Roles & Permissions

The role-based access control (RBAC) system determines what users can see and do within Open Core Business Suite. This guide covers default roles, permission management, and creating custom roles.

Understanding RBAC

Key Concepts

Term       | Description
-----------|-----------------------------------------------------------
Role       | A named collection of permissions (e.g., Admin, Manager)
Permission | A specific action or access right (e.g., view_employees)
User       | An individual account with one or more roles assigned
Scope      | The extent of access (own, department, all)

How It Works

  1. Permissions define atomic actions
  2. Roles bundle related permissions together
  3. Users are assigned roles
  4. System checks role permissions for every action

Default Roles

Open Core Business Suite includes these pre-configured roles:

Super Admin

Full system access with no restrictions:

  • All permissions enabled
  • Cannot be deleted or disabled
  • System configuration access
  • User and role management
  • Module activation control

Super Admin Access

Limit Super Admin accounts. This role has unrestricted access to all system functions and data.

Admin

Administrative access with most capabilities:

  • Manage all employees
  • Configure departments, shifts, holidays
  • Approve requests
  • Access all reports
  • Limited system configuration
  • Cannot manage other admins

HR Manager

Human resources management focus:

  • Full employee management
  • Recruitment and onboarding
  • Leave management (all employees)
  • Attendance configuration
  • HR reports and analytics
  • Cannot access payroll processing

Finance Manager

Financial operations access:

  • Payroll processing
  • Expense management
  • Payment processing
  • Financial reports
  • Cannot manage employee records
  • Read-only access to employee data

Department Manager

Team-focused management access:

  • View own department employees
  • Approve team leave requests
  • View team attendance
  • Assign tasks to team members
  • Access department reports
  • Cannot modify employee records

Team Lead

Limited supervisory access:

  • View direct reports only
  • Approve leave for direct reports
  • View team attendance
  • Task assignment to team
  • Basic reporting access

Employee

Self-service access only:

  • View own profile
  • Apply for leave
  • View own attendance
  • Submit expense claims
  • View own payslips
  • Update personal information

Permission System

Permission Structure

Permissions follow a naming convention:

module_action_scope

Examples:

  • employees_view_all - View all employees
  • employees_edit_own - Edit own profile
  • leave_approve_department - Approve department leave
  • reports_view_hr - View HR reports
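The naming convention above is what an access check has to work with in practice, so the following added example (written for this guide, not code from Open Core Business Suite) parses a permission name into its module, action and scope, and decides whether a permission a user holds covers a permission a feature requires. The scope ranking own < department < all follows the scope table later in this guide; names whose last token is not one of those keywords are treated as unscoped (employees_create, leave_apply), and multi-word modules such as leave_types keep their underscore. A name like reports_view_hr, which carries a report category in the last slot, does not fit this simple rule and would need a module-specific case, which this example deliberately leaves out.

```python
# Added example (not from Open Core Business Suite): parsing the
# module_action_scope naming convention and checking whether a granted
# permission covers a required one.

from typing import NamedTuple, Optional

# Scope keywords from the guide's scope table, ranked least to most permissive.
SCOPE_RANK = {"own": 0, "department": 1, "all": 2}


class Permission(NamedTuple):
    module: str
    action: str
    scope: Optional[str]  # None for unscoped permissions such as employees_create


def parse_permission(name: str) -> Permission:
    """Split a permission name into (module, action, scope).

    The last token is the scope when it is a known scope keyword; otherwise
    the permission is unscoped and the last token is the action. Whatever
    remains in front is the module (so leave_types_manage keeps "leave_types").
    """
    tokens = name.split("_")
    if len(tokens) < 2:
        raise ValueError(f"malformed permission name: {name!r}")
    scope = None
    if tokens[-1] in SCOPE_RANK:
        scope = tokens.pop()
    if len(tokens) < 2:
        raise ValueError(f"malformed permission name: {name!r}")
    action = tokens.pop()
    return Permission("_".join(tokens), action, scope)


def covers(granted: str, required: str) -> bool:
    """True if holding `granted` satisfies a check for `required`.

    Module and action must match, and the granted scope must be at least as
    wide as the required one (the wider grant covers the narrower check).
    Unscoped permissions must match exactly; a scoped grant never satisfies
    an unscoped requirement or vice versa.
    """
    g, r = parse_permission(granted), parse_permission(required)
    if (g.module, g.action) != (r.module, r.action):
        return False
    if g.scope is None or r.scope is None:
        return g.scope == r.scope
    return SCOPE_RANK[g.scope] >= SCOPE_RANK[r.scope]


def is_allowed(user_permissions, required: str) -> bool:
    """Check a required permission against everything the user holds."""
    return any(covers(p, required) for p in user_permissions)


def unknown_permissions(role_permissions, catalogue):
    """Names in a role definition that are not in the permission catalogue.

    A typo in a permission name silently grants nothing, which is the first
    thing to rule out when a permission "is not working"."""
    return sorted(set(role_permissions) - set(catalogue))
```

The `unknown_permissions` check is worth running whenever a custom role is saved: a misspelled name is indistinguishable from a missing grant at runtime, and the catalogue to compare against is the set of names listed in the permission tables of this guide.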

Permission Categories

Employee Permissions

Permission                | Description
--------------------------|--------------------------------
employees_view_all        | View all employee records
employees_view_department | View department employees only
employees_view_own        | View own profile
employees_create          | Create new employees
employees_edit            | Edit employee records
employees_delete          | Delete/terminate employees
employees_export          | Export employee data

Attendance Permissions

Permission                 | Description
---------------------------|--------------------------------
attendance_view_all        | View all attendance
attendance_view_department | View department attendance
attendance_view_own        | View own attendance
attendance_mark            | Mark attendance for others
attendance_edit            | Edit attendance records
attendance_settings        | Configure attendance settings

Leave Permissions

Permission               | Description
-------------------------|------------------------------
leave_view_all           | View all leave requests
leave_view_department    | View department requests
leave_view_own           | View own requests
leave_apply              | Submit leave requests
leave_approve_all        | Approve any request
leave_approve_department | Approve department requests
leave_types_manage       | Manage leave types

Payroll Permissions

Permission       | Description
-----------------|----------------------------
payroll_view_all | View all payroll data
payroll_view_own | View own payslips
payroll_process  | Run payroll processing
payroll_settings | Configure payroll settings
salary_view      | View salary information
salary_edit      | Edit salary details

System Permissions

Permission      | Description
----------------|-------------------------
settings_manage | Access system settings
roles_manage    | Create and edit roles
users_manage    | Manage user accounts
modules_manage  | Enable/disable modules
audit_view      | View audit logs
backup_manage   | Manage system backups

Creating Custom Roles

When to Create Custom Roles

  • Existing roles don't match your structure
  • Need specific permission combinations
  • Different access levels required
  • Compliance requirements

Add a New Role

  1. Navigate to Settings > Roles
  2. Click Add New Role
  3. Enter role details
  4. Select permissions
  5. Save the role

Role Configuration

Field       | Description                         | Required
------------|-------------------------------------|---------
Role Name   | Display name for the role           | Yes
Role Slug   | System identifier (auto-generated)  | Yes
Description | Purpose of the role                 | No
Status      | Active or Inactive                  | Yes

Assigning Permissions

Method 1: Category Selection

Select entire permission categories:

  1. Expand a category (e.g., "Employees")
  2. Check "Select All" for full category access
  3. Or select individual permissions

Method 2: Individual Selection

Pick specific permissions:

  1. Expand each category
  2. Select only needed permissions
  3. Review the total selection
  4. Save

Example: Project Manager Role

Role Name: Project Manager
Description: Manages projects and project teams

Permissions:
Employees:
✓ View all employees
✗ Create employees
✗ Edit employees

Projects:
✓ View all projects
✓ Create projects
✓ Edit own projects
✓ Delete own projects

Tasks:
✓ View all tasks
✓ Create tasks
✓ Assign tasks
✓ Edit tasks

Reports:
✓ View project reports

Assigning Roles to Users

During User Creation

  1. Create a new user account
  2. In the Role field, select the appropriate role
  3. Save the user

Changing User Roles

  1. Navigate to Users or the user's profile
  2. Click Edit
  3. Change the Role selection
  4. Save changes

Role Changes

Role changes take effect immediately. The user may need to refresh their browser to see updated permissions.

Multiple Roles

If your system supports multiple roles per user:

  1. Edit the user
  2. Add multiple roles
  3. User receives combined permissions
  4. Most permissive access applies

Permission Scope

Scope Levels

Scope          | Access
---------------|---------------------------
Own            | Only their own records
Direct Reports | Their direct subordinates
Department     | All in their department
All            | Organization-wide access

Scope Examples

Manager viewing attendance:

  • attendance_view_own: Only their attendance
  • attendance_view_department: All department members
  • attendance_view_all: Everyone in organization

Reporting Hierarchy

For "Direct Reports" scope:

  • Based on the reporting manager field
  • Includes all levels of subordinates
  • Automatically updates when org chart changes
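Scope only means something once it is resolved against a concrete target record, so this added example (written for this guide, not code from Open Core Business Suite) shows the record-level check behind the Scope Examples and Reporting Hierarchy sections: given an actor, a target employee and the actor's granted permissions, it decides whether the target falls inside the widest scope the actor holds. The org chart, employee ids and departments are constructed sample data; `direct_reports` is an assumed permission-name form of the "Direct Reports" scope, and, following the Reporting Hierarchy section, it is resolved through every level of the reporting manager field rather than one level down.

```python
# Added example (not from Open Core Business Suite): resolving a scoped
# permission against a target employee using the org chart. Employee ids,
# departments and the reporting structure below are constructed sample data.

from collections import deque

# Each employee record: department and reporting manager (None at the top).
ORG = {
    "e1": {"department": "HR",      "manager": None},
    "e2": {"department": "HR",      "manager": "e1"},
    "e3": {"department": "HR",      "manager": "e2"},
    "e4": {"department": "Finance", "manager": "e1"},
    "e5": {"department": "Finance", "manager": "e4"},
}

# Ranked least to most permissive. "direct_reports" is an assumed
# permission-name form of the guide's "Direct Reports" scope.
SCOPES = ("own", "direct_reports", "department", "all")


def subordinates(org, manager_id):
    """All levels of subordinates of manager_id, walking the reporting
    manager field. The seen-set guards against cycles in bad org data."""
    found, queue, seen = set(), deque([manager_id]), {manager_id}
    while queue:
        current = queue.popleft()
        for emp, rec in org.items():
            if rec["manager"] == current and emp not in seen:
                seen.add(emp)
                found.add(emp)
                queue.append(emp)
    return found


def in_scope(org, actor, target, scope):
    """Does `target` fall inside `actor`'s `scope`?"""
    if scope == "all":
        return True
    if scope == "own":
        return actor == target
    if scope == "direct_reports":
        return target in subordinates(org, actor)
    if scope == "department":
        return org[actor]["department"] == org[target]["department"]
    raise ValueError(f"unknown scope {scope!r}")


def can_access(org, actor, target, granted, module, action):
    """Try every scope the actor holds for module/action; any match grants
    access, so the widest scope held is what effectively applies."""
    prefix = f"{module}_{action}_"
    held = [p[len(prefix):] for p in granted if p.startswith(prefix)]
    held = [s for s in held if s in SCOPES]   # ignore unrelated suffixes
    return any(in_scope(org, actor, target, s) for s in held)
```

Because `subordinates` is recomputed from the reporting manager field on every call, a change to the org chart is reflected in the next check with no cached role data to invalidate, which is the behaviour the Reporting Hierarchy section describes.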

Role Inheritance

Understanding Inheritance

Some systems support role hierarchy:

Super Admin
└── Admin
    └── HR Manager
        └── Employee

Child roles inherit parent permissions plus their own specific permissions.

Override Behavior

  • Additive: Child roles add permissions
  • Restrictive: Child roles can have fewer permissions
  • Explicit Deny: Specific permission denial
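The Multiple Roles section (combined permissions, most permissive access applies) and the Role Inheritance section (child roles inherit parent permissions plus their own, with explicit deny as an override) describe one computation: a user's effective permission set. This added example (written for this guide, not code from Open Core Business Suite) performs that computation. The role definitions are constructed sample data in which Employee is the base role that HR Manager and Finance Manager extend, and the `deny` field is an assumed representation of the guide's Explicit Deny; deny is applied after all grants are collected, so stacking a second role cannot reopen a permission the first role closes.

```python
# Added example (not from Open Core Business Suite): computing a user's
# effective permissions from role inheritance, multiple assigned roles and
# explicit deny. Role definitions are constructed sample data; "deny" is an
# assumed representation of Explicit Deny.

ROLES = {
    "employee": {
        "parent": None,
        "grant": {"employees_view_own", "leave_apply", "payroll_view_own"},
        "deny": set(),
    },
    "hr_manager": {
        "parent": "employee",
        "grant": {"employees_view_all", "employees_edit", "leave_approve_all"},
        "deny": {"payroll_process"},      # HR Manager cannot run payroll
    },
    "finance_manager": {
        "parent": "employee",
        "grant": {"payroll_view_all", "payroll_process", "employees_view_all"},
        "deny": {"employees_edit"},       # read-only access to employee data
    },
}


def role_chain(roles, name):
    """The role and its ancestors, nearest first. A cycle in the parent
    links is a configuration error, not something to loop on."""
    chain, seen = [], set()
    while name is not None:
        if name in seen:
            raise ValueError(f"cycle in role hierarchy at {name!r}")
        seen.add(name)
        chain.append(name)
        name = roles[name]["parent"]
    return chain


def effective_permissions(roles, assigned):
    """Union of grants across every assigned role and its ancestors
    (additive inheritance, most permissive access), minus anything any of
    those roles explicitly denies (deny wins over grant)."""
    granted, denied = set(), set()
    for role in assigned:
        for name in role_chain(roles, role):
            granted |= roles[name]["grant"]
            denied |= roles[name]["deny"]
    return granted - denied


def role_conflicts(roles, assigned):
    """Permissions granted by one assigned role but denied by another.

    This is the "conflicting roles" case from the troubleshooting section:
    the user appears to hold the permission, yet the check fails."""
    granted, denied = set(), set()
    for role in assigned:
        for name in role_chain(roles, role):
            granted |= roles[name]["grant"]
            denied |= roles[name]["deny"]
    return granted & denied
```

Assigning both HR Manager and Finance Manager to one user is exactly the separation-of-duties combination the Security Considerations section warns against, and `role_conflicts` makes the result visible: the union of the two roles is smaller than either alone, because each role's deny removes a permission the other grants.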

Best Practices

Role Design

  • Create roles based on job functions, not individuals
  • Keep the number of roles manageable (5-10 typically)
  • Use descriptive names
  • Document role purposes

Permission Assignment

  • Start with least privilege
  • Add permissions as needed
  • Review permissions periodically
  • Audit access regularly

Security Considerations

  • Limit Super Admin accounts (1-2 maximum)
  • Separate duties (e.g., payroll vs. HR)
  • Regular permission audits
  • Remove unused roles

Maintenance

  • Review roles quarterly
  • Update when job functions change
  • Remove terminated user access promptly
  • Document changes

Troubleshooting Access Issues

User Cannot Access Feature

  1. Check user's assigned role
  2. Verify role has required permission
  3. Check if module is enabled
  4. Clear browser cache
  5. Have user log out and back in

Permission Not Working

  1. Verify permission name is correct
  2. Check scope (own vs. all)
  3. Ensure permission is saved
  4. Check for conflicting roles

Audit Trail

Review access attempts:

  1. Navigate to Audit Logs
  2. Filter by user
  3. Look for "Permission denied" entries
  4. Identify missing permissions
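The audit trail procedure above (filter by user, look for "Permission denied" entries, identify the missing permissions) is easy to script once the log is exported, and this added example (written for this guide, not code from Open Core Business Suite) does so over a few constructed log lines. The line layout here, with user, action and result fields, is an assumption for the example; the real audit log format may differ and the regular expression would need adjusting to match it.

```python
# Added example (not from Open Core Business Suite): reviewing audit log
# entries for "Permission denied" events to find which permissions a user
# is missing. The line format and the lines themselves are constructed.

import re
from collections import Counter

# Constructed sample log: timestamp, user, attempted permission, result, resource.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=jdoe action=attendance_view_department result=ok resource=/attendance?dept=HR
2024-03-04T09:12:45Z user=jdoe action=payroll_view_all result=Permission denied resource=/payroll
2024-03-04T09:13:02Z user=asmith action=employees_edit result=Permission denied resource=/employees/42
2024-03-04T09:14:10Z user=jdoe action=payroll_view_all result=Permission denied resource=/payroll
2024-03-04T09:15:30Z user=jdoe action=employees_export result=Permission denied resource=/employees/export
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<perm>\S+) "
    r"result=(?P<result>ok|Permission denied) resource=(?P<res>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts. Lines that do not match the expected
    layout are skipped and counted, so a format change is noticed."""
    entries, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            skipped += 1
    return entries, skipped


def denied_for_user(entries, user):
    """Step 2 and 3 of the procedure: filter by user, keep denials."""
    return [e for e in entries
            if e["user"] == user and e["result"] == "Permission denied"]


def missing_permissions(entries, user):
    """Step 4: the permissions the user was denied, with attempt counts."""
    return Counter(e["perm"] for e in denied_for_user(entries, user))


def repeated_denials(entries, threshold=3):
    """Users with at least `threshold` denials. A mismatched role and an
    account trying doors it should not look identical here, so these are
    worth a look before any permission is added."""
    counts = Counter(e["user"] for e in entries
                     if e["result"] == "Permission denied")
    return {u: n for u, n in counts.items() if n >= threshold}
```

Before granting a permission that shows up in `missing_permissions`, compare it against the user's role: if the denied permission is outside the role's job function (payroll_view_all for a department manager, for instance), the right fix is usually not to add it.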

Next: Learn about Settings to configure global application options.