Skip to main content

Troubleshooting

Common issues in The One People and how to resolve them.

1. Users Cannot Log In to People

Symptom: Clicking the People link from Hub redirects correctly but the user sees an authentication error or is sent back to Hub login.

Causes and Fixes:

  • PORTAL_SSO_SECRET mismatch — The secret used to sign Hub SSO tokens must match the secret People expects. Verify both Hub and People are using the same value. Contact your administrator to check the Key Vault secret.
  • Session cookie blocked — People uses a session cookie set on the People domain. If the user's browser blocks third-party cookies or has strict cookie policies, the session may not persist. Try a different browser or disable enhanced tracking protection for the People domain.
  • User not provisioned — The user must have a Hub account with a People role assigned. Go to Hub > Users, find the user, and assign a People role.
  • JTI replay — Hub SSO tokens are single-use. If the user clicks the login link twice (e.g., browser back button), the second request fails. Instruct the user to return to Hub and click People again.

2. Employee Not Appearing in Directory

Symptom: An employee was added but does not appear in the directory search.

Causes and Fixes:

  • Status filter — The directory defaults to showing Active employees. Check if the employee has a different status (On Leave, Suspended, etc.) and adjust the status filter.
  • Wrong tenant — Verify the user is logged in to the correct organization. The People URL includes the organization slug.
  • Record soft-deleted — If someone accidentally deleted the employee record, it is soft-deleted (hidden). Contact support to restore it — soft-deletes can be reversed.
  • Propagation delay — New records are available immediately. If the employee was just added and is still not showing, try a hard refresh (Ctrl+Shift+R / Cmd+Shift+R).

3. PTO Accrual Is Incorrect

Symptom: An employee's PTO balance appears lower or higher than expected.

Causes and Fixes:

  • Accrual rate not set — If the accrual rate is blank on the employee's Compensation tab, no accrual occurs. Set the accrual rate and note that it only applies going forward — add a manual adjustment for any missed accrual.
  • Start date wrong — Accrual calculates from the employee's Start Date. If the start date is incorrect, fix it and request a manual recalculation from support.
  • Pending requests reducing Available balance — The Available balance deducts pending (not yet approved) requests. If the employee sees a lower balance than expected, check for pending requests they may have forgotten about.
  • Year-end carryover — At year start, hours above the carryover limit are forfeited. If the employee expected to carry more hours than they did, review the carryover policy on their record.
💡The daily PTO accrual timer runs at 1 AM UTC. A discrepancy seen on the same day a policy was changed may resolve after the next accrual run.

4. Manager Cannot Approve Time Off

Symptom: A manager clicks Approve on a time off request but sees a permission error.

Causes and Fixes:

  • Role too low — Managers can only approve time off for their direct reports. Verify the requesting employee has this manager set as their Manager in their employee record.
  • Manager role not assigned — The user must have the Manager role (or higher) in People. Go to Hub > Users and verify their People role.
  • Wrong employee — If the request is for an employee who does not report to this manager, only HR Staff and above can approve it.

5. Onboarding Tasks Not Sent to Assignees

Symptom: An onboarding was started but the assigned IT team member or manager did not receive a notification.

Causes and Fixes:

  • Email not configured — People sends notifications via AWS SES. Verify SES_FROM_ADDRESS and SES configuration is active.
  • Assignee not mapped — Onboarding tasks assign to a role type (HR, IT, Manager, Employee). Verify the employee's Manager field is set, and that IT tasks have a specific user assigned in the template (or the task defaults to HR).
  • Spam filter — Task notification emails may be in the recipient's spam folder. Ask them to check and add People's sender address to their safe list.
  • Onboarding not started — Verify the onboarding status is In Progress, not Not Started. If it was created but never started, click Start Onboarding.

Symptom: The employee clicks the signing link in the email but sees an "Invalid or expired link" error.

Causes and Fixes:

  • Link expired — Signing links are valid for 7 days (or the configured expiry date). If expired, void the document and send a new one.
  • Link already used — Each signing link is single-use. If the employee opened it once and navigated away without signing, the link may appear expired on the second open. Check the document status in E-Sign — if it shows Viewed, the employee did open it. Create a new document and send a fresh link.
  • Document voided — If the document was voided, the link immediately becomes invalid. Create a new document.
  • Incorrect email — Verify the employee's work email address is correct in their People record.

7. Policy Compliance Dashboard Shows No Policies

Symptom: The Policies section in People is empty even though policies exist in Legal.

Causes and Fixes:

  • LEGAL_API_URL not set — The People API needs LEGAL_API_URL pointing to the Legal API endpoint. Verify this environment variable is set.
  • LEGAL_INTEGRATION_KEY mismatch — The integration key must match what Legal expects. Verify both services are using the same key.
  • No active policies in Legal — Policies must have an Active status in Legal to appear in People. Check Legal for any policies in Draft status.
  • Legal API unavailable — If the Legal Function App is down or misconfigured, People cannot fetch policies. Check Legal API health via Hub.

8. Insider Threat Signals Not Appearing

Symptom: An employee is on an active offboarding list but no insider threat signals appear, even though Defend is deployed.

Causes and Fixes:

  • Defend agent not on endpoint — Defend can only monitor endpoints where an agent is installed. Verify the employee has a Defend agent installed on their device via Defend > Devices.
  • DEFEND_SERVICE_KEY mismatch — The key on People must match the key on the Defend API. Verify both.
  • Offboarding not started via workflow — If the employee's status was changed directly to Terminated without starting an offboarding workflow, Defend was never notified. Start a new offboarding workflow to activate monitoring going forward.
  • Below detection threshold — Defend's behavioral AI requires a baseline period. If the employee joined recently, the anomaly threshold may not have been established. Lower-severity activity may not trigger a notification.

9. Performance Review Stuck in Wrong Stage

Symptom: A review appears to be in the wrong stage and cannot be advanced.

Causes and Fixes:

  • Self-assessment not submitted — A review cannot advance from Self Review to Manager Review until the employee submits their self-assessment. Have the employee submit or, if they are unavailable, an HR Manager can skip self-assessment by advancing the review manually.
  • Manager assessment not complete — The review cannot be completed until the manager submits their assessment including an overall rating.
  • Insufficient role — Only the reviewer or an HR Manager/Admin can advance a review. HR Staff cannot change review stages.

10. Org Chart Shows Employees in Wrong Department

Symptom: The org chart places employees under the wrong department or manager.

Causes and Fixes:

  • Employee record not updated — The org chart is built from the Department and Manager fields on each employee record. If a reorganization happened, the employee records must be updated. Use bulk actions to update multiple employees at once.
  • Department deleted — If a department was deleted without reassigning employees, those employees lose their department association. Reassign them to an active department.
  • Manager field blank — Employees without a manager set appear at the top of the org chart as root nodes. Set their manager to place them correctly in the hierarchy.

When to Contact Support

Contact The One Stack support ([email protected]) for:

  • Audit records that need to be recovered or exported
  • Employee records that need to be undeleted
  • PTO balance corrections requiring backdated recalculation
  • Any data inconsistency that cannot be resolved by configuration changes
  • SSO failures that persist after verifying all environment variables

Self-service resolution covers most issues in People — check the relevant configuration before opening a support ticket.