Xoxoday enforces role-based access control (RBAC) with maker-checker approval workflows, ensuring only authorized personnel can manage notification campaigns or access sensitive engagement analytics.
Role-Based Access Control for Campaigns and Analytics
Xoxoday gives organizations precise control over who can interact with notification campaigns and engagement data. Through a granular RBAC model, administrators assign distinct permissions for creating, editing, approving, and viewing campaign reports — each independently configurable for individuals, teams, or entire departments. This means a campaign manager in one business unit can build and edit a notification while a department head holds approval rights without overlapping into creation workflows. HR operations teams can access analytics dashboards scoped to their own workforce segments, without visibility into data belonging to other groups.
Maker-Checker Approval Workflows
Before any notification is published, Xoxoday’s maker-checker functionality enforces a structured multi-step approval process. A campaign created by one user must be reviewed and approved by a second authorized user before it goes live — preventing accidental or unauthorized communications from reaching employees. This is especially valuable for organizations running recognition programs integrated with HRIS platforms like Workday, SAP SuccessFactors, or Darwinbox, where notification triggers are tied to HR events such as onboarding completions, performance milestones, or anniversary dates. The maker-checker layer adds a governance checkpoint before those automated notifications are dispatched.
Distributed Permissions Across Organizational Hierarchies
Xoxoday supports distributed permission models that mirror how large enterprises actually operate. Access rights can be allocated by department, geography, or functional team — so a regional HR manager in EMEA controls campaigns and analytics relevant to their region, while a global administrator retains oversight across all entities. For companies operating across multiple Slack workspaces or Microsoft Teams environments, this segmentation ensures notification reach and reporting access align with organizational boundaries rather than requiring a single centralized admin to manage everything.
Security and Compliance Assurance
Restricting access to campaign management and analytics data is a core component of Xoxoday’s broader security posture. Xoxoday is certified under ISO 27001 and SOC 2 Type II, and the RBAC system directly supports compliance requirements by creating a clear audit trail of who made changes, when, and under what authorization. Only personnel with explicit permissions can access sensitive engagement metrics — such as participation rates, reward redemption data, or notification open rates — reducing the risk of data misuse or unauthorized campaign modifications. This level of access governance is critical in regulated industries where control over sensitive HR data must be demonstrable to auditors.
Configuring User Management in Xoxoday
Role configuration begins in the Xoxoday admin console, where super-admins define role templates and assign them to users individually or in bulk. Permission changes take effect immediately, and all role assignments are logged for compliance purposes. Organizations with complex hierarchies can work with Xoxoday’s customer success team to map their org structure to the RBAC model before going live.
Learn more: Xoxoday Help Centre — Technical requirement
How does Xoxoday handle data encryption and security standards?
Learn how Xoxoday protects data at rest and in transit through ISO 27001 and SOC 2 Type II certified infrastructure.
Does Xoxoday support single sign-on and multi-factor authentication?
Understand how Xoxoday integrates with enterprise identity providers to enforce secure, auditable user authentication.