To prevent the system administrator from accessing the HR module, we propose to create a default system administrator role that doesn't have access to the HR module.
Comments
The reason why we need an additional System administrator role is because one cannot duplicate the System administrator today and restrict access. The system administrator is an empty role: No duties/privileges/tables – but it got access to everything. We have tried to make a custom system administrator role with almost all standard roles available and tried to restrict access to HR, but this role cannot give other users the System administrator role if there are any access issues with the custom system administrator. Only System administrator can give System administrator role to users. More customers are today letting us know that the System administrator should follow GDPR requirements (no access to HR and other sensitive modules). Could also restrict access to other alternative sensitive tables/modules as: - Module: Payroll. - System administration > Inquires > Deleted attachments. (HR documents can be deleted and seen). - Sensitive information other places?
Category: System administration