Users & Roles
User Roles & Permissions
Evenpay uses role-based access control to determine what each user can see and do. Every user has exactly one role per organization, and every role comes with a defined set of capabilities and a data scope — whether the user sees the whole organization, only their team, or only their own data. Manage users and their roles via Settings → Users & Roles.
Roles at a Glance
Role | Best for | Data scope |
|---|---|---|
Owner | The organization's primary account holder (primary contact person) | Entire organization |
Administrator | IT admins and system administrators | Entire organization |
HR Administrator | HR and Compensation & Benefits teams doing daily work | Entire organization |
Manager | Team leads who review and approve their team's pay | Own org units and direct reports |
Employee Representative | Worker representatives participating in a Joint Pay Assessment | Own data + JPA participation |
Employee | Everyone else | Own data only |
The Owner and Administrator roles are nearly identical — the difference is that only the Owner can transfer organization ownership, and the Owner role cannot be removed by anyone else.
What Each Role Can Do
Area | Owner | Admin | HR Admin | Manager | Emp. Rep. | Employee |
|---|---|---|---|---|---|---|
Employee profiles | Edit all | Edit all | Edit all | View team, edit direct reports | Own only | Own only |
Compensation data | Edit all | Edit all | Edit all | View team | Own only | Own only |
Job architecture (positions, levels, salary bands) | Manage | Manage | Manage | View (own units) | — | — |
Analytics & pay equity | Full | Full | Full | — | — | — |
Merit cycles / comp reviews | Full | Full | Full | Propose for team, approve direct reports | — | — |
Salary review approvals | Yes | Yes | Yes | Own units only | — | — |
Pay information requests | Manage | Manage | Manage | — | — | — |
Joint Pay Assessment (JPA) | Manage | Manage | Manage | — | View & participate | — |
Performance reviews | Manage | Manage | Manage | View team, manage direct reports | Own only | Own only |
Users & roles | Manage | Manage | Manage | — | — | — |
Organization settings & integrations | Manage | Manage | Manage | — | — | — |
Audit logs | View & export | View & export | View & export | — | — | — |
Evenpay Copilot | Yes | Yes | Yes | — | — | — |
Data deletion | Yes | Yes | — | — | — | — |
Transfer ownership | Yes | — | — | — | — | — |
How Manager Scoping Works
Managers never see the whole organization. Their access is resolved at query time from two sources:
Scope | What it covers |
|---|---|
Assigned org units | Org units where the user is set as the unit manager, including all child units beneath them |
Direct reports | Employees whose manager field points to this user, plus reports inherited through the reporting line |
A manager's view is the combination of both. For example, a manager can view compensation for everyone in their org units, but can only edit profiles and approve merit proposals for their direct reports. Employees outside these scopes are never returned — the filtering happens on the server, not just hidden in the interface.
Employee Representative
The Employee Representative role exists for the Joint Pay Assessment process, where employee representatives participate alongside the employer (required under the EU Pay Transparency Directive when an unjustified gap of 5% or more is found). This role can view and participate in JPA workflows and see their own data — nothing else. It's also suitable for external audit participants who need JPA access without any employee data visibility.
Good to Know
One role per user per organization — permissions come from the role; there are no per-user permission edits. If someone needs broader access, change their role.
Audit trail — role changes, invitations, and impersonation sessions are written to the audit log, visible to admins under System → Audit Log.
Inviting users — Owners, Administrators, and HR Administrators can invite new users and assign their role at invitation. Roles can be changed later from Settings → Users & Roles.
Updated on: 12/06/2026
Thank you!
