Articles on: Settings, Security, and Data

Users & Roles

User Roles & Permissions


Evenpay uses role-based access control to determine what each user can see and do. Every user has exactly one role per organization, and every role comes with a defined set of capabilities and a data scope — whether the user sees the whole organization, only their team, or only their own data. Manage users and their roles via Settings → Users & Roles.


Roles at a Glance


Role

Best for

Data scope

Owner

The organization's primary account holder (primary contact person)

Entire organization

Administrator

IT admins and system administrators

Entire organization

HR Administrator

HR and Compensation & Benefits teams doing daily work

Entire organization

Manager

Team leads who review and approve their team's pay

Own org units and direct reports

Employee Representative

Worker representatives participating in a Joint Pay Assessment

Own data + JPA participation

Employee

Everyone else

Own data only


The Owner and Administrator roles are nearly identical — the difference is that only the Owner can transfer organization ownership, and the Owner role cannot be removed by anyone else.


What Each Role Can Do


Area

Owner

Admin

HR Admin

Manager

Emp. Rep.

Employee

Employee profiles

Edit all

Edit all

Edit all

View team, edit direct reports

Own only

Own only

Compensation data

Edit all

Edit all

Edit all

View team

Own only

Own only

Job architecture (positions, levels, salary bands)

Manage

Manage

Manage

View (own units)

Analytics & pay equity

Full

Full

Full

Merit cycles / comp reviews

Full

Full

Full

Propose for team, approve direct reports

Salary review approvals

Yes

Yes

Yes

Own units only

Pay information requests

Manage

Manage

Manage

Joint Pay Assessment (JPA)

Manage

Manage

Manage

View & participate

Performance reviews

Manage

Manage

Manage

View team, manage direct reports

Own only

Own only

Users & roles

Manage

Manage

Manage

Organization settings & integrations

Manage

Manage

Manage

Audit logs

View & export

View & export

View & export

Evenpay Copilot

Yes

Yes

Yes

Data deletion

Yes

Yes

Transfer ownership

Yes


How Manager Scoping Works


Managers never see the whole organization. Their access is resolved at query time from two sources:


Scope

What it covers

Assigned org units

Org units where the user is set as the unit manager, including all child units beneath them

Direct reports

Employees whose manager field points to this user, plus reports inherited through the reporting line


A manager's view is the combination of both. For example, a manager can view compensation for everyone in their org units, but can only edit profiles and approve merit proposals for their direct reports. Employees outside these scopes are never returned — the filtering happens on the server, not just hidden in the interface.


Employee Representative


The Employee Representative role exists for the Joint Pay Assessment process, where employee representatives participate alongside the employer (required under the EU Pay Transparency Directive when an unjustified gap of 5% or more is found). This role can view and participate in JPA workflows and see their own data — nothing else. It's also suitable for external audit participants who need JPA access without any employee data visibility.



Good to Know


One role per user per organization — permissions come from the role; there are no per-user permission edits. If someone needs broader access, change their role.


Audit trail — role changes, invitations, and impersonation sessions are written to the audit log, visible to admins under System → Audit Log.


Inviting users — Owners, Administrators, and HR Administrators can invite new users and assign their role at invitation. Roles can be changed later from Settings → Users & Roles.

Updated on: 12/06/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!