Ad Hoc Reporting Data Security

The ad hoc reporting features are designed so that users can't access sensitive data if they don’t have the required permissions. Dayforce applies the following levels of security to the data in ad hoc reports: role-level security, which controls access to data in fields based on your user role, and row-level security, which is specific to each user and controls access to data about employees in the organization. The following sections contain more information about the types of security.

Role-Level Security

At the user-role level, access to report data is controlled by the following:

Reporting doesn’t follow the role feature access restrictions that limit which feature screens users can see in Dayforce. Users with access to Reporting might be able to see data in fields from Dayforce features they don’t otherwise have access to, unless the fields have access authorizations or People role security applied.

Access authorizations control which data users can see in Dayforce, based on their user role. When a user runs or previews a report, Dayforce masks (****) data in the fields that the user doesn’t have Can Read access authorizations for. With access authorization restrictions, data is masked for the whole column if the user doesn’t have access.

People role security restricts which data users can see about other users based on their user roles. For example, users with the Manager role might be able to see contact phone numbers and emergency contacts for other users with the Manager role, but not performance or pay information. With people role security, field values for individual employees are blank when the user doesn’t have access.

Important: To apply People role security to report output, you must enable the Enable People Role Security in Reports client property in System Admin > Client Properties.

Access authorizations and People role security are already configured in the fields that are available in Reporting. For custom fields, you need to specify which settings you want to apply. You can see which access authorizations and People role security settings are applied to a field in the report designer by clicking the column header to view the field details:

You can also find this information in the Reporting Reference Guide, in the Reporting Data Dictionary tab.

Row-Level Security

Row-level security determines which records, or rows, are included in the output when a user generates a report. The report only shows records that the user has access to elsewhere in Dayforce.

The following are the basic rules for how row-level security is applied to reports and topics:

• Payroll Security: One or more of the following payroll security types can be applied simultaneously.
• Pay Group security is applied only when one of the following entities is in the topic and the report contains fields or filters from those entities:
• Payroll Register by Date Range Custom
• Payroll Register by Pay Run Custom
• Multi-State Threshold Taxation Custom
• Import Quick Entry security is applied only when one of the following entities is in the topic:
  • Payroll Pay Entry Batch Deduction Data Stage
  • Payroll Pay Entry Batch Deduction Data Stage Audit
  • Payroll Pay Entry Batch Earning Data Stage
  • Payroll Pay Entry Batch Earning Data Stage Audit
  • Payroll Pay Entry Batch Tax Data Stage
  • Payroll Pay Entry Batch Tax Data Stage Audit
  • Payroll Pay Entry Batch Wage Attachment Data Stage
  • Payroll Pay Entry Batch Wage Attachment Data Stage Audit
• Import Payroll Election security is applied only when one of the following entities is in the topic:
• Employee Deduction Limit Stage
• Employee Deduction Limit Stage Audit
• Employee Deduction Param Stage
• Employee Deduction Param Stage Audit
• Employee Deduction Payee Parameter Stage
• Employee Deduction Payee Parameter Stage Audit
• Employee Deduction Stage
• Employee Deduction Stage Audit
• Employee Earning Limit Stage
• Employee Earning Limit Stage Audit
• Employee Earning Param Stage
• Employee Earning Param Stage Audit
• Employee Earning Payee Parameter Stage
• Employee Earning Payee Parameter Stage Audit
• Employee Earning Stage
• Employee Earning Stage Audit
• Workflow security is applied only when the Workflow Data and Employee entities are both in the topic, and the report contains fields or filters from both entities.
• Job Requisition and Candidate security is applied only when Job Requisition or Candidate entities are in the topic and the report contains fields or filters from either of the two entities.
• Performance security is applied only when any of the following entities are in the topic: Employee Review Cycle View, Performance Goals View, Employee Review Competency View, Performance Conversation Custom View, Employee Performance Rating View, Employee Review Questions View.
• Employee security is applied when EmployeeID is found as a primary key or foreign key in any entity that is in the topic, unless another security type is found first and the report contains fields or filters from the Employee entity or the entity that has Employee ID as a foreign key.
• Location security is applied when LocationID is found as a primary key or foreign key in any entity that is in the topic unless another security type is found first and report contains fields or filters from the Location entity or the entity that has Location ID as a foreign key.
• Employee Hierarchy security is applied to reports based on the HR Profile – Direct and Indirect employees included topic. It shows which employees are your direct and indirect reports to be displayed in the following standard reports: Active Employee Headcount for My Organization and Employee Listing for My Organization.
• Succession Plan security is applied to the Succession Plans - Details report template to determine which data can be viewed in the report template.

The following topics have a specific security clause applied. The security on reports based on these topics never changes, even if you add entities and fields to the reports that would normally cause a change to the security:

Topics with specific security clauses

Topic Name	Security Clause
HR Compliance	Employee
HR Profile – Direct and Indirect employees included	Employee Hierarchy
Employee Turnover	Employee
Current Flight Risk and Performance Review	Employee
Performance Review - Additional Questions	Performance
Workflow Details	Workflow
Document Management	Employee
HR Events	Employee
Payroll Multi-State Threshold Taxation	Pay Group
Pay Wage Change	Employee

Report Row Level Security Configuration

You can configure report row level security by using the Report Row Level Security Configuration drop-down list in the Security tab of the Report Properties dialog box in the Report Designer. This lets you share reports with a wider range of users without compromising the integrity of the report.

Role feature access: Reporting and Analytics > Reporting > Report Designer > Report Row Level Security Configuration

The following report security options are available from the Report Row Level Security Configuration drop-down:

• Employee security is applied when EmployeeID is found as a primary key or foreign key in any entity that is in the topic, unless another security type is found first and the report contains fields or filters from the Employee entity or the entity that has Employee ID as a foreign key.  
• Employee Hierarchy security is applied to HR reports that have Employee as the primary entity. It shows which employees are your direct and indirect reports.
• Location security is applied when LocationID is found as a primary key or foreign key in any entity that is in the topic unless another security type is found first and report contains fields or filters from the Location entity or the entity that has Location ID as a foreign key.
• Pay Group security is applied only when one of the following entities is in the topic and the report contains fields or filters from those entities:
• Payroll Register by Date Range Custom
• Payroll Register by Pay Run Custom
• Multi-Sate Threshold Taxation Custom