Roles & Permissions
The Roles module is accessible only to users with the Administrator role. HR users cannot view or modify roles.
The HRMS uses Role-Based Access Control (RBAC) — each user is assigned a role, and each role carries a set of permissions that determines what that user can see and do in the system.
Built-in Roles
The following roles exist in the system by default:
| Role | Scope | Key Capabilities |
|---|---|---|
| Administrator | Full system | Unrestricted access to everything, including role management. Protected — cannot be deleted or edited. |
| HR | Full system | Employee management, KPI cycles, probation reviews, notification settings. Cannot manage roles. |
| HOD | Department | KPI reviews and probation submissions for their department. Can view probation reviews. |
| Manager | Department | KPI reviewer for assigned evaluations, probation submitter for direct reports. |
| Employee | Own record only | View and update own profile, participate in KPI evaluations. |
Viewing Roles
Click Roles in the sidebar. The list shows all roles with a count of users currently assigned to each.
Click a role name to open its detail page, where you can see the full list of permissions assigned to that role.
Creating a Custom Role
If the built-in roles do not fit your needs, you can create custom roles with tailored permission sets.
- Click New Role.
- Enter a role name.
- Select the permissions to grant to this role from the permission matrix.
- Click Save.
The role is immediately available for assignment to employees.
Editing a Role
- Find the role in the list.
- Click Edit.
- Update the name or adjust the permissions.
- Click Save.
The Administrator role cannot be edited or deleted. Its permissions are fixed and always reflect full system access.
Assigning a Role to an Employee
Roles are assigned from the employee record, not from the Roles page.
- Open the employee's profile (Edit mode).
- Go to the Personal Details tab.
- Find the Role field.
- Select the desired role from the dropdown.
- Click Save & Next.
The change takes effect immediately on the employee's next page load.
Only Administrators can assign the Administrator role to another user. HR users can assign all other roles.
Permission Reference
The following permissions control access to the main features of the system:
| Permission | What It Controls |
|---|---|
| entities.view | View the Entities page |
| entities.manage | Create, edit, and delete entities |
| departments.view | View the Departments page |
| departments.manage | Create, edit, and delete departments |
| employees.view | View the employee list and profiles |
| employees.create | Create new employees |
| employees.update | Edit any employee's record |
| employees.update_own | Edit own employee profile (self-service) |
| kpi-template.view | View KPI templates |
| kpi-template.manage | Create, edit, delete, and import templates |
| kpi-cycle.view | View KPI cycles |
| kpi-cycle.manage | Create, edit, delete, and publish cycles |
| kpi-evaluation.view | View evaluations scoped to role |
| kpi-evaluation.review | Submit manager reviews |
| kpi-evaluation.hr-review | Submit HR reviews and force-close |
| rbac.manage | View and manage roles and permissions |
Tips
- Follow the principle of least privilege — assign each user only the permissions they genuinely need for their role.
- Audit role assignments periodically, especially when employees change departments or responsibilities.
- If you need a role that is "HR but without probation access" or "Manager with read-only employee access", create a custom role with the exact permission set required rather than assigning a built-in role that grants more than intended.
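An added example, not code from the HRMS itself: a Python sketch of the periodic audit and the least-privilege role choice described in the tips above. The export shape (role name mapped to a permission set and an assigned-user count) and every sample role are constructed assumptions; only the permission identifiers come from the Permission Reference table.

```python
# Permission identifiers copied from the Permission Reference table on this page.
KNOWN = {
    "entities.view", "entities.manage", "departments.view", "departments.manage",
    "employees.view", "employees.create", "employees.update", "employees.update_own",
    "kpi-template.view", "kpi-template.manage", "kpi-cycle.view", "kpi-cycle.manage",
    "kpi-evaluation.view", "kpi-evaluation.review", "kpi-evaluation.hr-review",
    "rbac.manage",
}

# Constructed sample export: role name -> (permission set, assigned user count).
# These sets are illustrative assumptions, not the product's real defaults.
SAMPLE_ROLES = {
    "Administrator": (set(KNOWN), 2),
    "HR": (KNOWN - {"rbac.manage"}, 3),
    "Employee": ({"employees.update_own", "kpi-evaluation.view"}, 120),
    "HR Assistant": ({"employees.view", "employees.create", "rbac.manage"}, 4),
    "Auditor": ({"employees.view", "kpi-cycle.veiw"}, 1),  # typo on purpose
    "Legacy Manager": ({"employees.view", "kpi-evaluation.review"}, 0),
}

def audit_roles(roles):
    """Return sorted (role, issue, detail) findings for a role export."""
    findings = []
    for name, (perms, users) in roles.items():
        if name != "Administrator" and "rbac.manage" in perms:
            # The page reserves role management for the Administrator role.
            findings.append((name, "role-management-outside-admin", "rbac.manage"))
        for p in sorted(perms - KNOWN):
            findings.append((name, "unknown-permission", p))
        if users == 0:
            findings.append((name, "unused-role", "0 users assigned"))
    return sorted(findings)

def least_privilege_fit(roles, required):
    """Rank roles that cover `required` by how many extra permissions they grant."""
    required = set(required)
    fits = [(len(perms - required), name, sorted(perms - required))
            for name, (perms, _) in roles.items() if required <= perms]
    return sorted(fits)

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES):
        print(finding)
    need = {"employees.view", "kpi-cycle.view"}
    for excess, name, _ in least_privilege_fit(SAMPLE_ROLES, need):
        print(f"{name}: {excess} permissions beyond what is needed")
```

A smallest excess well above zero, as with the 13 extra permissions in this sample, is the signal to create a custom role rather than assign an existing one.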