What Employees Can See & Do

The Employee Portal adjusts what data, fields, and actions are visible based on the user's role. This page details exactly what employees see on each page and what actions are available to them.


Timesheets

Employees can create, edit, and submit their own weekly timesheets.

Available Actions

| Action | Available | Condition |
| --- | --- | --- |
| Log Time | Yes | Requires create timesheets permission |
| Submit Timesheet | Yes | Only for draft timesheets |
| Approve / Reject | No | Requires approve timesheets permission (admin only) |
| Edit | Yes | Only own draft timesheets |
| Delete | Yes | Only own records, with delete permission |

Workflow for Employees

  1. Create a timesheet for a week period.

  2. Log time entries against projects.

  3. Submit the timesheet for approval.

  4. Track the status (Submitted → Approved or Rejected).

  5. If rejected, review the rejection reason, make changes, and resubmit.


Leave Requests

Employees can submit, track, and cancel their own leave requests.

Available Actions

| Action | Available | Condition |
| --- | --- | --- |
| Cancel Leave | Yes | Only for own pending or approved requests |
| Approve / Reject | No | Requires approve leave requests permission |
| Edit | Yes | Only own pending requests |
| Delete | Yes | Only own records, with delete permission |

Validation

  • Overlap detection: The system prevents submitting leave requests that overlap with existing approved or pending requests.

  • Days validation: The number of days must match the date range (full days or half days).


Attendance

Employees can log their own daily attendance.

Available Actions

| Action | Available | Condition |
| --- | --- | --- |
| Create Attendance | Yes | Requires create attendance permission |
| Edit | Yes | Only own records |
| Delete | Yes | Only own records, with delete permission |


Leave Balances

Employees can view their leave entitlements and usage. This is a read-only view for employees.

Available Actions

| Action | Available |
| --- | --- |
| Create | No; only administrators can allocate leave balances |
| Edit | No |
| Delete | No |


Payslips

Employees can view and download their own payslips.

Available Actions

| Action | Available | Condition |
| --- | --- | --- |
| View Payslip | Yes | Opens payslip in browser |
| Download Payslip | Yes | Downloads payslip as PDF |
| Finalize / Send | No | Admin-only actions |


Data Scoping Summary

All data is automatically filtered, so employees see only their own records:

| Resource | Scoping Method |
| --- | --- |
| Leave Requests | Filtered by employee_id via global scope |
| Leave Balances | Filtered by employee_id via global scope |
| Attendance | Filtered by employee_id via global scope |
| Timesheets | Filtered by employee_id via global scope |
| Payslips | Filtered through payroll_entry.employee_id via global scope |
| Salary Structures | Filtered by employee_id via global scope |
| Payroll Entries | Filtered by employee_id via global scope |

Resources not filtered (visible to all):

  • Leave Types: employees need to see all leave types when creating requests

  • Employee: the model itself is not scoped (employee's own record is accessible via policy)


Configuring the Employee Role

The Employee role is the cornerstone of the portal experience. It determines which users get the portal interface, what data they can access, and which actions they can perform. The role is automatically created when the HRM module is activated, with a default set of permissions.


Default Permissions

When the module is enabled, the Employee role is created with the following permissions:

Employee Profile

| Permission | Description |
| --- | --- |
| view own employees | View their own employee record |
| edit own employees | Edit their own profile (name, phone, address, etc.) |

Leave Requests

| Permission | Description |
| --- | --- |
| view own leave-requests | View their own leave requests |
| create leave-requests | Submit new leave requests |
| edit own leave-requests | Edit own pending requests |
| cancel leave requests | Cancel own pending or approved requests |

Leave Balances

| Permission | Description |
| --- | --- |
| view own leave-balances | View their own leave entitlements and usage |

Timesheets

| Permission | Description |
| --- | --- |
| view own timesheets | View their own timesheets |
| create timesheets | Create new timesheets |
| edit own timesheets | Edit own draft timesheets |
| submit timesheets | Submit draft timesheets for approval |

Attendance

| Permission | Description |
| --- | --- |
| view own attendance | View their own attendance records |
| create attendance | Log daily attendance |
| edit own attendance | Edit own attendance entries |

Payslips

| Permission | Description |
| --- | --- |
| view own payslips | View and download their own payslips |

Salary Structures

| Permission | Description |
| --- | --- |
| view own employee-salary-structures | View their own salary breakdown |


Permissions NOT Granted to Employees

The following permissions are intentionally excluded from the Employee role:

| Category | Excluded Permissions |
| --- | --- |
| View All / Team | view all *, view team * (employees see only own data) |
| Edit All / Team | edit all *, edit team * (employees edit only own records) |
| Delete | All delete and bulk delete permissions |
| Create (restricted) | create employees, create leave-balances, create payslips, create payroll-*, create employee-salary-structures |
| Approve / Reject | approve leave requests, approve timesheets, approve payroll |
| Payroll Operations | process payroll, finalize payslips, send payslips, generate payslips |
| Export | All export permissions |


Customizing the Role

Adding Permissions

To grant additional permissions to employees, navigate to Settings > Roles & Permissions, find the Employee role, and toggle the desired permissions.

For example, to allow employees to delete their own leave requests:

  1. Go to Settings > Roles & Permissions.

  2. Edit the Employee role.

  3. Enable delete own leave-requests.

  4. Save.

Removing Permissions

Similarly, you can restrict employees further by removing permissions. For example, to prevent employees from editing their own attendance:

  1. Edit the Employee role.

  2. Disable edit own attendance.

  3. Save.


Changing the Role Name

The role name defaults to "Employee" but can be changed via configuration:

Or via environment variable:

EMPLOYEE_ROLE_NAME=Staff

Important: If you change the role name, the module activation (or re-running the seeder) will create a role with the new name. Existing users with the old role name will need to be reassigned manually.


Re-Syncing Permissions

If you need to reset the Employee role permissions to their defaults (e.g., after an update), you can re-run the seeder:

This will recreate the role (if it doesn't exist) and sync it with the default permission set. Any custom permission modifications you've made will be overwritten.

Alternatively, disabling and re-enabling the HRM module from Settings > HRM Configuration > Activation will also re-sync the Employee role permissions.


How Permissions Interact with the Portal

The Employee Portal uses a layered access control system:

  • Layer 1, Menu Filtering: hides sidebar items not in allowed_menu_items config

  • Layer 2, Route Protection: frontend guard blocks navigation to unauthorized routes

  • Layer 3, Data Scoping: global scope filters queries to employee's own records

  • Layer 4, Field Visibility: resource fields hidden via isEmployeeUser() checks

  • Layer 5, Permissions & Policies: Spatie permissions control CRUD and action access

  • Layer 6, Super Admin Bypass: Gate::before returns true for super-admins, bypassing all layers

Layers 1 through 5 provide defense in depth: even if an employee somehow bypasses the menu filtering, the data scoping ensures they can only see their own records, and the permission system prevents unauthorized actions. Layer 6 is the exception, since super-admins bypass every layer.
