Get Employees Request Security Configuration

Dayforce Web Services Configuration Guide

Version R2025.1.0

The Get Employees request (and its derivatives) is controlled by the common configuration described in Standard Configuration Steps (Required). In addition, these requests use a two-layer data security mechanism. Access authorizations (the first layer) handle security based on groupings of information, and it's very likely that some data elements included in a given grouping shouldn't be included in the results of a Get Employees request. For that reason, a second layer of data security has been added.

The second layer of data security for Get Employees requests is field-level access, which controls availability at the level of individual data elements (no groupings) using a Can Read setting, similar to access authorizations.

Email Notifications

Consumers receiving Event Notifications need to use Get Employees requests to act on the received notifications. Therefore, consumers using the following requests must be configured as noted in this section:

  • Get Employees Request
  • Get Employee XRefCodes Request
  • Get Employees By XRefCode Request
  • DF Notification Data Request (used to retrieve detailed information for a particular Notification Event)

Two-Layer Security Mechanism

The employee object (results set) returned by the Get Employees request always uses the same structure; that is, it contains the same data entities and elements. However, the two-layer security mechanism determines which data elements are populated with values when the response is returned to the consumer.

When the request is processed, access authorizations are applied in the first step and only the allowed values are included. In the second step, field-level access is applied, resulting in the population of the final employee object. All entities and fields are available to the consumer, but only those allowed by this two-layer security process will have resulting values.

Configure the Access Authorizations for Each Consumer’s Role

For the consumer’s role, select Read access for the access authorizations used by the required data elements.

Note: When you apply access authorization changes to a role, system caching can delay the changes by up to one minute before they become available in the web services feature. This is the same caching function that impacts reporting and other parts of the Dayforce application.

Configure Field-Level Data Access for Each Consumer’s Role

Field-level access must be configured for each role used by a consumer to control the specific data elements that are populated when that consumer requests data. This field-level data access is configured in the Web Services Field-Level Access tab of System Admin > Roles.

To access the Web Services Field-Level Access tab:

  1. Log in to Dayforce as an administrator that has access to the web services features.
  2. Go to System Admin > Roles and click the Web Services Field-Level Access tab.

The Web Services Field-Level Access tab provides a hierarchical view of the web services response types separated by the type of service (RESTful Services and SOAP Services) and the data entities and elements available within each. In order for the response object to return populated data for a given data element, the element must be selected (enabled) for the primary role of the user account being used by web services.

The DFNotificationEvent item controls access to the fields that are available in the Notification object, and it must be configured for applications using the DFNotificationsRequest to query for unacknowledged notifications. This normally applies to notification subscribers that are configured for Event Detection Only, and it usually doesn't apply to subscribers configured for notification receiver services.

The Documents item controls access to the documents attached to the employees, which are returned in the response for Get a List of Employee Documents and Get Document Details. Document retrieval is only available in the RESTful Services. Select the checkbox next to each data element that should be populated for these requests.

The Workforce Management item controls access to workforce management data such as availability, clock entries, schedules, and time away from work.

The Employee item controls access to the fields that are available in the Employee Object, which is the response for Get Employee and Get Employees By XRefCode requests. Select the checkbox next to each data element that should be populated for these requests.

Each of the subordinate employee HR data endpoints has a corresponding field-level role feature. For more information about the subordinate endpoints, see “RESTful Retrieving Employee HR Data” in the Dayforce Web Services Introduction Guide.

The EmployeeTimeAwayFromWork item controls access to the calendar of scheduled time away from work periods for the employee.

The EmployeePunch item controls access to employee worked shift timesheet data.

Note: Top parent items (such as Employee or Document) are automatically selected if any of their child items are selected. All child items can be selected or cleared by clicking the name of the parent item. In order for a child item to be included in the results, the parent item must be selected.
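The two-layer evaluation and the parent-item rule described above, modeled as an added example (not Dayforce code and not part of the original guide). The element paths, authorization group names, sample record and the use of None for an unpopulated element are all constructed assumptions; the `over_exposed` helper shows how the same model can be used to review a role against the elements an integration actually needs.

```python
# Illustrative model only, not Dayforce code. Element paths, authorization
# group names and the data layout are constructed for this example.
# Layer 1 lookup: the access-authorization grouping each element belongs to.
FIELD_GROUP = {
    "Employee.FirstName": "HR Basic",
    "Employee.HireDate": "HR Basic",
    "Employee.SocialSecurityNumber": "HR Confidential",
    "Employee.Addresses.PostalCode": "HR Contact",
}

def parents(path):
    """Ancestor items of a dotted element path, top parent first."""
    parts = path.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts))]

def decide(path, read_groups, selected):
    """Return 'populated' or the reason the element comes back empty."""
    if FIELD_GROUP[path] not in read_groups:
        return "blocked: access authorization"        # layer 1
    if any(p not in selected for p in parents(path)):
        return "blocked: parent item not selected"    # parent rule
    if path not in selected:
        return "blocked: field-level access"          # layer 2
    return "populated"

def build_response(record, read_groups, selected):
    """Same structure for every consumer; only allowed elements carry values."""
    return {p: (v if decide(p, read_groups, selected) == "populated" else None)
            for p, v in record.items()}

def over_exposed(read_groups, selected, needed):
    """Elements a role would receive that the integration does not need."""
    return sorted(p for p in FIELD_GROUP if p not in needed
                  and decide(p, read_groups, selected) == "populated")

# Constructed sample record and role configuration.
RECORD = {
    "Employee.FirstName": "Ana",
    "Employee.HireDate": "2020-03-01",
    "Employee.SocialSecurityNumber": "000-00-0000",
    "Employee.Addresses.PostalCode": "00000",
}
ROLE_READ_GROUPS = {"HR Basic", "HR Contact"}
ROLE_SELECTED = {"Employee", "Employee.FirstName", "Employee.HireDate",
                 "Employee.SocialSecurityNumber", "Employee.Addresses.PostalCode"}

if __name__ == "__main__":
    for path in RECORD:
        print(path, "->", decide(path, ROLE_READ_GROUPS, ROLE_SELECTED))
```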

The GetEmployeeXRefCodesResponse item controls access to the fields that are available in the GetEmployeeXRefCodesResponse Object, which is specific to the Get Employee XRefCodes requests. If this request type will be used by the consumer, select the checkbox next to the GetEmployeeXRefCodesResponse item to ensure all of the values in the response are populated.

Access to the Employee response object for RESTful requests is separate from the access to the SOAP Employee response object for the following reasons:

  • For security considerations, Dayforce cannot assume that a client means to allow access to the information from two different styles of requests.
  • The response objects aren't identical.