icon in Editing a Worksite Manager User
Configure users who are managers at a client with the Worksite Manager form. Worksite Manager Users need to be linked to an existing PrismHR employee ID. This allows for one manager user to have access to both employee and manager functions inside employee portal.
To set up a worksite manager user:
| 1. | Enter or select the User ID. The Users form displays the information for the Worksite Manager. |
| 2. | Select Worksite Manager from the User Type drop-down menu. |
| 3. | Update the user's First Name, Middle Name, Last Name, Mobile Phone, Notifications Email, Registration Email, or Security Email, if required. |
Note: If a user updates their primary email address through Employee Portal (EP) or through the Employee Details Address tab, the system displays that address in the Email Address field.
| 4. | Enter the Employee ID to link the user account to the appropriate employee record. |
| 5. | You can include a photo of the user. Mouse over the image and then select Upload to add an image, or select Delete to remove an existing image. |
| 6. | Click Save. |
Configuring Data Security
Manage data and client security for the user account by opening the Actions menu and selecting Data Security. The Data Security window opens.
To add companies that the user can access:
| 1. | Click Add Company and select a client. Typically, this is the client that employs the user. Access is set to Pending. |
| 2. | Click Save to return to the Users form to select the employee ID. |
| • | If you select an employee that is employed by the client, the Access changes to Granted. |
| • | If the employee is not employed by the client, the status remains Pending. |
Note: For clients already assigned to the user, the access you can set depends on whether the user is employed by that client. If this is the case, you can set the access to Granted or a thru date, otherwise you can set only a thru date.
To change from Granted or Pending to a thru date:
| 1. | Click the link. |
| 2. | Enter the Optional Override Access Thru date. |
| 3. | Click Submit. User access to the client expires after 11:59:59 p.m. on that date (Central Time). |
To change from a thru date to Granted:
| 1. | Click the link. |
| 2. | Delete the Optional Override Access Thru date. |
| 3. | Click Submit. The access is set to Granted. |
To remove access completely, click Delete 
in the company row.
The displayed entities are specific to the selected client and are set in Client Details. Using the drop-down, you can choose to show All Defined Entities or limit the list to specific entities.
Note:
For each entity, you can set the access by clicking the row:
| • | Full Access: User can view, edit, and save data. |
| • | No Access: User cannot see any data associated with the entity. |
When you are finished, click Save. You return to the Users form where you can complete the necessary steps for editing the user.
Worksite Manager Settings
Configure these optional settings to control worksite manager password, multi-factor authentication, and activity behavior.
| Field | Description |
|---|---|
|
Active User |
Deselect to remove system access for this user without deleting their user record. |
|
Requires New Password |
Select this option to prompt the user for a new password the next time they log in. This feature works even if passwords are set to never expire on the Authentication Services form. |
|
Logging Enabled |
Do not select this option unless absolutely necessary, as it adds overhead and slows down the system. This option enables back-end logging to assist with troubleshooting. |
|
Last Changed On |
This field displays the date and time of the most recent change to the user account. |
|
sMFA Device Expiration |
This field determines the amount of time until a user is prompted to verify their login using multi-factor authentication. You can use the global MFA setting for MFA expiration, select a different time interval, or disable it entirely. PrismHR highly recommends that you do not disable MFA expiration. See the previous warning. |
|
sMFA Support |
This field determines if multi-factor authentication is supported for password recovery. |
|
Birth Date |
This field is used to enter the user's birth date for use in password recovery. |
|
ZIP Code |
This field is used to enter the user's ZIP code for use in password recovery. |
Note: Password recovery always requires message templates for Password Reset and Password Reset Confirmation. If you are also using sMFA Support, it requires a message template for MFA Passcode.
Setting User Details (PrismONE ID)
Configure these settings to control the user's registration with PrismONE ID.
| Field | Description |
|---|---|
| Registration Status | This field displays the user's PrismONE registration status. |
| Registration Email | Enter the user's email address that is used as the registration message's destination. |
| Require This Email for PrismONE ID | Select this option to require the user to use the Registration Email address for their PrismONE ID address. |
| Registration Code | This field displays the status of the PrismONE registration code sent to the user's Registration Email. |
| Send Code via Mobile Phone | Select this option to send the registration code as an SMS/Text message. |
Assigning User Roles
Maintain the user roles that apply to this user with the User Roles panel. Each role determines what forms and fields the user can access.
| • | Click + to add a new role and then click Role ID to select the User Role. |
| • | Click x to remove a role for that row. |
Note: If a user is assigned more than one user role, and one allows access to a feature while another denies it, then the system does not allow the user to access the feature. This is to ensure the security of your organization's information and that of your clients. If instead one role allows access and another role has simply removed it, the users can access it.
If a user has two roles with different field security settings, the system honors the settings for the first role assigned to the account. The administrator must take this into consideration when designing and assigning roles.
You can also select the Human Resource Roles for this user.
Human Resource Roles
Human Resource roles determine what the user can do in PrismHR. The user can only perform actions for client companies assigned in Data Security.
Note the following:
| • | The Payroll Processor can perform all payroll tasks. |
| • | If your organization separates the time sheet entry and check printing tasks, you should assign some worksite users as Time Sheet Entry types and other users as Payroll - Prints Checks and Payroll - Print Garnishment Checks. |
| Human Resource Role | Details |
|---|---|
| Employee's Manager (Leave Request Only) | User can approve employee leave requests. |
| H/R Action Approver | User can approve human resource actions for clients assigned in Data Security. |
| Payroll Approver | User can approve payroll-related actions for clients assigned in Data Security. |
| Payroll Processor |
User can process payroll information for clients assigned in Data Security. (Applies to Portal Time Sheet Entry.) |
| Time Sheet Entry (w/ Pay Rates) | User can enter time sheet data, including pay rates. (Applies to Portal Time Sheet Entry.) |
| Time Sheet Entry (w/o Pay Rates) | User can enter time sheet hours, but cannot see or enter pay rate information. (Applies to PrismHR Core and Portal Time Sheet Entry.) |
| Payroll - Prints Checks |
User can view and print regular paychecks. Note: If a user's role is only set to the Payroll - Prints Checks role, they cannot print garnishment paychecks. |
| Payroll - Print Garnishment Checks |
User can view and print garnishment paychecks. Note: If a user's role is only set to the Payroll - Print Garnishment Checks role, they cannot print regular paychecks. |
| Enrollment Proxy | User can act as an employee and execute the employee's enrollment selections. (PrismHR Benefits Enrollment only.) |
|
Onboarding Proxy |
User can read employees' full onboarding workflows. (Note: The system bypasses any field-level security when using this role.) |
| Benefits Approver | User can approve benefits-related actions for clients assigned in Data Security. (PrismHR Benefits Enrollment only.) |
| PTO Administrator | User can see all employees in the Planned Time Off Requests form, regardless of whether they are restricted by Data Security settings, not only direct reports. |
| Client Manager | User can be assigned to receive notifications in the Notification Recipients form. |
| I-9 Approver | User can approve Form I-9s for employees during the onboarding process. |
| Pay Card Account Approver | User can approve pending pay card account approvals. |
|
Manager User Setup |
Worksite managers can set up other worksite managers. |
|
Custom HR role (defined by your organization) |
If your organization has defined custom human resources roles using the Custom HR Approval Roles form, you can add them to the user. These roles are for customizing global or client-specific approval policies. |
