Skip to main content
Sign in

Overview

Until now, Keka used one global permission— Core HR Privileges.  Manage Data Imports—to control access to Data Imports. This single permission covered 35+ import actions, which made it difficult for admins to:

  • give only the required access,
  • audit who can do what,
  • avoid over-permissioning.

With this release, Keka introduces granular import privileges, where each import action has its own permission.

What’s new

1) Granular import privileges

Keka has broken down the monolithic import permission into single-purpose privileges, with:

  • one privilege per import operation
  • privilege naming in dot notation: coreHRPrivileges.<Module>.<Action>Import

This gives admins fine-grained control over which roles/users can perform specific imports.

2) Privilege assignment in Admin UI

Admins can now assign these new atomic import privileges individually in the Admin UI, alongside the legacy combined permission.

Admins will be able to:

  • select specific import privileges for roles/users,
  • clearly differentiate new atomic privileges from the legacy combined privilege.

Backward compatibility (no disruption)

To ensure there is zero disruption:

  • The existing combined privilege coreHRPrivileges.ManageDataImports remains functional after deployment.
  • Wherever CoreHR Privileges. Manage Data Imports was already enabled, Keka will also enable the new atomic import privileges so existing roles/users continue to work without any changes.

Access rule after this release 
A user can perform an import if they have either:

  • CoreHR Privileges Manage Data Imports (legacy)or
  • the relevant atomic import privilege (new).

Key benefits

  • Granular access: Give users access only to the import actions they need
  • Better auditability: Easier to review who can run which imports
  • Reduced risk: Avoids over-permissioning caused by a single broad permission
  • Zero disruption: Existing roles and permissions continue to work as-is

Release plan

This change follows a staged rollout:

  • Beta: Pilot with selected customers to validate Admin UI behavior, mapping, and access control.
  • GA (General Availability): Available to all customers once Beta exit criteria is met (atomic privileges live, backward compatibility confirmed, no unauthorized access, and critical feedback resolved).

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk