of CEO)
│   ├── Sales Manager A (N-2 of CEO, N-1 of VP)
│   │   ├── Sales Rep 1 (N-3 of CEO, N-2 of VP, N-1 of Manager)
│   │   └── Sales Rep 2
│   └── Sales Manager B
└── VP of Engineering (N-1 of CEO)
    └── Tech Lead (N-2 of CEO)
        ├── Developer 1 (N-3 of CEO)
        └── Developer 2

How N-1 Works in Practice

When a manager has a permission with N-1 scope (the default):

  • They can only see/act on their direct reports
  • They cannot see other teams or departments
  • This enforces need-to-know access control

Manager: Sarah (Engineering Manager)
├── Direct Reports: 5 engineers
├── Can see: Only her 5 engineers
└── Cannot see: Marketing team, Sales team, other engineering teams

2. Permission Extension via Scopes

Permission Scopes allow extending visibility beyond the default N-1 scope when business needs require it.

Without Scope (Default N-1)

┌─────────────────────────────────────┐
│ HR Business Partner sees:           │
│ ├── Direct Report 1                 │
│ ├── Direct Report 2                 │
│ └── Direct Report 3                 │
│                                     │
│ Cannot see: Engineering (50 people) │
│ But HR BP supports Engineering!     │
└─────────────────────────────────────┘

With "Engineering Department" Scope

┌─────────────────────────────────────┐
│ HR Business Partner sees:           │
│ ├── Direct Report 1                 │
│ ├── Direct Report 2                 │
│ ├── Direct Report 3                 │
│ └── All 50 Engineering employees    │
│                                     │
│ Extended visibility granted via     │
│ Permission Scope                    │
└─────────────────────────────────────┘

Scope Assignment

Permission: "Read user information"
├── No scope assigned → See only N-1 (direct reports)
├── Scope: "Engineering Dept" → See all engineering team members
└── Scope: "Paris Office" → See all Paris employees
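
The default N-level visibility and the additive effect of a scope can be expressed as one authorization check. This is an added example, not the product's own code: the `grant` object shape (`activated`, `depth`, `scopes`), the function names and the scope group contents are assumptions, and the org chart is constructed from the example hierarchy above.

```javascript
// Constructed org chart from the example hierarchy: employee -> manager.
const MANAGER_OF = {
  "VP of Sales": "CEO", "VP of Engineering": "CEO",
  "Sales Manager A": "VP of Sales", "Sales Manager B": "VP of Sales",
  "Sales Rep 1": "Sales Manager A", "Sales Rep 2": "Sales Manager A",
  "Tech Lead": "VP of Engineering",
  "Developer 1": "Tech Lead", "Developer 2": "Tech Lead",
};
// Hypothetical scope group: scope name -> members.
const SCOPE_GROUPS = {
  "Engineering Dept": ["VP of Engineering", "Tech Lead", "Developer 1", "Developer 2"],
};

// Everyone at most `depth` reporting levels below `manager` (depth 1 = N-1).
function reportsWithin(manager, depth) {
  const found = new Set();
  let frontier = new Set([manager]);
  for (let level = 0; level < depth && frontier.size > 0; level++) {
    const next = new Set();
    for (const [employee, boss] of Object.entries(MANAGER_OF)) {
      // Skip visited people so a cyclic org chart cannot loop or self-grant.
      if (frontier.has(boss) && employee !== manager && !found.has(employee)) {
        found.add(employee);
        next.add(employee);
      }
    }
    frontier = next;
  }
  return found;
}

// Population one permission exposes to `actor`: hierarchy default plus scopes.
function visibleTo(actor, grant) {
  if (!grant || grant.activated !== true) return new Set(); // deactivated = denied
  const visible = reportsWithin(actor, grant.depth ?? 1);
  for (const scope of grant.scopes ?? []) {
    if (!Object.prototype.hasOwnProperty.call(SCOPE_GROUPS, scope)) {
      throw new Error(`unknown scope: ${scope}`); // fail closed on dangling scopes
    }
    SCOPE_GROUPS[scope].forEach((member) => visible.add(member));
  }
  return visible;
}

const canRead = (actor, target, grant) => visibleTo(actor, grant).has(target);
```

Because a scope only ever adds people to the visible set, each scope assignment is worth reviewing as a widening of access beyond the need-to-know default.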

3. Dynamic Rules for Automatic Membership

User Groups can use dynamic rules to automatically add or remove members based on user profile attributes.

Available Profile Fields for Rules

| Field | Type | Example Values |
| --- | --- | --- |
| Gender | Selection | Male, Female, Other |
| Name | Text | Any text pattern |
| Job Title | Text | Manager, VP, Director, Engineer |
| Department | Text | Engineering, HR, Finance |
| Status | Selection | Active, Inactive |
| Location | Text/Selection | Paris, France; New York, USA |
| Manager | Reference | Manager name or ID |

Supported Operators

| Operator | Description | Example |
| --- | --- | --- |
| = | Equals (exact match) | Status = Active |
| != | Not equals | Department != Executive |
| LIKE | Contains (partial match) | Job LIKE Manager |
| >, >= | Greater than | Start Date > 2024-01-01 |
| <, <= | Less than | Start Date < 2023-01-01 |
| IN | Value in list | Location IN (Paris, London) |
| NOT IN | Value not in list | Department NOT IN (Executive) |

Rule Structure

Rules are organized in sections with logical operators:

Section 1 (AND between conditions):
├── Location = "Paris, France"
└── Status = "Active"

Section 2 (OR between conditions):
├── Job LIKE "Manager"
├── Job LIKE "VP"
└── Job LIKE "Director"

Combined: (Section 1) OR (Section 2)
Result: Paris active employees OR any manager/VP/director

Automatic Membership Updates

When a user's profile changes, dynamic group membership updates automatically:

| Event | Trigger | Result |
| --- | --- | --- |
| Entry | User attributes START matching rules | User ADDED to group |
| Exit | User attributes STOP matching rules | User REMOVED from group |

Example:

Group: "Paris Office - Active Employees"
Rule: Location = "Paris, France" AND Status = "Active"

Employee transfers from Paris to London:
1. Profile updated: Location = "London, UK"
2. Dynamic rule no longer matches
3. Employee automatically removed from Paris group
4. Roles associated with Paris group are revoked
5. (If dynamic "London Office" group exists, employee is added there)
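
The rule structure and the entry/exit behaviour described above can be modelled as a small evaluator. This is an added example, not the product's own code: the rule object shape, the function names, the role names and the fail-closed handling of missing attributes and empty sections are assumptions, and the sample groups are constructed from the Paris/London example.

```javascript
// Operators from the table above. LIKE as a case-insensitive "contains" and
// string comparison of ISO dates for >, >=, <, <= are assumptions.
const OPS = {
  "=": (a, b) => a === b,
  "!=": (a, b) => a !== b,
  LIKE: (a, b) => String(a).toLowerCase().includes(String(b).toLowerCase()),
  ">": (a, b) => a > b, ">=": (a, b) => a >= b,
  "<": (a, b) => a < b, "<=": (a, b) => a <= b,
  IN: (a, list) => list.includes(a),
  "NOT IN": (a, list) => !list.includes(a),
};
function matchesCondition(user, { field, op, value }) {
  if (!Object.prototype.hasOwnProperty.call(OPS, op)) throw new Error(`unsupported operator: ${op}`);
  const actual = user[field];
  // Fail closed: a missing attribute never matches, even for != and NOT IN.
  if (actual === undefined || actual === null) return false;
  return OPS[op](actual, value);
}
// A section without conditions matches nobody (an empty AND would match everyone).
function matchesSection(user, { join, conditions }) {
  if (conditions.length === 0) return false;
  const test = (condition) => matchesCondition(user, condition);
  return join === "AND" ? conditions.every(test) : conditions.some(test);
}
// Sections are OR-ed together, as in the "Combined" line of the rule structure.
const matchesRule = (user, sections) => sections.some((s) => matchesSection(user, s));

// Re-evaluate one user after a profile change and report the event that fired.
function syncMembership(group, user) {
  const was = group.members.has(user.id);
  const now = matchesRule(user, group.sections);
  if (now && !was) { group.members.add(user.id); return "ENTRY"; }
  if (!now && was) { group.members.delete(user.id); return "EXIT"; }
  return "NONE";
}
// Roles are derived from current membership, so an EXIT revokes them at once.
const effectiveRoles = (userId, groups) =>
  groups.filter((g) => g.members.has(userId)).flatMap((g) => g.roles).sort();

// Constructed sample groups; the role names are hypothetical.
const officeGroup = (location, role) => ({
  roles: [role], members: new Set(), sections: [{ join: "AND", conditions: [
    { field: "Location", op: "=", value: location },
    { field: "Status", op: "=", value: "Active" }] }],
});
const GROUPS = [
  officeGroup("Paris, France", "paris-office-role"),
  officeGroup("London, UK", "london-office-role"),
];
```

Deriving roles from live membership rather than copying them onto the user at entry is what makes the revocation in step 4 hold without a separate cleanup job.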

4. Membership Types

Users can be added to groups and scopes via different methods:

| Type | Icon | Description | Auto-Update | Best For |
| --- | --- | --- | --- | --- |
| Manual | Hand | Admin individually selects users | No | Specific individuals, project teams |
| Dynamic | Sync arrows | Rule-based automatic assignment | Yes | Department/location-based groups |
| Group | Users | Inherited from another group | Yes | Nested grouping, group composition |

Viewing Member Type

In the Population section of any group or scope detail view, each member shows their Creation Type indicator:

Population (25 members)
├── Sophie Martin (Manual) - Added Jan 15, 2024
├── Thomas Bernard (Dynamic) - Added Feb 3, 2024
├── Marie Dubois (Group) - Added Dec 1, 2023
└── 22 more...

Filter by: [All Types ▼] [Manual] [Dynamic] [Group]

5. Localization Support

All entity names support multiple languages for international organizations:

// User Group name example
name: {
  en: "Development Team",       // English (required)
  fr: "Équipe de Développement" // French (optional)
}

// Role name example
name: {
  en: "HR Manager",
  fr: "Responsable RH"
}

Supported Languages

| Code | Language |
| --- | --- |
| en | English (default, always required) |
| fr | French |
| de | German |
| es | Spanish |
| it | Italian |
| pt | Portuguese |
| nl | Dutch |
| pl | Polish |
plPolish

Language Priority Display

The system displays names in this order:

  1. User's preferred language (if translation available)
  2. English (default fallback)
  3. First available translation

6. Permission Categories

Permissions are organized into 20+ categories for easier management:

| Category | Permission Count | Examples |
| --- | --- | --- |
| Access Control | 6 | Create role, Delete roles, Add role to user |
| Campaign | 4 | Create campaign, Read campaign, Update campaign |
| Company | 2 | Read company config, Update company config |
| Field | 8 | Create custom field, Read standard field |
| Group | 17 | Create user group, Update visibility group |
| Job | 8 | Create job listings, View job offers |
| Objective | 5 | Create objective, Change objective status |
| Review | 2 | Read reviews |
| Skill | 4 | Create skill, Update skill |
| Training | 4 | Create training, Read trainings |
| User | 10 | Create user, Read user information |
| User Skill | 4 | Create user skill, Read user skills |

Permission States

Each permission can be in one of two states:

| State | Visual | Effect |
| --- | --- | --- |
| Activated | Toggle ON (blue) | Permission is granted |
| Deactivated | Toggle OFF (gray) | Permission is denied |

Category-Level Activation

  • Toggling a category activates/deactivates ALL permissions in that category
  • Individual permissions can be toggled independently within a category
  • Category header shows "Activated" if ANY permission within it is active

7. Bulk Operations

The system supports bulk operations for efficiency across all modules:

| Entity | Available Bulk Actions |
| --- | --- |
| User Groups | Export, Delete selected |
| Roles | Export, Delete selected |
| Permission Scopes | Export, Delete selected |
| Permissions (in Role) | Activate, Deactivate, Manage Scopes |
| Members (in any module) | Remove selected |

Bulk Scope Assignment Warning

When managing permission scopes in bulk:

  1. Select multiple permissions using checkboxes
  2. Click "Manage Permission Scopes" in bulk action bar
  3. Select groups to apply
  4. Warning: Assigned scopes will overwrite existing scopes for all selected permissions

8. Search, Filter, and Sort

All list views support consistent data management features:

  • Real-time filtering as you type
  • Searches across name and relevant fields
  • Case-insensitive matching

Filter Options

| Filter | Description |
| --- | --- |
| Status | Filter by active/inactive entities |
| Creation Type | Filter members by Manual/Dynamic/Group |
| More Filters | Additional advanced filtering options |

Sort Options

  • Click any column header to sort
  • Click again to reverse sort direction
  • Third click clears sorting
  • Sort icon indicates current direction (▲/▼)

Pagination

  • Default: 8 items per page
  • Navigate between pages
  • Total count displayed