After migrating to UKG Pro cloud, our managers can’t access succession planning reports even though they have the Manager role assigned. In on-prem, the Manager role automatically granted access to succession planning views for their direct reports, but in cloud they’re getting ‘Access Denied’ errors when trying to open talent review dashboards. HR admins can see everything fine. We have annual talent reviews starting next week and this is blocking 50+ managers from completing their assessments. I’ve verified the managers have the correct security group assignments and their organizational hierarchy is properly configured. What’s different about role-to-permission mapping in cloud that would cause this?
Yes, you need dual group membership in cloud. But there’s another layer: report access permissions are separate from module permissions. Even with the right role and security groups, managers need explicit report access grants for succession planning dashboards. Check the report configuration to ensure ‘Manager Self-Service Reports’ includes succession planning views.
Cloud uses a different permission inheritance model. On-prem had implicit permissions based on organizational hierarchy, but cloud requires explicit role-to-permission mappings. Check if the Manager role has the ‘View Succession Plans’ permission explicitly assigned in the cloud security configuration.
I checked the security groups and managers are in the ‘Managers’ group but not in ‘Succession Planning Users’ group. Should I add them to both? Also, when I look at the role permissions, the Manager role shows ‘View Direct Reports’ but doesn’t explicitly list succession planning reports.
I’ll provide a complete solution covering all aspects of role-to-permission mapping and security group configuration in cloud:
1. Role-to-Permission Mapping in Cloud:
Cloud uses a three-tier permission model that on-prem didn’t have:
Tier 1: Base Role Permissions
- Manager role grants organizational hierarchy view
- Does NOT automatically include module-specific permissions
- On-prem bundled module access with base roles; cloud separates them
Tier 2: Module Permissions
- Succession Planning module requires explicit permission assignment
- Key permissions needed for managers:
  - View Succession Plans (read access)
  - Update Succession Assessments (write access for talent reviews)
  - View Talent Profiles (access to employee development data)
  - Export Succession Reports (if managers need report downloads)
Tier 3: Report Access Permissions
- Cloud treats reports as separate security objects
- Each report requires explicit access grant
- Organizational hierarchy doesn’t automatically grant report visibility
2. Security Group Assignment Requirements:
Managers need membership in THREE security groups for succession planning access:
a) Organizational Security Group (e.g., ‘Managers’)
- Grants base organizational hierarchy access
- Defines scope of direct reports
b) Module Security Group (e.g., ‘Succession Planning Users’)
- Grants access to succession planning module
- Required for viewing talent review dashboards
c) Report Security Group (e.g., ‘Manager Self-Service Reports’)
- Grants access to specific succession planning reports
- Must include: Talent Review Dashboard, Succession Gap Analysis, Development Plans
On-prem only required (a); cloud requires all three.
3. Cloud Report Access Configuration:
Report access is configured separately from module access:
Steps to Configure:
- Navigate to: System Configuration > Security > Report Access
- Locate ‘Succession Planning Reports’ folder
- For each report, verify ‘Accessible By’ includes ‘Managers’ group
- Check ‘Data Filtering’ is set to ‘Direct Reports Only’ for managers
- Ensure ‘Inheritance’ is enabled so managers see subordinate manager’s reports
Critical Difference from On-Prem: On-prem used implicit filtering based on org hierarchy. Cloud requires explicit data filtering rules in report configuration.
4. Custom Role Inheritance in Cloud:
If you had custom manager roles in on-prem, they need to be recreated in cloud with explicit permission inheritance:
Migration Process:
- Export on-prem custom role definitions
- Map on-prem permissions to cloud permission structure
- Create composite role in cloud: Base Manager + Succession Planning + Report Access
- Assign composite role to manager population
Example Composite Role Structure:
Custom Manager Role (Cloud)
├── Base Permissions (inherited from Manager role)
│   ├── View Direct Reports
│   ├── Update Employee Data
│   └── Approve Time Off
├── Succession Planning Permissions (explicit)
│   ├── View Succession Plans
│   ├── Update Succession Assessments
│   ├── View Talent Profiles
│   └── Create Development Plans
└── Report Permissions (explicit)
    ├── Access Talent Review Dashboard
    ├── Access Succession Gap Analysis
    └── Access Development Plan Reports
On-prem allowed implicit inheritance; cloud requires explicit definition of all permission branches.
Complete Solution Steps:
Step 1: Update Security Group Membership
- Navigate to: Security Configuration > Security Groups
- Add all managers to ‘Succession Planning Users’ group
- Add all managers to ‘Manager Self-Service Reports’ group
- Verify they remain in organizational ‘Managers’ group
Step 2: Create or Update Composite Role
- Go to: Security Configuration > Role Management
- Create new role: ‘Manager with Succession Planning’
- Inherit from: Base Manager role
- Add module permissions: All succession planning permissions
- Add report access: Manager succession planning reports
- Save and assign to manager population
Step 3: Configure Report Access
- Navigate to: System Configuration > Report Configuration
- For each succession planning report:
  - Add ‘Managers’ to ‘Accessible By’ list
  - Set data filter: ‘Direct Reports and Below’
  - Enable ‘Hierarchical Inheritance’ for cascading access
Step 4: Validate Permissions
- Use ‘Test as User’ feature to impersonate a manager account
- Verify access to: Talent Review Dashboard, Succession Plans, Development Plans
- Check that data filtering shows only direct reports
- Test report export functionality
Step 5: Bulk Update (if needed)
If you have many managers, use bulk security update:
- Export current manager security assignments
- Add required groups: Succession Planning Users, Manager Self-Service Reports
- Import updated assignments
- Run validation report to confirm all managers have correct access
Common Pitfalls to Avoid:
- Don’t rely on organizational hierarchy alone; cloud requires explicit group membership
- Don’t assume role inheritance works like on-prem; cloud requires explicit permission grants
- Don’t forget report-level permissions; module access doesn’t automatically grant report access
- Don’t skip data filtering configuration; managers will see all employee data without proper filters
Verification Checklist:
- [ ] Managers in three required security groups
- [ ] Composite role includes succession planning permissions
- [ ] Reports configured with manager access
- [ ] Data filtering limits view to direct reports
- [ ] Tested with actual manager account
After implementing these changes, your managers should have full access to succession planning reports. The key difference is that cloud requires explicit configuration at every layer (role, group, report, data filter) whereas on-prem inferred access from organizational hierarchy.
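An added example, not part of the original answer and not UKG tooling: the checks in Steps 4 and 5 and the verification checklist, scripted over exported data. The CSV layouts and column names are assumptions with constructed sample rows; the group names, report names and filter values are the ones quoted in the answer.

```python
import csv
import io

# Group and filter names as quoted in the answer above.
REQUIRED_GROUPS = {"Managers", "Succession Planning Users", "Manager Self-Service Reports"}
SCOPED_FILTERS = {"Direct Reports Only", "Direct Reports and Below"}

# Constructed sample exports; the column layout is an assumption, not a UKG Pro format.
ASSIGNMENTS_CSV = """user,group
alice,Managers
alice,Succession Planning Users
alice,Manager Self-Service Reports
bob,Managers
carol,Managers
carol,Succession Planning Users
"""

REPORTS_CSV = """report,accessible_by,data_filter
Talent Review Dashboard,Managers;HR Admins,Direct Reports Only
Succession Gap Analysis,HR Admins,Direct Reports Only
Development Plans,Managers,
"""

def missing_groups(assignments_csv):
    """Map each user in the 'Managers' group to the required groups they lack."""
    groups = {}
    for row in csv.DictReader(io.StringIO(assignments_csv)):
        groups.setdefault(row["user"].strip(), set()).add(row["group"].strip())
    return {user: sorted(REQUIRED_GROUPS - held) for user, held in groups.items()
            if "Managers" in held and REQUIRED_GROUPS - held}

def report_findings(reports_csv):
    """Flag reports managers cannot open, and reports open to them with no scoping filter."""
    findings = []
    for row in csv.DictReader(io.StringIO(reports_csv)):
        allowed = {g.strip() for g in row["accessible_by"].split(";") if g.strip()}
        data_filter = (row["data_filter"] or "").strip()
        if "Managers" not in allowed:
            findings.append((row["report"], "no-manager-access"))
        elif data_filter not in SCOPED_FILTERS:
            findings.append((row["report"], "unscoped-data-filter"))
    return findings

if __name__ == "__main__":
    for user, gaps in missing_groups(ASSIGNMENTS_CSV).items():
        print(f"{user}: missing {', '.join(gaps)}")
    for report, issue in report_findings(REPORTS_CSV):
        print(f"{report}: {issue}")
```

The `unscoped-data-filter` finding is the one to treat as a data-exposure issue rather than an access-denied issue, since it corresponds to the pitfall of managers seeing all employee data.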
I encountered this during our migration last year. The issue is that cloud separates ‘Manager’ role from ‘Succession Planning Viewer’ role, whereas on-prem bundled them together. You need to create a composite role that includes both Manager base permissions and Succession Planning module permissions. Go to Security Configuration > Role Management > Create Composite Role, then assign it to your manager population. Also verify that the succession planning security group has the correct report access permissions; cloud doesn’t automatically grant report access based on organizational hierarchy like on-prem did.