User Roles

User roles control which features users can access in Dayforce, and they play an important part in the security of Dayforce. User roles are assigned to user names. Security Configuration describes the differences between user roles and user names.

You can configure as many user roles as your organization requires in System Admin > Roles. The more granular the access requirements, the more user roles you'll need to configure.

For example, if your organization needed to provide access to a different set of features for corporate management, location managers, assistant managers, and employees, you'd configure four user roles, one for each of those groups.

Note that the term ESS (employee self-service) is used throughout Dayforce documentation. Configurations can be different, depending on the needs of your organization, but ESS generally refers to features that individual employees can access directly. These can include individual earning statements, annual tax forms, timesheets, and various forms they can use to update tax or other records.

When you’re creating user roles, you can arrange them in a hierarchy of parent and child roles. Users with the highest level of access can assign features to other roles, and child roles can only use features to which they have been assigned access. Users can only assign features to other user roles at or below their own role's level in the hierarchy.

See Configure User Roles.

User Role Properties

You can configure several different properties for each user role.

*User role properties*
Name	Description
Name	The name for the user role.
Description	The description of the user role.
Parent Role	The role under which the new role will be nested in the hierarchy.
Password Policy	The password policy that will govern the role. Required. This setting is automatically populated with the default password policy, which is configured in System Admin > Password Policy. See Password Policies.
ESS Role	Allows users with the role to access Dayforce through Employee Self-Service. With this checkbox selected, new users assigned this role don’t need to be assigned additional security settings that are needed for other roles that manage organizational units. This means that when this role is selected while onboarding a new employee, Dayforce disables the Location Visibility drop-down list in the New Hire form.
Termination Role	Allows users with the role to have limited access to required features of Dayforce after their employment has been terminated. You can only configure one termination role. If you select the Termination Role checkbox when a termination role already exists, Dayforce displays a prompt confirming if you want to change the current termination role. You must configure the termination role with the appropriate limited role features and access authorizations. For example, if employees need to access their historical earnings statements and year-end tax forms after their employment has been terminated, only these features and authorizations should be assigned to the termination role. The termination role functionality relies on the User Account Employee Status Job to assign the role to terminated employees. See User Account Employee Status Job.
Reference Code	The cross-reference code for the role. Cross-reference codes are used to import and export data from Dayforce to other applications. See Cross-Reference Codes.
Onboarding Role	Identifies the role as an onboarding role. Onboarding roles allow new employees to access Dayforce before their first day. This functionality is especially useful in the Onboarding module, so that new hires can access these features before they officially start work. For more information, see the Onboarding Guide.
Allow Native Authentication for SSO Users	Allows users with this role to log in using the native login screen even if they have a single sign-on (SSO) login account. This setting allows you to override the Disable Native Authentication for SSO users client property for specific user roles. For more information about the client property, see General. Note: You can also allow native authentication for SSO users at the individual user level using the Allow Native Authentication for SSO Users checkbox in System Admin > User. See Edit User Accounts. If your organization uses SSO, this setting can be used in the following scenarios: If new hires use the First Time Access process for onboarding before their first day of work, you would select this checkbox for onboarding roles so that new hires can log in to Dayforce using their Dayforce-specific credentials. On the new hire’s first day, when their user role changes from an onboarding role to an employee role, they will be prompted to use SSO to log in, as long as their employee role doesn't have this option selected. If your organization needs to provide employees with Terminated status with access to limited features, you would select this checkbox for the termination role so that users can continue to access Dayforce using their Dayforce-specific credentials after their SSO account is removed. If your organization has the OData reporting feature enabled, users with access to OData must have this option enabled to retrieve data from Dayforce. OData doesn't support SSO users.
Exclude Employees with this Role from Delegation	Designates the user role as ineligible for delegation. With this option selected, users with this role aren't displayed when configuring delegation.
Anonymize TAFW for employees with this role	Select this checkbox and time away requests with the Is TAFW and Is Anonymized checkboxes selected for the code in Pay Setup > Pay Code appear as anonymous for this role in Multi-Week Calendar and Schedules.