Roles & Permissions (RBAC)
The HRMS uses Spatie Laravel Permission for role-based access control. The backend is the source of truth for all authorization decisions.
Roles
| Role | Description |
|---|---|
| Admin | Full system access. Can manage RBAC, entities, departments, and all employees. |
| HR | Full Module-1 access plus KPI template/cycle management and KPI workflow admin actions. |
| Manager | Read-only access to departments. Can view all employees. Reviews assigned KPI evaluations and probation reviews. |
| TeamLead | Read-only access to departments. Can view employees in their led departments. Reviews assigned evaluations. |
| Employee | Can view own employee record only. Submits own self-evaluations. |
Permission Matrix
| Permission | Admin | HR | Manager | TeamLead | Employee |
|---|---|---|---|---|---|
| entities.view | ✅ | ✅ | | | |
| entities.create | ✅ | ✅ | | | |
| entities.update | ✅ | ✅ | | | |
| entities.delete | ✅ | ✅ | | | |
| departments.view | ✅ | ✅ | ✅ | ✅ | |
| departments.create | ✅ | ✅ | | | |
| departments.update | ✅ | ✅ | | | |
| departments.assign_managers | ✅ | ✅ | | | |
| departments.assign_team_leads | ✅ | ✅ | | | |
| employees.view | ✅ | ✅ | ✅ | ✅ | ✅ |
| employees.view_all | ✅ | ✅ | ✅ | | |
| employees.create | ✅ | ✅ | | | |
| employees.update | ✅ | ✅ | | | |
| employees.deactivate | ✅ | ✅ | | | |
| rbac.manage | ✅ | | | | |
| kpi-template.view | ✅ | ✅ | | | |
| kpi-template.create | ✅ | ✅ | | | |
| kpi-template.update | ✅ | ✅ | | | |
| kpi-template.delete | ✅ | ✅ | | | |
| kpi-cycle.view | ✅ | ✅ | | | |
| kpi-cycle.create | ✅ | ✅ | | | |
| kpi-cycle.update | ✅ | ✅ | | | |
| kpi-cycle.delete | ✅ | ✅ | | | |
| kpi-cycle.publish | ✅ | ✅ | | | |
| kpi-evaluation.view | ✅ | ✅ | ✅ | ✅ | ✅ |
| kpi-evaluation.update | ✅ | ✅ | ✅ | | |
| kpi-evaluation.review | ✅ | ✅ | ✅ | ✅ | |
| kpi-evaluation.assign-reviewer | ✅ | ✅ | | | |
| kpi-evaluation.force-close | ✅ | ✅ | | | |
How RBAC Is Enforced
Backend (Source of Truth)
- Policies — Each controller action checks authorization via Laravel Policies using `$user->can('permission.name')`.
- FormRequest `authorize()` — Mutation requests include permission checks in the request class.
- Team-scoped access — Managers see employees in their managed departments; TeamLeads see employees in their led departments.
Frontend (UI-Level)
- `GET /api/me` returns the user's roles and permissions array.
- The `AuthProvider` context exposes `can()` and `hasRole()` helpers.
- Sidebar menu items are conditionally shown or hidden based on permissions.
- Action buttons (create, edit, delete) are hidden when the user lacks the required permission.
Note: The frontend permission checks are for UI convenience only. All actual authorization is enforced by the backend. Removing a button from the UI does not bypass the server-side check.
Employee Visibility Rules
| Role | What They See |
|---|---|
| Admin / HR | All employees across all entities |
| Manager | All employees (read-only) |
| TeamLead | Employees in departments where they are a team lead, plus their own record |
| Employee | Their own record only |
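The backend enforcement described above and the Employee Visibility Rules table, carried into one Laravel Policy as an added example (not the HRMS project's own code). It assumes a `User` model with an `employee` relation and a `ledDepartments()` relation and an `Employee` model with a `department_id` column; the permission and role names are the ones from the matrix above.

```php
<?php
// Added example, not the HRMS project's own code. Assumed model shape:
// User has an `employee` HasOne relation and a `ledDepartments()`
// BelongsToMany relation; Employee has a `department_id` column.

namespace App\Policies;

use App\Models\Employee;
use App\Models\User;

class EmployeePolicy
{
    // Listing requires the base permission; the query that builds the list
    // must still apply the same scoping as view() below.
    public function viewAny(User $user): bool
    {
        return $user->can('employees.view');
    }

    // Deny by default: every allowed case returns an explicit true.
    public function view(User $user, Employee $employee): bool
    {
        // Without the base permission nothing else applies.
        if (! $user->can('employees.view')) {
            return false;
        }

        // Admin, HR and Manager hold employees.view_all: every record.
        if ($user->can('employees.view_all')) {
            return true;
        }

        // Every remaining role may read its own record.
        if ($user->employee !== null && $user->employee->is($employee)) {
            return true;
        }

        // TeamLead: records in departments they lead. Scoping is checked
        // against the relation, so a TeamLead leading no department falls
        // through to the deny below.
        if ($user->hasRole('TeamLead')) {
            return $user->ledDepartments()
                ->whereKey($employee->department_id)
                ->exists();
        }

        return false;
    }
}
```

Laravel discovers `App\Policies\EmployeePolicy` for `App\Models\Employee` by naming convention, so a controller action enforces it with `$this->authorize('view', $employee)` before returning the record.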
KPI Evaluation Visibility
| Role | Scope |
|---|---|
| Admin / HR | All evaluations across all cycles |
| Manager | Evaluations assigned to them as reviewer (within their managed departments) |
| TeamLead | Evaluations assigned to them as reviewer (within their led departments) |
| Employee | Only their own evaluations |