Permission sets are available only for Enterprise plans.
Access levels can be further customized using permission sets. Super admins first need to create permission sets to define specific combinations of permissions, and then assign them to members to extend access without changing their primary Recruiting or HR access level.
To do this, Super admins must follow a two-step process: first, create permission sets, then assign them to members.
Creating permission sets
To create a permission set:
- Navigate to Settings > Roles and permissions.
- Select Add a new set in the 'Additional permission sets' section.
- The creation flow displays all available permissions grouped by category: Company, Recruiting, and HR, making it easy to review and select the right combination. Make sure you check our permissions glossary, which covers each permission and its meaning.
Permissions dependencies
Dependencies between permissions are handled automatically. Selecting a child permission enables its required parent permissions, while removing a parent deselects all dependent ones. Tooltips highlight these relationships for clarity.
Dependencies exist only where they’re essential for the flow to function. For example, 'View onboarding' data is a parent of 'Manage onboarding' because users can’t initiate onboarding without access to the onboarding dashboard. In other cases, permissions remain independent to give admins flexibility, meaning the system doesn’t enforce links unless they’re strictly necessary.
After creating a permission set, it appears in the Additional permission sets section. From this page, you can preview, edit, or delete a set.
Extra configuration step for profile field view/edit access
The "View/edit specific profile fields" permission requires an additional configuration step in the profile template settings to take effect.
After creating and saving a permission set with this permission, e.g., IT Admin, the permission set will appear in the profile template settings, from which you need to configure view and/or edit access to profile fields for the IT Admin permission set.
A user with this permission:
- When viewing the Information tab of an employee, will view the fields defined in the profile template as accessible to Other employees and any other permission sets (view access).
- When editing an employee's profile, they can edit the fields defined in the profile template that are accessible to the permission sets (edit access). The Edit profile option will be visible in the employee profile when at least one edit configuration is present in the profile template.
If there are multiple sets with this permission and each permission has a different configuration within the profile template, the user will access the combined set of these configurations.
The visibility and editability of fields selected under this permission will apply to all profiles the user can access (active profiles and, if the user has additional permissions, also draft and inactive/custom).
Managing permission sets
Under the Additional permission sets section, Super Admins can find the following options:
- Filter permissions sets based on Company, Recruiting, or HR permissions.
- Sort by: Default (A-Z) or by Last updated
- Preview
- Edit
- Delete
Previewing a set allows you to review the permissions it includes.
When a permission set is edited, any changes made are automatically applied to all members currently assigned to it.
If a permission set is deleted, it is removed from all assigned members, and they immediately lose the additional access it provided.
Assigning permission sets to members
To assign a permission set to a member:
- Access the Account members page.
- Select one or more permission sets from the dropdown list under the third wizard step (Additional permission set) while inviting a new user or when editing the membership of an existing active user.
When assigning a permission set to a member, compatibility rules apply between the selected access levels (Recruiting, HRIS, or both) and the Additional permission sets that can be assigned. The system automatically enforces these rules to ensure only permission sets relevant to the member’s access levels can be selected. The logic is as follows:
- If a permission set includes Recruiting permissions, the member must have a Recruiting access level assigned.
- If a permission set includes HRIS permissions, the member must have an HRIS access level assigned.
- If a permission set includes Company permissions, it can be assigned alongside any access level (Recruiting or HRIS).
Permission sets that require access the member does not have remain visible but are disabled, with clear tooltips indicating which access level is needed to enable them.
Common role & permission use cases
| Role | IT Admin | Payroll Management | HR Analyst | Advanced Recruiter | Marketing |
| Access level | Recruiting Restricted with no jobs assigned | HR Standard or Restricted | HR Standard | ATS Standard | Recruiting Standard |
| Primary scope | Account-wide configuration, integrations, user access, system reliability | Employee data, payroll, time-off & compensation | Help HR admins with specific HR related tasks | Recruiting Standard with access to setup recruiting processes | Employer branding, job posting, and career site management |
| Company permissions |
-Invite /manage account members -Manage roles & permissions - Manage billing/invoices - Manage subscription plan - Manage System, Recruiting & HRIS integrations - Manage API tokens - Manage company profile -Create /manage departments |
None | None | None | None |
| Recruiting permissions | None | None | None |
- Create and manage automated actions - Create and manage templates - Manage candidate surveys - View all Recruiting reports (for all jobs, candidates & requisitions) - Manage all requisitions |
- Manage Careers page - Create and manage templates (for job ads, email templates) - View recruiting reports (assigned jobs only) |
| HR permissions | None (Note: If full HRIS integration access for ADP and Xero, then members will also require some the HRIS permissions Manage profile templates and Manage time-off policies, types, and holiday calendars permissions.) |
- View /Create payroll reports Instead, the following can be used: - View HR reports (standard access) - View/edit specific profiles fields (and then choose view access to fields like salary, commission, bonus, shares, etc). - View/Export attendance & time-off reports - Manage company folders/files (for payroll exports) - View time-off balances and requests - View inactive/custom employee profile |
- Manage employee profiles -View/edit specific profiles fields (and then choose view/edit access to fields the member may need access) - Manage onboarding workflows - Manage employee time tracking policies - Manage employee time-off policies |
None | None |
| Hiring team role | None | None | None | Recruiter | Hiring Contributor / Candidate reviewer |
| Rationale / notes | Manages integrations (SSO, HRIS, API), user provisioning, and troubleshooting. Should not have day-to-day recruiting/HR visibility beyond setup. | Focus on post-hire data. Exclude access to candidates or offers to maintain compliance separation. | Handles job ad visibility, branding, and content without touching candidate or HR data. Keeps focus on careers page & external presence. |
FAQs
- What happens to my permission sets if I downgrade my plan?
When an account downgrades from a plan that includes Additional permission sets to one that does not, existing configurations are preserved, but the feature becomes read-only.
Admins can still view and manage their existing permission sets (including previewing, deleting, or removing them from members), but can no longer create new sets, edit existing ones, or assign sets to members who don’t already have them.
All existing assignments remain active to prevent access loss, ensuring data consistency and a smooth downgrade experience. Clear messaging is displayed across relevant pages to indicate that permission sets are available only on higher-tier plans.