Permission Roles for Multi-Team and Full User Access

Our Cloud Help Center has a new home at https://help.tempo.io/cloud/

We will no longer be updating Cloud documentation in this space, so please be sure to check the new site for the latest documentation and learning content.

  • Creating multi-team and full permission roles requires the Tempo Team Administrator permission
  • Users must have Browse Projects (Jira) project permissions to access worklog data for multiple teams or their entire organization.


Tempo permission roles let you grant specific permissions to Tempo users. In cases where managers need access to multiple teams – or even to their entire organization – you can create permission roles to quickly give them
 the permission to view, manage, and/or approve all plans and timesheets, as well as manage teams. The Permission Roles page in Tempo Settings allows you to create these multi-team and/or full permission roles quickly and easily, as well as get a clear view of who has access to which teams' data. 

Within the context of these permission roles: 

  • Role users are the people who have access to the applicable groups.
  • Role access defines the teams or groups to which these people have access. Full access gives people access to the entire organization (including individuals who are not part of a team), while Restricted access limits access to specific teams.

Only users with Tempo Planner installed will see the permissions listed under Plans.

Creating permission roles for multiple teams

To grant managers access to data from users in multiple teams, you can create a separate permission role to define their access. These multi-team permission roles are helpful for managers who would like to see multiple teams' data in reports, as well as managers who need to approve timesheets and/or plans for multiple teams.



To create multi-team permission roles:

  1. Go to Tempo Settings  and select Permission Roles in the sidebar (under Data Access). This shows you all of the team permission groups in your organization.
  2. To add a new permission role, click + Add permission role in the upper-right.
  3. Enter a name for the permission role, and select the permissions this role should have.
  4. Click + Add users and select the Role users who should have these permissions. 
  5. Select which teams the role users can access by clicking Restricted and then Set Teams.
  6. When you're done, click the  to save.

When users are granted access to a team via a Permission Role on this page, this permission role will be visible on the respective team's Permissions page, but it can't be altered there. You can control access to and edit multi-team permission roles only from the Permission Roles page. 

Creating permission roles for full access

To grant a select group of managers full access to Tempo users, you can create a permission role to define their access. Full permission roles are intended in particular for your organization's upper management, such as your CEO and CFO, so that they can generate reports on Tempo data across your company.

To create full permission roles:

  1. Go to Tempo Settings  and select Permission Roles in the sidebar (under Data Access). This shows you all of the team permission groups in your organization.
  2. To add a new permission role, click + Add permission role in the upper-right.
  3. Enter a name for the permission role, and select the permissions this role should have.
  4. Click + Add users and select the Role users who should have these permissions. 
  5. Select Full, which gives the selected Role users full access to all Tempo teams and users.
  6. When you're done, click the  to save.

If you grant the Approve timesheets permission across your organization, administrators will only be able to approve timesheets for people who are members of teams. 

Managing permission roles

Since all teams' permission roles are displayed on the Permissions Roles page, it provides you with a powerful tool to manage and streamline permission roles across your organization. For example, if you see that the same permission role is shared across many teams, you can consolidate them all into a consolidated role.

Roles with the highest level of access appear first (farthest left), while roles with less access are displayed on the right. That means that global permission roles are displayed first, followed by multi-team permission roles and then single team permission roles.

Single team permission roles are displayed first by team (in alphabetical order) and then by role name (also by alphabetical order).



To manage permission roles:

  • Search by team name or permission role name using the search bar in the upper left.
  • Filter by user using the drop-down next to the search field.
  • Add or remove specific permissions for a permission role by checking or unchecking their boxes.
  • Add or remove users from a permission role by clicking on the user names in the Role users field, then adding or deleting users in the dialog box.

  • Change the type of access for a permission role by toggling between Restricted and Full.
  • Add or remove teams included in a Restricted permission role by clicking on the team names in the Role access field and adding a team or removing its access in the dialog box. 

  • Save all changes you made to a permission role by clicking its check mark .
  • Delete a permission role by clicking its red trashcan .

As noted above, when users are granted access to teams via the Permission Roles page, this permission role will be visible within the respective team's permissions page. However, it is only possible to control access and edit privileges for multi-team or full permission roles from within the Permission Roles page. 

Related Topics