What Employees Can See & Do
The Employee Portal adjusts what data, fields, and actions are visible based on the user's role. This page details exactly what employees see on each page and what actions are available to them.
Timesheets
Employees can create, edit, and submit their own weekly timesheets.
Available Actions
| Action | Available | Condition |
|---|---|---|
| Log Time | Yes | Requires create timesheets permission |
| Submit Timesheet | Yes | Only for draft timesheets |
| Approve / Reject | No | Requires approve timesheets permission (admin only) |
| Edit | Yes | Only own draft timesheets |
| Delete | Yes | Only own records, with delete permission |
Workflow for Employees
- Create a timesheet for a week period.
- Log time entries against projects.
- Submit the timesheet for approval.
- Track the status (Submitted -> Approved or Rejected).
- If rejected, review the rejection reason, make changes, and resubmit.
Leave Requests
Employees can submit, track, and cancel their own leave requests.
Available Actions
| Action | Available | Condition |
|---|---|---|
| Cancel Leave | Yes | Only for own pending or approved requests |
| Approve / Reject | No | Requires approve leave requests permission |
| Edit | Yes | Only own pending requests |
| Delete | Yes | Only own records, with delete permission |
Validation
- Overlap detection: The system prevents submitting leave requests that overlap with existing approved or pending requests.
- Days validation: The number of days must match the date range (full days or half days).
Attendance
Employees can log their own daily attendance.
Available Actions
| Action | Available | Condition |
|---|---|---|
| Create Attendance | Yes | Requires create attendance permission |
| Edit | Yes | Only own records |
| Delete | Yes | Only own records, with delete permission |
Leave Balances
Employees can view their leave entitlements and usage. This is a read-only view for employees.
Available Actions
| Action | Available |
|---|---|
| Create | No — only administrators can allocate leave balances |
| Edit | No |
| Delete | No |
Payslips
Employees can view and download their own payslips.
Available Actions
| Action | Available | Condition |
|---|---|---|
| View Payslip | Yes | Opens payslip in browser |
| Download Payslip | Yes | Downloads payslip as PDF |
| Finalize / Send | No | Admin-only actions |
Data Scoping Summary
All data is automatically filtered, so employees see only their own records:
| Resource | Scoping Method |
|---|---|
| Leave Requests | Filtered by employee_id via global scope |
| Leave Balances | Filtered by employee_id via global scope |
| Attendance | Filtered by employee_id via global scope |
| Timesheets | Filtered by employee_id via global scope |
| Payslips | Filtered through payroll_entry.employee_id via global scope |
| Salary Structures | Filtered by employee_id via global scope |
| Payroll Entries | Filtered by employee_id via global scope |
Resources not filtered (visible to all):
- Leave Types — employees need to see all leave types when creating requests
- Employee — the model itself is not scoped (employee's own record is accessible via policy)
Configuring the Employee Role
The Employee role is the cornerstone of the portal experience. It determines which users get the portal interface, what data they can access, and which actions they can perform. The role is automatically created when the HRM module is activated, with a default set of permissions.
Default Permissions
When the module is enabled, the Employee role is created with the following permissions:
Employee Profile
| Permission | Description |
|---|---|
| view own employees | View their own employee record |
| edit own employees | Edit their own profile (name, phone, address, etc.) |
Leave Requests
| Permission | Description |
|---|---|
| view own leave-requests | View their own leave requests |
| create leave-requests | Submit new leave requests |
| edit own leave-requests | Edit own pending requests |
| cancel leave requests | Cancel own pending or approved requests |
Leave Balances
| Permission | Description |
|---|---|
| view own leave-balances | View their own leave entitlements and usage |
Timesheets
| Permission | Description |
|---|---|
| view own timesheets | View their own timesheets |
| create timesheets | Create new timesheets |
| edit own timesheets | Edit own draft timesheets |
| submit timesheets | Submit draft timesheets for approval |
Attendance
| Permission | Description |
|---|---|
| view own attendance | View their own attendance records |
| create attendance | Log daily attendance |
| edit own attendance | Edit own attendance entries |
Payslips
| Permission | Description |
|---|---|
| view own payslips | View and download their own payslips |
Salary Structures
| Permission | Description |
|---|---|
| view own employee-salary-structures | View their own salary breakdown |
Permissions NOT Granted to Employees
The following permissions are intentionally excluded from the Employee role:
| Category | Excluded Permissions |
|---|---|
| View All / Team | view all *, view team * — employees see only own data |
| Edit All / Team | edit all *, edit team * — employees edit only own records |
| Delete | All delete and bulk delete permissions |
| Create (restricted) | create employees, create leave-balances, create payslips, create payroll-*, create employee-salary-structures |
| Approve / Reject | approve leave requests, approve timesheets, approve payroll |
| Payroll Operations | process payroll, finalize payslips, send payslips, generate payslips |
| Export | All export permissions |
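To check a customized Employee role against this exclusion list, the following added example (not code from the HRM module) matches a list of granted permission names against the table's categories. It assumes the names have been exported from Roles & Permissions as plain strings, and that delete, bulk delete and export permissions are named with those words as prefixes.

```python
"""Flag Employee-role permissions that fall in the excluded categories."""
from fnmatch import fnmatchcase

# Patterns transcribed from the exclusion table. The "delete *", "bulk delete *"
# and "export *" prefixes are assumptions: the table only says "all".
EXCLUDED = {
    "View All / Team": ["view all *", "view team *"],
    "Edit All / Team": ["edit all *", "edit team *"],
    "Delete": ["delete *", "bulk delete *"],
    "Create (restricted)": [
        "create employees", "create leave-balances", "create payslips",
        "create payroll-*", "create employee-salary-structures",
    ],
    "Approve / Reject": ["approve leave requests", "approve timesheets",
                         "approve payroll"],
    "Payroll Operations": ["process payroll", "finalize payslips",
                           "send payslips", "generate payslips"],
    "Export": ["export *"],
}


def audit_role(granted):
    """Return {category: [permission, ...]} for each granted permission that
    matches an excluded pattern. An empty dict means no drift from defaults."""
    findings = {}
    # Normalise case and whitespace, and drop blanks and duplicates.
    for perm in sorted({p.strip().lower() for p in granted if p.strip()}):
        for category, patterns in EXCLUDED.items():
            if any(fnmatchcase(perm, pat) for pat in patterns):
                findings.setdefault(category, []).append(perm)
                break
    return findings


# Constructed sample: some documented defaults plus two customizations.
SAMPLE_ROLE = [
    "view own employees", "edit own employees",
    "view own leave-requests", "create leave-requests",
    "edit own leave-requests", "cancel leave requests",
    "view own timesheets", "create timesheets", "submit timesheets",
    "view own payslips",
    "delete own leave-requests",  # the customization this page uses as its example
    "view team timesheets",       # constructed: an accidental team-wide grant
]

if __name__ == "__main__":
    for category, perms in audit_role(SAMPLE_ROLE).items():
        print(f"{category}: {', '.join(perms)}")
```

A finding is not necessarily a mistake, since a grant such as delete own leave-requests can be deliberate; the output is a list of deviations to review.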
Customizing the Role
Adding Permissions
To grant additional permissions to employees, navigate to Settings > Roles & Permissions, find the Employee role, and toggle the desired permissions.
For example, to allow employees to delete their own leave requests:
- Go to Settings > Roles & Permissions.
- Edit the Employee role.
- Enable delete own leave-requests.
- Save.
Removing Permissions
Similarly, you can restrict employees further by removing permissions. For example, to prevent employees from editing their own attendance:
- Edit the Employee role.
- Disable edit own attendance.
- Save.
Changing the Role Name
The role name defaults to "Employee" but can be changed via configuration:
// modules/HRM/config/employee-portal.php
'employee_role_name' => env('EMPLOYEE_ROLE_NAME', 'Employee'),
Or via environment variable:
EMPLOYEE_ROLE_NAME=Staff
If you change the role name, the module activation (or re-running the seeder) will create a role with the new name. Existing users with the old role name will need to be reassigned manually.
Re-Syncing Permissions
If you need to reset the Employee role permissions to their defaults (e.g., after an update), you can re-run the seeder:
php artisan db:seed --class="Modules\HRM\Database\Seeders\EmployeeRoleSeeder"
This will recreate the role (if it doesn't exist) and sync it with the default permission set. Any custom permission modifications you've made will be overwritten.
Alternatively, disabling and re-enabling the HRM module from Settings > HRM Configuration > Activation will also re-sync the Employee role permissions.
How Permissions Interact with the Portal
The Employee Portal uses a layered access control system:
Layer 1: Menu Filtering
-- Hides sidebar items not in allowed_menu_items config
Layer 2: Route Protection
-- Frontend guard blocks navigation to unauthorized routes
Layer 3: Data Scoping
-- Global scope filters queries to employee's own records
Layer 4: Field Visibility
-- Resource fields hidden via isEmployeeUser() checks
Layer 5: Permissions & Policies
-- Spatie permissions control CRUD and action access
Layer 6: Super Admin Bypass
-- Gate::before returns true for super-admins, bypassing all layers
Together, these layers provide defense in depth. Even if an employee somehow bypasses the menu filtering, the data scoping ensures they can only see their own records, and the permission system prevents unauthorized actions.