
Security & access: RBAC, audit, SSO

RBAC roles and permissions, a full audit log, two-factor authentication and SSO/SAML — fine-grained control of who sees what in employee data, per GDPR.

Personnel data is among the most sensitive a company holds: salaries, medical records, reviews, personal data. Uncontrolled access to it is both a GDPR compliance risk and an internal risk. 4mystaff provides an enterprise-grade security layer: role-based access control (RBAC), so each person sees only what they need; an audit log that records who accessed or changed what and when; two-factor authentication (2FA) and SSO/SAML sign-in with the company identity; plus tools for employees’ GDPR rights (access, export, erasure). Security is not an add-on at the end — it is the foundation the whole digital HR stack stands on.

  • RBAC — fine-grained roles and permissions: employee, team manager, HR, admin, with visibility limited to their own structure.
  • Full audit log: every access, change and export of personnel data is recorded with author and timestamp.
  • Two-factor authentication (2FA) via an authenticator app or code, for all accounts.
  • SSO / SAML: sign-in with corporate identity (Google Workspace, Microsoft Entra ID / Azure AD).
  • Provisioning and deprovisioning: when an employee leaves, access is revoked immediately and logged.
  • Restricted access to special data (medical, salary) — separate from the general file.
  • GDPR tools: respond to access requests, export a person’s data, erase per retention policies.
  • Password and session policies, plus alerts on unusual access.

RBAC: each person sees exactly what they need, nothing more

Role-based access control (RBAC) is the principle 4mystaff is built on: you define roles — employee, team manager, HR, admin — and each role gets exactly the permissions it needs. An employee sees only their own file; a manager sees the people on their team, per the org chart; HR sees the whole company; the admin manages configuration. Highly sensitive data (salaries, medical information) carries an extra restriction level. This “least privilege” principle dramatically reduces the risk surface — no one has access to data they don’t need for the job.

The audit log: full traceability

For sensitive data, controlling access is not enough — you must also be able to prove it. 4mystaff keeps an audit log that records actions on personnel data: who viewed a file, who changed a salary, who exported an employee list, with author, timestamp and detail. This log answers directly to the GDPR accountability principle and is invaluable when investigating an incident, at a security audit, or in a labour dispute when you must show who changed what and when.
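As an added illustration (not 4mystaff's own code), the RBAC scoping and audit logging described in the two sections above, in Python: the org chart, file fields, the "salary is visible to the person and HR only" rule and the medical-access flag are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data for the example: the org chart (employee -> manager)
# and a few personnel files. Field names are assumptions, not 4mystaff's schema.
ORG_CHART = {"e2": "m1", "e3": "m1", "e4": "m2"}
FILES = {
    "e2": {"name": "Ana", "salary": 5200, "medical": "sick leave 2024-03"},
    "e3": {"name": "Dan", "salary": 4800, "medical": ""},
    "e4": {"name": "Ioana", "salary": 6100, "medical": "sick leave 2024-01"},
}
AUDIT_LOG = []   # append-only here; a real deployment persists it tamper-evidently

@dataclass(frozen=True)
class User:
    id: str
    role: str                     # "employee" | "manager" | "hr" | "admin"
    medical_access: bool = False  # extra restriction level for special data

def in_scope(user: User, subject: str) -> bool:
    """Structural visibility: own file, own team per the org chart, or whole company."""
    if user.role == "employee":
        return subject == user.id
    if user.role == "manager":
        return subject == user.id or ORG_CHART.get(subject) == user.id
    return user.role == "hr"      # admin configures the system; no personnel files

def can_view(user: User, subject: str, field: str) -> bool:
    """Least privilege: scope check first, then the field-level restriction."""
    if not in_scope(user, subject):
        return False
    if field == "medical":        # special data: only explicitly authorised roles
        return user.medical_access
    if field == "salary":         # assumed policy: the person and HR only
        return subject == user.id or user.role == "hr"
    return True

def view_field(user: User, subject: str, field: str):
    """Every attempt, allowed or denied, is logged before any data is returned."""
    allowed = can_view(user, subject, field)
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "author": user.id, "action": "view", "subject": subject,
        "field": field, "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{user.id} ({user.role}) may not view {subject}.{field}")
    return FILES[subject][field]
```

Denied attempts are logged as well as successful ones, which is what makes the log useful when investigating unusual access.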

2FA and SSO/SAML: authentication at corporate standard

A password alone is no longer enough for sensitive data. 4mystaff supports two-factor authentication (2FA), via an authenticator app or code, to prevent access with a compromised password. For organisations with centralised corporate identity, SSO/SAML sign-in (Google Workspace, Microsoft Entra ID / Azure AD) means employees use the same account as for the rest of the company’s apps, and IT applies security policies from one place. When an employee leaves, disabling the account in the identity provider automatically revokes their 4mystaff access too.

GDPR compliance: employees’ rights, in practice

GDPR gives employees concrete rights over their data — access, rectification, portability, erasure — and the firm must be able to honour them. 4mystaff provides the tools: on an access request, you export the person’s data in a structured format; you apply retention policies per document type (payroll records 50 years, other documents per law) and erase what no longer has a basis; you document the processing basis for each data category. Combined with RBAC and the audit log, these tools let you demonstrate compliance, not just assert it.

Legal references

  • Regulation (EU) 2016/679 — GDPR (art. 5 principles, art. 25 data protection by design, art. 32 security of processing)
  • Regulation (EU) 2016/679 — GDPR, art. 15–20 (rights of the data subject: access, rectification, portability, erasure)
  • Law no. 190/2018 — measures implementing the GDPR in Romania
  • Law no. 53/2003 — the Labour Code (confidentiality of employee data)

Frequently asked questions

What is RBAC and why does it matter for personnel data?

RBAC (Role-Based Access Control) means granting permissions based on each user’s role, on the least-privilege principle. For personnel data — salaries, files, reviews — it means each person sees only what they need for the job, which reduces leak risk and meets GDPR requirements.

Can I connect 4mystaff with our SSO system?

Yes. 4mystaff supports SSO/SAML with providers such as Google Workspace and Microsoft Entra ID (Azure AD). Employees use the same corporate identity, and IT applies security policies centrally. When the account is disabled in the identity provider, 4mystaff access is revoked automatically.

What exactly does the audit log record?

Actions on personnel data: file views, changes (for example to salary or role), data exports — each with the author, timestamp and detail. It is a requirement of the GDPR accountability principle and an essential tool at audits and investigations.

How do we respond to an employee’s GDPR access request?

You export the person’s data in a structured format directly from 4mystaff. There you also apply retention policies and erase data that no longer has a basis, documenting the processing basis for each category — so you can demonstrate compliance.

Is employees’ medical data protected differently?

Yes. Sensitive categories, such as information from sick leave, have an extra restriction level, separate from the general file and visible only to authorised roles, with every access logged in the audit trail.

What happens to access when an employee leaves?

Access is revoked immediately (deprovisioning) and the action is logged. If you use SSO, disabling the account in the identity provider automatically revokes access. Data remains archived per retention policies but is no longer accessible to the former employee.

Protect personnel data at enterprise standard

We configure RBAC roles, enable 2FA and connect your company SSO — fine-grained access control and demonstrable GDPR compliance.