File access control in employee profiles by permission groups

Until now, all files stored in an employee profile were automatically visible to every administrator of the Employees module. There was no way to restrict file access to a specific permission group — even if your company had multiple groups with administrative rights.

This caused issues when, for example, payroll documents (tax forms, payslips, contracts) added via API integration should only be visible to one of the administrative groups, not all of them.

What's changing?

A new option — "For permission groups" — is now available in the file access settings within the employee profile. You'll find it below the existing "For selected employees" field. It lets you select one or more permission groups that should have access to a given file.

How does it work?

When adding or editing a file in an employee profile, you select which permission groups can see it. By default, the system pre-selects groups where the Employees module has the Management permission set to Module Administrator — so existing behaviour remains unchanged.

The same applies to the API: if you don't specify groups when adding a file via the endpoint, the system automatically assigns access to groups with Employees module administrator permissions. The API documentation has been updated.

What does this change cover?

• New "For permission groups" field (multiselect) in file access settings
• One-time permission migration — existing files have been automatically assigned to groups matching current behaviour
• Updated API endpoint with support for the new parameter
• Updated API documentation