What Employees Can See & Do
The Employee Portal adjusts what data, fields, and actions are visible based on the user's role. This page details exactly what employees see on each page and what actions are available to them.
Timesheets
Employees can create, edit, and submit their own weekly timesheets.
Available Actions
| Action | Available | Condition |
|---|---|---|
| Log Time | Yes | Requires create timesheets permission |
| Submit Timesheet | Yes | Only for draft timesheets |
| Approve / Reject | No | Requires approve timesheets permission (admin only) |
| Edit | Yes | Only own draft timesheets |
| Delete | Yes | Only own records, with delete permission |
Workflow for Employees
- Create a timesheet for a week period.
- Log time entries against projects.
- Submit the timesheet for approval.
- Track the status (Submitted -> Approved or Rejected).
- If rejected, review the rejection reason, make changes, and resubmit.
Leave Requests
Employees can submit, track, and cancel their own leave requests.
Available Actions
| Action | Available | Condition |
|---|---|---|
| Cancel Leave | Yes | Only for own pending or approved requests |
| Approve / Reject | No | Requires approve leave requests permission |
| Edit | Yes | Only own pending requests |
| Delete | Yes | Only own records, with delete permission |
Validation
- Overlap detection: The system prevents submitting leave requests that overlap with existing approved or pending requests.
- Days validation: The number of days must match the date range (full days or half days).
Attendance
Employees can log their own daily attendance.
Available Actions
| Action | Available | Condition |
|---|---|---|
| Create Attendance | Yes | Requires create attendance permission |
| Edit | Yes | Only own records |
| Delete | Yes | Only own records, with delete permission |
Leave Balances
Employees can view their leave entitlements and usage. This is a read-only view for employees.
Available Actions
| Action | Available |
|---|---|
| Create | No (only administrators can allocate leave balances) |
| Edit | No |
| Delete | No |
Payslips
Employees can view and download their own payslips.
Available Actions
| Action | Available | Condition |
|---|---|---|
| View Payslip | Yes | Opens payslip in browser |
| Download Payslip | Yes | Downloads payslip as PDF |
| Finalize / Send | No | Admin-only actions |
Data Scoping Summary
All data is automatically filtered, so employees see only their own records:
| Resource | Scoping Method |
|---|---|
| Leave Requests | Filtered by employee_id via global scope |
| Leave Balances | Filtered by employee_id via global scope |
| Attendance | Filtered by employee_id via global scope |
| Timesheets | Filtered by employee_id via global scope |
| Payslips | Filtered through payroll_entry.employee_id via global scope |
| Salary Structures | Filtered by employee_id via global scope |
| Payroll Entries | Filtered by employee_id via global scope |
Resources not filtered (visible to all):
- Leave Types: employees need to see all leave types when creating requests
- Employee: the model itself is not scoped (employee's own record is accessible via policy)
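A sketch of how an employee_id global scope of this kind can be written in Laravel, covering both the direct column and the payslip case that goes through payroll_entry.employee_id. This is an added example, not the HRM module's own code: the class names, the payrollEntry relation name, the employee_id attribute on the user, and the placement of isEmployeeUser() on the user model are all assumptions.

```php
<?php
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;

// Hypothetical scope: limits Eloquent queries to the logged-in employee's rows.
class EmployeeOwnedScope implements Scope
{
    // $via = null: the model has its own employee_id column.
    // $via = 'payrollEntry': ownership is reached through that relation.
    public function __construct(private ?string $via = null) {}

    public function apply(Builder $builder, Model $model): void
    {
        $user = auth()->user();
        // Assumption: isEmployeeUser() is a method on the user model.
        if ($user === null || ! $user->isEmployeeUser()) {
            return; // console jobs and non-employee roles are not scoped here
        }
        // Assumption: the user row stores the linked employee's id.
        $employeeId = $user->employee_id;
        if ($employeeId === null) {
            // Fail closed: where('employee_id', null) would compile to
            // "employee_id IS NULL" and could expose unassigned rows.
            $builder->whereRaw('1 = 0');
        } elseif ($this->via === null) {
            $builder->where($model->qualifyColumn('employee_id'), $employeeId);
        } else {
            $builder->whereHas($this->via, fn (Builder $q) => $q->where('employee_id', $employeeId));
        }
    }
}

class Timesheet extends Model
{
    protected static function booted(): void { static::addGlobalScope(new EmployeeOwnedScope()); }
}

class PayrollEntry extends Model {}

class Payslip extends Model
{
    public function payrollEntry() { return $this->belongsTo(PayrollEntry::class); }
    protected static function booted(): void { static::addGlobalScope(new EmployeeOwnedScope('payrollEntry')); }
}
```

A global scope only applies to Eloquent queries on the model it is registered on. Queries built with DB::table() or calls to withoutGlobalScope() / withoutGlobalScopes() are not filtered, so they deserve attention in code review.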
Configuring the Employee Role
The Employee role is the cornerstone of the portal experience. It determines which users get the portal interface, what data they can access, and which actions they can perform. The role is automatically created when the HRM module is activated, with a default set of permissions.
Default Permissions
When the module is enabled, the Employee role is created with the following permissions:
Employee Profile
| Permission | Description |
|---|---|
| view own employees | View their own employee record |
| edit own employees | Edit their own profile (name, phone, address, etc.) |
Leave Requests
| Permission | Description |
|---|---|
| view own leave-requests | View their own leave requests |
| create leave-requests | Submit new leave requests |
| edit own leave-requests | Edit own pending requests |
| cancel leave requests | Cancel own pending or approved requests |
Leave Balances
| Permission | Description |
|---|---|
| view own leave-balances | View their own leave entitlements and usage |
Timesheets
| Permission | Description |
|---|---|
| view own timesheets | View their own timesheets |
| create timesheets | Create new timesheets |
| edit own timesheets | Edit own draft timesheets |
| submit timesheets | Submit draft timesheets for approval |
Attendance
| Permission | Description |
|---|---|
| view own attendance | View their own attendance records |
| create attendance | Log daily attendance |
| edit own attendance | Edit own attendance entries |
Payslips
| Permission | Description |
|---|---|
| view own payslips | View and download their own payslips |
Salary Structures
| Permission | Description |
|---|---|
| view own employee-salary-structures | View their own salary breakdown |
Permissions NOT Granted to Employees
The following permissions are intentionally excluded from the Employee role:
| Category | Excluded Permissions |
|---|---|
| View All / Team | view all *, view team * (employees see only own data) |
| Edit All / Team | edit all *, edit team * (employees edit only own records) |
| Delete | All delete and bulk delete permissions |
| Create (restricted) | create employees, create leave-balances, create payslips, create payroll-*, create employee-salary-structures |
| Approve / Reject | approve leave requests, approve timesheets, approve payroll |
| Payroll Operations | process payroll, finalize payslips, send payslips, generate payslips |
| Export | All export permissions |
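A drift check for a customized Employee role, matching its permission names against the excluded categories in the table above. This is an added example and not part of the HRM module: the function name and the sample role are constructed, and the wildcard patterns for the Delete and Export categories are assumed name shapes, since the page does not list those permission names individually.

```php
<?php
// Excluded categories from the table above, written as fnmatch() patterns.
// Assumption: names follow the "verb [scope] resource" form shown on this page.
const EXCLUDED_PATTERNS = [
    'View All / Team'     => ['view all *', 'view team *'],
    'Edit All / Team'     => ['edit all *', 'edit team *'],
    'Delete'              => ['delete *', 'bulk delete *'],
    'Create (restricted)' => ['create employees', 'create leave-balances', 'create payslips',
                              'create payroll-*', 'create employee-salary-structures'],
    'Approve / Reject'    => ['approve leave requests', 'approve timesheets', 'approve payroll'],
    'Payroll Operations'  => ['process payroll', 'finalize payslips', 'send payslips', 'generate payslips'],
    'Export'              => ['export *'],
];

// Return [permission => category] for every permission on the role that
// falls in a category the default Employee role excludes.
function findExcludedGrants(array $rolePermissions): array
{
    $findings = [];
    foreach ($rolePermissions as $permission) {
        $name = strtolower(trim($permission));
        foreach (EXCLUDED_PATTERNS as $category => $patterns) {
            foreach ($patterns as $pattern) {
                if (fnmatch($pattern, $name)) {
                    $findings[$permission] = $category;
                    continue 3; // first matching category is enough
                }
            }
        }
    }
    return $findings;
}

// Constructed sample: an Employee role that was customized after activation.
$employeeRole = [
    'view own timesheets', 'create timesheets', 'submit timesheets',
    'delete own leave-requests',   // the customization example from this page
    'view team attendance',        // constructed drift
    'export payslips',             // constructed drift
];

foreach (findExcludedGrants($employeeRole) as $permission => $category) {
    echo "REVIEW  {$permission}  (excluded category: {$category})\n";
}
```

A finding is a deviation from the default role, not necessarily a mistake; the point is that every such grant is a deliberate, reviewed decision. On a live install the input would be the permission names currently assigned to the Employee role.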
Customizing the Role
Adding Permissions
To grant additional permissions to employees, navigate to Settings > Roles & Permissions, find the Employee role, and toggle the desired permissions.
For example, to allow employees to delete their own leave requests:
- Go to Settings > Roles & Permissions.
- Edit the Employee role.
- Enable delete own leave-requests.
- Save.
Removing Permissions
Similarly, you can restrict employees further by removing permissions. For example, to prevent employees from editing their own attendance:
- Edit the Employee role.
- Disable edit own attendance.
- Save.
Changing the Role Name
The role name defaults to "Employee" but can be changed via configuration:
// modules/HRM/config/employee-portal.php
'employee_role_name' => env('EMPLOYEE_ROLE_NAME', 'Employee'),
Or via environment variable:
EMPLOYEE_ROLE_NAME=Staff
If you change the role name, the module activation (or re-running the seeder) will create a role with the new name. Existing users with the old role name will need to be reassigned manually.
Re-Syncing Permissions
If you need to reset the Employee role permissions to their defaults (e.g., after an update), you can re-run the seeder:
php artisan db:seed --class="Modules\HRM\Database\Seeders\EmployeeRoleSeeder"
This will recreate the role (if it doesn't exist) and sync it with the default permission set. Any custom permission modifications you've made will be overwritten.
Alternatively, disabling and re-enabling the HRM module from Settings > HRM Configuration > Activation will also re-sync the Employee role permissions.
How Permissions Interact with the Portal
The Employee Portal uses a layered access control system:
Layer 1: Menu Filtering
-- Hides sidebar items not in allowed_menu_items config
Layer 2: Route Protection
-- Frontend guard blocks navigation to unauthorized routes
Layer 3: Data Scoping
-- Global scope filters queries to employee's own records
Layer 4: Field Visibility
-- Resource fields hidden via isEmployeeUser() checks
Layer 5: Permissions & Policies
-- Spatie permissions control CRUD and action access
Layer 6: Super Admin Bypass
-- Gate::before returns true for super-admins, bypassing all layers
Together, the first five layers provide defense in depth. Even if an employee bypasses the menu filtering, the data scoping ensures they can only see their own records, and the permission system prevents unauthorized actions. Layer 6 is different in kind: it is a bypass for super-admins, not an additional restriction.