Authorization Objects and Roles

Last updated on 2025-07-21

Overview

Access to the Pillar 2 workspaces can be tailored in a detailed manner in the Roles workspace, ensuring that not every user has access to all of them. Roles with specific authorization objects can be set up to manage which workspaces and entities/jurisdictions each user can interact with.

For example, customers might create a P2 Expert role that grants comprehensive rights across all Pillar 2 workspaces or a P2 Entity User who can only access and edit the entity data collection of a particular constituent entity (CE).

Authorization Levels
General Authorization Levels

Every section of the Pillar 2 module listed below allows for an individual authorization level:

  • Users with read access can open dialogs and view the data in that section
  • Users with edit rights can also input or modify data. 

Note: Edit access does not contain read access, i.e. if a user needs edit access, both access types need to be activated.

Specific Rights

Some sections also use execute or bulk change rights that enable users to execute certain functions of the Pillar 2 module. Execute rights are divided into three levels:

  • Increase - Exec enables a user to increase the status of a milestone up to the level finished.
  • Review - Exec enables a user to increase the status of a milestone from finished to checked.
  • Decrease - Exec enables a user to decrease the status of a milestone from checked to finished and from finished to in progress.
Superuser Rights

Users with Superuser rights have universal access to all dialogs and settings, bypassing regular authorization restrictions.

To grant superuser rights, activate All objects - all values in the Roles workspace.

Available Options per Section

You can administrate user rights for the following Pillar 2 workspaces or functional areas:

Workspace

Roles

Status Monitoring

  • Read: Open the workspace and view the status of milestones
  • Bulk Change - Execute: Update milestone status of multiple constituent entities 

Administration

  • Read: Open the workspace and view settings
  • Edit: Modify settings

Import | Income Taxes

  • Read: Open the workspace
  • Execute: Import data from the income tax module for an individual constituent entity
  • Bulk Change - Execute: Import data from the income tax module for multiple constituent entities

Import | Allocations

  • Read: Open the workspace
  • Execute: Import tax allocations and FTE/PE allocations

Import | Transfer Values

  • Read: Open the workspace
  • Execute: Import data from questionnaires or the CbCR module for an individual constituent entity
  • Bulk Change - Execute: Import data from questionnaires or the CbCR module for multiple constituent entities

Import | External

  • Read: Open the workspace
  • Execute: Import data from external sources (e.g. SAP, csv files) for an individual constituent entity
  • Bulk Change - Execute: Import data from external sources (e.g. SAP, csv files) for multiple constituent entities

The workspaces Group Data Collection, Jurisdictional Data Collection, and Jurisdictional Elections, as well as the workspaces under the Entity Data Collection functional area each have the same pair of rights: read enables the users to view data within the workspace in question, and edit enables the user the modify data therein.

Workspace

Roles

Home

  • Read: Open the workspace, view settings and snapshots
  • Edit: Edit snapshots and settings
  • Delete snapshot - Execute: Delete snapshots
  • Global snapshot - Read: View global snapshots
  • Global snapshot - Execute: Create global snapshots
  • Limited snapshot - Read: View limited country snapshots (based on jurisdictional rights)
  • Limited snapshot - Execute: Create limited country snapshots (based on jurisdictional rights)

Remaining workspaces

Read: Open the workspace

For more information on how to administrate roles, see Roles.

Related articles

Contact Us