Permissions and role

The HRM module uses a granular permission system to control who can view, create, edit, delete, and perform specific actions on each type of record. Permissions are assigned to roles, and each user is assigned one or more roles. This lets you tailor access precisely — for example, allowing an HR manager to approve leave and process payroll, while limiting employees to viewing their own records and submitting requests.

How Permissions Work

Permissions in the HRM module are organized into two categories:

1. CRUD Permissions — Control basic operations (create, view, edit, delete) on each resource type (Employees, Leave Requests, Timesheets, etc.).

2. Action Permissions — Control specific workflow actions like approving leave, processing payroll, or finalizing payslips.

Permissions are assigned to roles through the Settings > Permissions page. Each role gets a combination of permissions that define what users in that role can do.

Permission Checks on Actions

Many workflow actions in the HRM module require two conditions to be met:

1. The user must have the correct permission (e.g., "Approve Leave Requests").

2. The record must be in the correct status (e.g., the leave request must be in Pending status).

If either condition is not met, the action button will not appear. For example, even if you have the "Approve Leave Requests" permission, the Approve button will not show on a leave request that has already been approved.

CRUD Permissions (Create, View, Edit, Delete)

Each HRM resource automatically receives a set of CRUD permissions. These follow a consistent pattern across all resources.

View Permissions

Permission	What It Allows
View All	View every record of this type, regardless of who created it
View Own	View only records created by the logged-in user
View Team	View records created by members of teams you manage

Create Permissions

Permission	What It Allows
Create	Create new records of this type

Edit Permissions

Permission	What It Allows
Edit All	Edit any record of this type
Edit Own	Edit only records created by the logged-in user
Edit Team	Edit records created by members of teams you manage

Delete Permissions

Permission	What It Allows
Delete Any	Delete any record of this type
Delete Own	Delete only records created by the logged-in user
Delete Team	Delete records created by members of teams you manage
Bulk Delete	Delete multiple records at once using the bulk action

Resources That Have CRUD Permissions

CRUD permissions are generated for each of the following resources:

• Employees

• Leave Requests

• Leave Balances

• Leave Types

• Attendance

• Timesheets

• Payroll Runs

• Payroll Entries

• Payroll Components

• Payslips

• Salary Structures

The Own permission variant checks who created the record (the created_by field). For employees logged into the Employee Portal, "own" refers to records associated with their employee profile — not just records they personally created.

Action Permissions (Approve, Cancel, Finalize, etc.)

Beyond CRUD operations, the HRM module defines dedicated permissions for specific workflow actions. These must be explicitly granted — having edit access to a resource does not automatically grant the ability to perform its actions.

Leave Management Actions

Permission	Actions It Enables	Required Record Status
Approve Leave Requests	Approve Leave, Reject Leave	Leave request must be in Pending status
Cancel Leave Requests	Cancel Leave	Leave request must be in Pending or Approved status

The "Approve Leave Requests" permission covers both approving and rejecting. A user with this permission can do either action on pending leave requests.

Timesheet Actions

Permission	Actions It Enables	Required Record Status
Submit Timesheets	Submit Timesheet	Timesheet must be in Draft status
Approve Timesheets	Approve Timesheet, Reject Timesheet	Timesheet must be in Submitted status

Employees can also submit their own timesheets if they have the "Edit Own Timesheets" permission, even without the "Submit Timesheets" permission.

Payroll Actions

Permission	Actions It Enables	Required Record Status
Process Payroll	Process Payroll, Mark as Completed	Payroll run must be in Draft status (Process) or Processing status (Mark as Completed)
Approve Payroll	Approve Payroll	Payroll run must be in Completed status
Generate Payslips	Generate Payslips	Payroll run must be in Completed or Approved status

Payslip Actions

Permission	Actions It Enables	Required Record Status
Finalize Payslips	Finalize Payslip	Payslip must be in Draft status
Send Payslips	Send Payslip	Payslip must be Finalized (not Draft)

Export Permissions

Each resource also has a dedicated export permission:

Permission	What It Allows
Export Employees	Export employee data
Export Leave Requests	Export leave request data
Export Leave Types	Export leave type data
Export Attendance	Export attendance records
Export Timesheets	Export timesheet data
Export Payroll Runs	Export payroll run data
Export Payroll Entries	Export payroll entry data
Export Payroll Components	Export payroll component data
Export Payslips	Export payslip data
Export Salary Structures	Export salary structure data

Export permissions are separate from view permissions. A user may be able to view records on screen but not export them, depending on their role configuration.

Default Employee Role Permissions

The system includes a pre-configured Employee role designed for employees using the Employee Portal. This role provides self-service access while restricting administrative functions.

What Employees Can Do

Area	Permissions
Employee Profile	View and edit their own employee record
Leave Requests	Create, view, and edit their own leave requests; cancel their own pending or approved requests
Leave Balances	View their own leave balances (read-only)
Timesheets	Create, view, and edit their own timesheets; submit draft timesheets for approval
Attendance	Create, view, and edit their own attendance records
Payslips	View their own payslips (read-only)
Salary Structures	View their own salary structures (read-only)

What Employees Cannot Do

• View, edit, or delete other employees' records

• Approve or reject leave requests or timesheets

• Access payroll runs or payroll components

• Create or modify leave balances, payslips, or salary structures

• Export any data

• Access the administrative settings

Employee Portal Behavior

When an employee logs in through the Employee Portal, the interface automatically adjusts:

• The Employee field is hidden on forms — the system automatically associates records with the logged-in employee's profile.

• The Status field is hidden on timesheets — timesheets start as Draft and follow the normal approval workflow.

• Administrative fields like creator, approver, and internal notes are hidden.

• Navigation only shows resources the employee has permission to access.

The Employee role permissions can be customized through Settings > Permissions. The defaults described above are assigned when the role is first created and can be adjusted to fit your organization's needs.

Super Admin Bypass

Users designated as Super Admins bypass all permission checks entirely. The system grants them unrestricted access to every resource and every action, regardless of what permissions are assigned to their roles.

This means:

• Super admins can view, create, edit, and delete any record.

• Super admins can perform any action (approve, reject, process, finalize, etc.) on any record, as long as the record is in the correct status.

• Super admins see all action buttons, all fields, and all resources.

• Permission settings in Settings > Permissions do not affect super admin users.

Because super admins bypass all checks, be selective about who has this access. For most users, it is better to create a role with specific administrative permissions rather than granting super admin status.

Status Checks Still Apply

Even for super admins, record status requirements are still enforced. For example, a super admin still cannot approve a leave request that is already approved, or process a payroll run that has already been completed. These are business logic rules, not permission checks.

Setting Up Roles and Permissions

Creating a Custom Role

1. Navigate to Settings > Permissions.

2. Create a new role (e.g., "HR Manager", "Team Lead", "Payroll Officer").

3. Assign the appropriate permissions from the available list.

Example Role Configurations

HR Manager — Full access to all HRM resources and actions:

• All CRUD permissions (View All, Edit All, Create, Delete Any) for all resources

• Approve Leave Requests, Cancel Leave Requests

• Submit Timesheets, Approve Timesheets

• Process Payroll, Approve Payroll, Generate Payslips

• Finalize Payslips, Send Payslips

• All export permissions

Team Lead — Manage their team's leave and timesheets:

• View Team / Edit Team permissions for Employees, Leave Requests, Timesheets, Attendance

• Approve Leave Requests

• Approve Timesheets

• View Own permissions for Leave Balances, Payslips, Salary Structures

Payroll Officer — Process payroll but cannot approve:

• View All / Edit All for Payroll Runs, Payroll Entries, Payroll Components, Salary Structures

• Process Payroll

• Generate Payslips, Finalize Payslips, Send Payslips

• Export Payroll Runs, Export Payroll Entries, Export Payslips

For a separation of duties in payroll, consider giving the "Process Payroll" permission to one role and the "Approve Payroll" permission to a different role. This ensures no single person can both process and approve payroll.