Handbook

Bundle permissions cleanly and assign roles

Step-by-step guide for admins. How to use user groups in Jobilino: bundle permissions such as 'manual entry', 'approvals' and 'administration' into a group, assign a group to employees, and control who can see and do what in the system – including the distinction between teams (organisation) and project teams (booking permission).

How user groups work in Jobilino

  1. One group = one permission profile

    A user group bundles permissions: who may record time entries manually, who may approve requests, who may manage master data, and who may view reports. Instead of assigning rights to each employee individually, you assign the group – and if the rights change centrally, they take effect for all employees in that group.

    Tipp: Keep the number of groups small and descriptive. 'Administrator', 'Employee' and, where applicable, 'Team Leader' cover many cases. More groups = more maintenance effort.

  2. Exactly one group per employee

    Every employee belongs to exactly one user group. Multiple memberships do not exist – if you need an 'Employee who sometimes approves', simply create a dedicated group for that purpose.

    Tipp: Permissions are inherited additively: everything the group permits, the employee is allowed to do.

  3. Default groups are included

    When a new client is created, Jobilino automatically generates two groups: 'Administrator' (all rights, is_admin = true) and 'Employee' (standard rights for time tracking).

    Tipp: You can rename these groups and adjust their permissions, but we recommend keeping at least one 'Administrator' group always active and staffed.

  4. Permissions are grouped by topic

    In the permissions area you will find thematic groups such as 'Time Tracking', 'Profile Documents', and 'Working Time Planning'. Within each group there are individual toggles (e.g. 'can record manually', 'can add profile files').

    Tipp: Maintenance: see Administration → User Groups. The thematic grouping makes it easier to find what you need – e.g. all shift-planning rights are in the 'Working Time Planning' section.

  5. No inheritance between groups

    Groups do not inherit from one another. A 'Team Leader' group must have all the rights that a team leader requires explicitly enabled – including those that an 'Employee' already has.

    Tipp: Tip when creating a new group: use an existing group as a reference and only add the differences – this avoids any gaps.

  6. Distinction from Teams and Project Teams

    Three concepts often confused: User group = permission profile (what is someone allowed to do?). Team = organisational unit (department, line, lead, substitutions). Project team = who may book to a specific project.

    Tipp: An employee always belongs to exactly one user group, but can be a member of any number of teams and project teams. The three do not directly influence one another.

Overview of the Default Groups

  1. Administrator

    Has all rights: client management, user management, reports, contracts, leave policies, project management, shift planning, approvals, profile files of other employees, etc. In the background, the group has 'is_admin = true' set – this unlocks additional administration areas.

    Tipp: Assign this group sparingly – admin rights are far-reaching. A typical setup is 1 HR/personnel admin + 1–2 IT/org admins.

  2. Employee

    Standard rights for operational time tracking: log your own hours (live or manually), view your own profile, request your own leave, upload your own profile files. No administrative rights, no access to other people's data.

    Tipp: Most employees will be placed in this group.

  3. Custom groups (e.g. team leads)

    If you need a mixed role (e.g. the ability to approve, but not to manage master data), create a custom group – such as 'Team Lead', 'Shift Lead', 'HR' or 'Project Manager'.

    Tipp: Our recommendation: use 'Employee' as your baseline and only add the additional rights that are required.

Important permissions – in detail

  1. Time tracking: can record manually

    This permission makes the 'Create time entry' / 'New entry' button appear. Without this permission, employees can only book in real time via 'Start time' / 'Stop time'.

    Tipp: In practice: clock-in employees in production or warehouse often do NOT receive this permission so that they can only book in real time. Office employees do receive it.

  2. Time tracking: can edit / delete entries

    Controls whether an employee is permitted to subsequently edit or delete their own entries. For types with an approval process, a 'Deletion Request' button may appear instead of 'Delete'.

    Tipp: For strict payroll accounting, it is advisable to prevent the editing or deletion of past entries – corrections are then handled centrally by HR/Admin.

  3. Time tracking: can check out manually

    Who is permitted to stop another employee's live entry (e.g. a shift supervisor ending forgotten clock-in times at the end of the day).

  4. Time tracking: NFC scan

    Allows clocking in/out via NFC tag. Controls whether the NFC function is visible in the app.

  5. Time tracking: check in at any time / approvals / shift planning

    Various additional rights relating to approval processes, shift planning and special recording windows (e.g. outside of actual working hours).

    Tipp: Assign these rights selectively – they are generally reserved for team leaders and admins.

  6. Profile documents: add / remove own

    Controls whether employees may upload or delete their own profile files (contracts, certificates). Default: adding yes, deleting own files no – to keep the record audit-proof.

    Tipp: If employees should be able to delete their own documents (e.g. to replace self-uploaded sick notes), activate 'can remove own profile files'.

  7. Work schedule planning: create / view all / delete

    Three permissions related to shift planning: 'can create new schedules', 'can view all schedules', 'can delete schedules'. Employees without 'can view all' can only see their own slots.

    Tipp: Team leaders typically need all three. Employees usually need none at all.

  8. Reports and Administration

    Specific rights for reports (e.g. payroll reports), administration areas (projects, clients, statuses) and master data of other employees.

    Tipp: Most of these rights are typical for admins – check on a per-role basis whether you wish to grant them.

Create your own user group

admins

  1. Open administration

    Administration → User groups.

  2. Click Add

    Click on 'Add'. The form with the name and permission matrix will open.

  3. Assign meaningful names

    Choose a name that clearly describes the role (e.g. 'Team Lead Production', 'HR Admin', 'Project Manager'). Required field.

    Tipp: Avoid technical names such as 'Group 3'. Future admins must be able to recognise the purpose at a glance.

  4. Activate permissions

    Work through the thematic sections and enable what the role requires. Within a section (e.g. 'Time Tracking') you will see all toggles and their descriptions.

    Tipp: Recommendation: use 'Employee' as your starting point and only add the differences for the new role.

  5. Save

    Click 'Save'. The group appears immediately in the list and in the employee creation form for selection.

    Tipp: Before the first bulk assignment: Test the new group on a single test employee to ensure that all relevant functions appear as desired.

Edit existing group

admins

  1. Assess impact

    A change takes effect immediately for all employees in this group. An added permission expands their access; a removed permission restricts it.

    Tipp: For critical changes (e.g. removing 'can record manually'), please inform those affected beforehand – otherwise they will wonder why a button has disappeared.

  2. Open group

    Administration → User groups → Click on the group.

  3. Adjust values and save

    Toggle permissions on/off, change the name if required, and click 'Save'. The change takes effect immediately.

    Tipp: Employees who are currently logged in will see the new permissions after the next page change or at the latest upon logging in again.

Assign or change an employee's group

admins

  1. When creating

    When inviting a new employee, select the user group in the form (required field). See the manual chapter 'Inviting and managing employees'.

  2. Switching during ongoing operations

    Administration → Users → Open employee → Master data → Change user group → Save. From this moment on, the rights of the new group apply.

    Tipp: Practical example: Promoting an 'Employee' to 'Team Leader' = group change. The old rights are automatically replaced.

  3. Bulk change

    By default, you change employees individually. For larger restructurings (e.g. new role 'Shift Supervisor' for 8 people), please contact Support – an import option may be available depending on the client configuration.

Deactivate or delete group

admins

  1. Move all employees before deleting

    You cannot delete a user group as long as employees are assigned to it. Please assign those affected to a different group first.

    Tipp: You can view a list of 'active employees per group' directly in the user groups overview.

  2. Delete group

    Click 'Delete' in the edit view. Jobilino will first check the employee assignment – if no employees remain in the group, deletion is possible.

    Tipp: Tip: Instead of deleting, you can simply rename an unused group ('zzz_archive_old') and leave it empty. This way it is retained for historical purposes without causing any disruption.

  3. Administrator­gruppe nie ohne Mitglied lassen

    Achten Sie darauf, dass mindestens ein Administrator immer aktiv und der 'Administrator'-Gruppe zugeordnet ist – sonst kann niemand mehr verwalten.

    Tipp: Wir empfehlen mindestens zwei Administrator-Konten, um Krankheits-/Urlaubs­vertretung abzusichern.

Frequently asked questions

What is the difference between a user group, a team and a project team?
User group = permission profile (what is someone allowed to do?), exactly one per employee. Team = organisational unit (department, line, shift) with a lead and primary membership, any number per employee. Project team = who is allowed to book to a specific project, any number per employee. The three are independent of one another and complement each other.

How many user groups should I create?
As few as possible. 'Administrator' and 'Employee' already cover most clients. An additional 'Team Leader' group is common when you delegate approvals. More than 5–7 groups quickly become confusing in practice – each individual group must be maintained whenever permissions change.

Can I set a permission individually per employee?
No. Permissions are granted exclusively through the group. If you need a special combination for a single employee, create a dedicated group (e.g. 'HR-Special'). The advantage: such special roles are visible and traceable within the system.

What happens to an employee's data when I change their group?
Master data, contracts, time entries and leave bookings remain unchanged. Only the permissions change from the moment of the switch. The history of group assignments is recorded in the audit trail.

What does 'is_admin = true' mean in the background of a group?
The supplied 'Administrator' group additionally has the technical flag 'is_admin'. This flag unlocks certain administration areas that operate independently of individual permission switches. Custom groups generally cannot set this flag – if you need full admin access, assign the employee to the supplied 'Administrator' group (or a group you have derived from it).

What happens if I remove a permission in the middle of the day?
The change takes effect immediately. Employees who are currently in the app will see the change upon the next page transition, or at the latest on their next login. For security-critical changes (e.g. loss of administrative rights), affected sessions should be actively reopened by the employee.

Can a user group be set to 'read only'?
Yes – disable all 'Edit'/'Create'/'Delete' permissions and leave only viewing rights active. Example: a 'Reports Read' group for controllers who can only view evaluations but cannot make any changes.

How do I control whether someone can see other employees' profile records?
Via the corresponding permissions in the 'Profile Documents' and 'Administration' sections. By default, employees can only see their own record; admins can see all records. For HR roles, you can create a dedicated group with 'can view / add / remove other users' profile files'.

Can an employee exist without a user group?
No. When creating an employee, the group is a mandatory field. Any subsequent change also requires a valid group – you cannot leave the field empty.

What is the difference between 'Administrator' and the 'Lead' of a team?
'Administrator' is a user group with extensive system-wide rights. A 'Lead' is the organisational responsibility within a specific team (see the manual chapter 'Teams'). Both concepts can overlap, but do not have to: a Lead does not need to be an Administrator, and an Administrator does not need to be the Lead of any team.

How do I see who is currently in which group?
Administration → User Groups displays an overview showing the number of active employees per group. Clicking on a group opens the detail view and – depending on the client configuration – also a member list. Alternatively, filter by user group in Administration → Users.

What happens to permissions when an employee is set to inactive?
Inactive employees cannot log in – the permissions of their group are therefore effectively suspended. Once the employee is set to active again, the permissions of their current group automatically apply once more (which you may have changed in the meantime).

Still have questions? We are happy to help.

Try Jobilino for free or book a personal demo.

Try for free Book a demo

You might also be interested in

Developed & supported in Austria

GDPR-compliant data protection

Fast, personal support

Newsletter: practical know-how on time tracking

Legal updates, industry tips and product news – concise, a few times a year. Unsubscribe anytime.