Xoxoday Plum supports role-based access control (RBAC) that restricts user views and access based on company affiliation, organisational hierarchy, or custom business unit groupings, ensuring each user sees only the data relevant to their scope.
Xoxoday Plum’s RBAC model is built to handle the access governance needs of complex organisations. Administrators can restrict what each user views and interacts with based on where they sit in the company — whether that is a specific legal entity, a regional group, or a custom business unit defined within the rewards programme.
Access restrictions in Xoxoday Plum operate at three distinct levels: organisational hierarchy, company groupings, and custom business units. Hierarchy-based restrictions follow the reporting structure synced from your HR system, so a regional HR manager in APAC sees only the redemption data and budgets for their region. Company groupings work well for enterprises running multiple subsidiaries or brands under a single Plum account, keeping each entity’s data cleanly separated from the others.
Custom business unit groupings give administrators additional flexibility. Rather than relying purely on the org chart imported from Workday, SAP SuccessFactors, or Darwinbox, administrators can define groupings that reflect commercial realities — a cross-functional programme team, a newly launched market entity, or a project-specific cohort. Xoxoday Plum applies the same RBAC restrictions to these custom groups as it does to standard hierarchy nodes.
A practical example: an organisation running a global sales incentive programme alongside a separate employee wellness programme can configure Xoxoday Plum so that sales managers view only the incentive leaderboard and points data for their direct reports, while HR business partners view wellness redemptions across their assigned territories. Neither group accesses data outside their defined scope, even though both programmes run within the same Plum account.
This segmentation approach supports broader compliance requirements. Xoxoday Plum is certified to ISO 27001 and SOC 2 Type II standards, and the RBAC architecture is designed to uphold the principle of least privilege — a control routinely required during enterprise security reviews. Access logs are available to super-admins for full audit trail visibility, giving IT and compliance teams the oversight they need.
For organisations provisioning users programmatically — via SCIM integrations with identity providers or HR platforms — RBAC group assignments can be passed as attributes at the point of provisioning. This means access is configured automatically as employees join, change teams, or offboard, removing manual overhead for administrators and reducing the risk of orphaned access.
Xoxoday Plum’s access governance capabilities scale with organisational complexity. Whether you are managing a single business unit or a multi-entity group with hundreds of programme administrators across regions, the RBAC model ensures users see exactly what they need — and nothing more.
Learn more: Xoxoday Plum Help Centre — Product requirement