Permissions and Roles
The HRM module uses a granular permission system to control who can view, create, edit, delete, and perform specific actions on each type of record. Permissions are assigned to roles, and each user is assigned one or more roles. This lets you tailor access precisely — for example, allowing an HR manager to approve leave and process payroll, while limiting employees to viewing their own records and submitting requests.
How Permissions Work
Permissions in the HRM module are organized into two categories:
- CRUD Permissions — Control basic operations (create, view, edit, delete) on each resource type (Employees, Leave Requests, Timesheets, etc.).
- Action Permissions — Control specific workflow actions like approving leave, processing payroll, or finalizing payslips.
Permissions are assigned to roles through the Settings > Permissions page. Each role gets a combination of permissions that define what users in that role can do.
Permission Checks on Actions
Many workflow actions in the HRM module require two conditions to be met:
- The user must have the correct permission (e.g., "Approve Leave Requests").
- The record must be in the correct status (e.g., the leave request must be in Pending status).
If either condition is not met, the action button will not appear. For example, even if you have the "Approve Leave Requests" permission, the Approve button will not show on a leave request that has already been approved.
CRUD Permissions (Create, View, Edit, Delete)
Each HRM resource automatically receives a set of CRUD permissions. These follow a consistent pattern across all resources.
View Permissions
| Permission | What It Allows |
|---|---|
| View All | View every record of this type, regardless of who created it |
| View Own | View only records created by the logged-in user |
| View Team | View records created by members of teams you manage |
Create Permissions
| Permission | What It Allows |
|---|---|
| Create | Create new records of this type |
Edit Permissions
| Permission | What It Allows |
|---|---|
| Edit All | Edit any record of this type |
| Edit Own | Edit only records created by the logged-in user |
| Edit Team | Edit records created by members of teams you manage |
Delete Permissions
| Permission | What It Allows |
|---|---|
| Delete Any | Delete any record of this type |
| Delete Own | Delete only records created by the logged-in user |
| Delete Team | Delete records created by members of teams you manage |
| Bulk Delete | Delete multiple records at once using the bulk action |
Resources That Have CRUD Permissions
CRUD permissions are generated for each of the following resources:
- Employees
- Leave Requests
- Leave Balances
- Leave Types
- Attendance
- Timesheets
- Payroll Runs
- Payroll Entries
- Payroll Components
- Payslips
- Salary Structures
The Own permission variant checks who created the record (the created_by field). For employees logged into the Employee Portal, "own" refers to records associated with their employee profile — not just records they personally created.
Action Permissions (Approve, Cancel, Finalize, etc.)
Beyond CRUD operations, the HRM module defines dedicated permissions for specific workflow actions. These must be explicitly granted — having edit access to a resource does not automatically grant the ability to perform its actions.
Leave Management Actions
| Permission | Actions It Enables | Required Record Status |
|---|---|---|
| Approve Leave Requests | Approve Leave, Reject Leave | Leave request must be in Pending status |
| Cancel Leave Requests | Cancel Leave | Leave request must be in Pending or Approved status |
The "Approve Leave Requests" permission covers both approving and rejecting. A user with this permission can do either action on pending leave requests.
Timesheet Actions
| Permission | Actions It Enables | Required Record Status |
|---|---|---|
| Submit Timesheets | Submit Timesheet | Timesheet must be in Draft status |
| Approve Timesheets | Approve Timesheet, Reject Timesheet | Timesheet must be in Submitted status |
Employees can also submit their own timesheets if they have the "Edit Own Timesheets" permission, even without the "Submit Timesheets" permission.
Payroll Actions
| Permission | Actions It Enables | Required Record Status |
|---|---|---|
| Process Payroll | Process Payroll, Mark as Completed | Payroll run must be in Draft status (Process) or Processing status (Mark as Completed) |
| Approve Payroll | Approve Payroll | Payroll run must be in Completed status |
| Generate Payslips | Generate Payslips | Payroll run must be in Completed or Approved status |
Payslip Actions
| Permission | Actions It Enables | Required Record Status |
|---|---|---|
| Finalize Payslips | Finalize Payslip | Payslip must be in Draft status |
| Send Payslips | Send Payslip | Payslip must be Finalized (not Draft) |
Export Permissions
Each resource also has a dedicated export permission:
| Permission | What It Allows |
|---|---|
| Export Employees | Export employee data |
| Export Leave Requests | Export leave request data |
| Export Leave Types | Export leave type data |
| Export Attendance | Export attendance records |
| Export Timesheets | Export timesheet data |
| Export Payroll Runs | Export payroll run data |
| Export Payroll Entries | Export payroll entry data |
| Export Payroll Components | Export payroll component data |
| Export Payslips | Export payslip data |
| Export Salary Structures | Export salary structure data |
Export permissions are separate from view permissions. A user may be able to view records on screen but not export them, depending on their role configuration.
Default Employee Role Permissions
The system includes a pre-configured Employee role designed for employees using the Employee Portal. This role provides self-service access while restricting administrative functions.
What Employees Can Do
| Area | Permissions |
|---|---|
| Employee Profile | View and edit their own employee record |
| Leave Requests | Create, view, and edit their own leave requests; cancel their own pending or approved requests |
| Leave Balances | View their own leave balances (read-only) |
| Timesheets | Create, view, and edit their own timesheets; submit draft timesheets for approval |
| Attendance | Create, view, and edit their own attendance records |
| Payslips | View their own payslips (read-only) |
| Salary Structures | View their own salary structures (read-only) |
What Employees Cannot Do
- View, edit, or delete other employees' records
- Approve or reject leave requests or timesheets
- Access payroll runs or payroll components
- Create or modify leave balances, payslips, or salary structures
- Export any data
- Access the administrative settings
Employee Portal Behavior
When an employee logs in through the Employee Portal, the interface automatically adjusts:
- The Employee field is hidden on forms — the system automatically associates records with the logged-in employee's profile.
- The Status field is hidden on timesheets — timesheets start as Draft and follow the normal approval workflow.
- Administrative fields like creator, approver, and internal notes are hidden.
- Navigation only shows resources the employee has permission to access.
The Employee role permissions can be customized through Settings > Permissions. The defaults described above are assigned when the role is first created and can be adjusted to fit your organization's needs.
Super Admin Bypass
Users designated as Super Admins bypass all permission checks entirely. The system grants them unrestricted access to every resource and every action, regardless of what permissions are assigned to their roles.
This means:
- Super admins can view, create, edit, and delete any record.
- Super admins can perform any action (approve, reject, process, finalize, etc.) on any record, as long as the record is in the correct status.
- Super admins see all action buttons, all fields, and all resources.
- Permission settings in Settings > Permissions do not affect super admin users.
Because super admins bypass all checks, be selective about who has this access. For most users, it is better to create a role with specific administrative permissions rather than granting super admin status.
Status Checks Still Apply
Even for super admins, record status requirements are still enforced. For example, a super admin still cannot approve a leave request that is already approved, or process a payroll run that has already been completed. These are business logic rules, not permission checks.
Setting Up Roles and Permissions
Creating a Custom Role
- Navigate to Settings > Permissions.
- Create a new role (e.g., "HR Manager", "Team Lead", "Payroll Officer").
- Assign the appropriate permissions from the available list.
Example Role Configurations
HR Manager — Full access to all HRM resources and actions:
- All CRUD permissions (View All, Edit All, Create, Delete Any) for all resources
- Approve Leave Requests, Cancel Leave Requests
- Submit Timesheets, Approve Timesheets
- Process Payroll, Approve Payroll, Generate Payslips
- Finalize Payslips, Send Payslips
- All export permissions
Team Lead — Manage their team's leave and timesheets:
- View Team / Edit Team permissions for Employees, Leave Requests, Timesheets, Attendance
- Approve Leave Requests
- Approve Timesheets
- View Own permissions for Leave Balances, Payslips, Salary Structures
Payroll Officer — Process payroll but cannot approve:
- View All / Edit All for Payroll Runs, Payroll Entries, Payroll Components, Salary Structures
- Process Payroll
- Generate Payslips, Finalize Payslips, Send Payslips
- Export Payroll Runs, Export Payroll Entries, Export Payslips
For a separation of duties in payroll, consider giving the "Process Payroll" permission to one role and the "Approve Payroll" permission to a different role. This ensures no single person can both process and approve payroll.