Roles & Permissions
Roles and permissions control who can see what and who can do what within Udyamo HRMS. A well-designed role structure protects sensitive data such as salary information, limits accidental changes, and ensures that approval workflows function correctly. This chapter covers default roles, custom role creation, permission categories, and best practices for access control.
What You Will Learn
- How the role and permission system works in Udyamo HRMS
- What default roles are available and what each can do
- How to create custom roles with specific permissions
- How to assign roles to employees
- How to design a permission matrix for your organization
- Best practices for role management and the principle of least privilege
Prerequisites
Required: You must be logged in with an Administrator role to create, edit, or assign roles.
Required: Complete Chapter 6: Departments & Designations and Chapter 7: Offices & Locations before configuring roles. Understanding your organizational structure helps you design appropriate access levels.
How Roles and Permissions Work
Udyamo HRMS uses a Role-Based Access Control (RBAC) model. Here is how the components relate:
| Component | Description |
|---|---|
| Permission | A specific action on a specific module (e.g., "View Employee", "Create Leave Request", "Approve Payrun") |
| Role | A named collection of permissions (e.g., "HR Manager" includes permissions to view employees, manage leave, run payroll) |
| Employee Role (Assignment) | The link between an employee and a role, granting that employee all permissions in the role |
An employee can be assigned one or more roles. The effective permissions are the union of all permissions from all assigned roles.

Navigating to Roles
- Log in to Udyamo HRMS.
- Click Settings in the navigation sidebar.
- Click Roles.
The Roles page displays a list of all roles in your organization, both default and custom.

Default Roles
Udyamo HRMS ships with four default roles that cover the most common organizational structures. These roles are pre-configured with sensible permissions.
Admin
The Admin role provides unrestricted access to all features and settings.
| Permission Area | Access Level |
|---|---|
| Organization Settings | Full (create, read, update, delete) |
| Employee Management | Full |
| Attendance | Full |
| Leave Management | Full |
| Payroll | Full |
| Loans / Advances / Reimbursements | Full |
| Reports | Full |
| Roles & Permissions | Full |
| Feature Toggles | Full |
Warning: The Admin role should be assigned sparingly. Only organization owners and senior IT/HR personnel should have Admin access. Every additional admin increases the risk of accidental misconfiguration.
HR
The HR role provides broad access to employee management and HR operations, but excludes system configuration that belongs to administrators.
| Permission Area | Access Level |
|---|---|
| Organization Settings | Read only |
| Employee Management | Full (create, read, update) |
| Attendance | Full (manage for all employees) |
| Leave Management | Full (manage for all employees) |
| Payroll | Full (process payroll, view payslips) |
| Loans / Advances / Reimbursements | Full (manage for all employees) |
| Reports | Full (generate and view all reports) |
| Roles & Permissions | Read only |
| Feature Toggles | No access |
Manager
The Manager role provides access to team-level data. Managers can view and approve requests from their direct reports but cannot access data from other teams.
| Permission Area | Access Level |
|---|---|
| Organization Settings | No access |
| Employee Management | Read (own team only) |
| Attendance | Read (own team); Approve attendance corrections |
| Leave Management | Read (own team); Approve/reject leave requests |
| Payroll | No access (or read own payslip only) |
| Loans / Advances / Reimbursements | Approve requests from team members |
| Reports | Team-level reports only |
| Roles & Permissions | No access |
Employee
The Employee role is the default self-service role with access only to the user's own data.
| Permission Area | Access Level |
|---|---|
| Own Profile | Read and update (limited fields) |
| Attendance | Check in/out, view own records |
| Leave | Apply for leave, view own balances |
| Payroll | View own payslips |
| Loans / Advances | Submit requests |
| Reimbursements | Submit claims, view own claims |
| Reports | No access |
| Settings | No access |
Permission Categories
Permissions in Udyamo HRMS are organized by module. Within each module, permissions are broken down by action type.
Module-Based Permission Categories
| Category | Description | Examples |
|---|---|---|
| Employees | Managing employee records | View employee, Create employee, Update employee, Delete employee |
| Attendance | Attendance tracking and management | View attendance, Mark attendance, Approve corrections, Export attendance |
| Leave | Leave request management | View leave, Apply for leave, Approve leave, Configure leave policies |
| Payroll | Salary and payrun management | View payslips, Run payroll, Approve payrun, Configure salary components |
| Loans | Loan management | View loans, Create loan, Approve loan, Process repayments |
| Advances | Salary advance management | View advances, Request advance, Approve advance |
| Reimbursements | Expense claim management | View claims, Submit claims, Approve claims |
| Reports | Report generation and viewing | View reports, Export reports |
| Settings | System configuration | View settings, Modify settings |
| Announcements | Company announcements | View announcements, Create announcements |
Action-Based Permissions
Within each module, the following action types are available:
| Action | Description | Typical Roles |
|---|---|---|
| View | Read access to data | All roles |
| Create | Ability to add new records | Admin, HR |
| Update | Ability to modify existing records | Admin, HR |
| Delete | Ability to remove records | Admin only (in most cases) |
| Approve | Ability to approve pending requests | Admin, HR, Manager |
| Export | Ability to download data as CSV/PDF | Admin, HR |
| Configure | Ability to change settings and policies | Admin |
Creating a Custom Role
When the default roles do not match your organization's needs, create custom roles.
Step-by-Step: Create a Custom Role
- Navigate to Settings > Roles.
- Click the Add Role button.
- Enter a Role Name (e.g., "Finance Manager", "Shift Supervisor", "Department Head").
- In the permissions section, you will see a matrix of modules and actions.
- Check or uncheck each permission as needed.
- Click Save or Create.

Role Name Guidelines
| Practice | Good Example | Avoid |
|---|---|---|
| Descriptive name | "Finance Manager" | "Role 1" |
| Reflects function | "Shift Supervisor" | "Level 3 User" |
| Concise | "Payroll Admin" | "Person Who Processes Payroll" |
Example Custom Roles
Here are common custom roles that organizations create.
Finance Manager
Access to payroll and financial reports, but not employee personal data.
| Module | Permissions |
|---|---|
| Employees | View (limited to name, department, salary details) |
| Payroll | View, Run payroll, Approve payrun, Export |
| Statutory Compliance | View, Configure |
| Reports | View financial reports, Export |
| Everything else | No access |
Shift Supervisor
Manages attendance for a team but has no access to leave, payroll, or employee management.
| Module | Permissions |
|---|---|
| Attendance | View (own team), Mark attendance, Approve corrections |
| Employees | View (own team, limited fields) |
| Everything else | No access |
Department Head
Extended manager permissions with access to department-level reports.
| Module | Permissions |
|---|---|
| Employees | View (own department) |
| Attendance | View (own department), Approve corrections |
| Leave | View (own department), Approve/reject |
| Reports | Department-level reports |
| Announcements | Create department announcements |
| Everything else | No access |
Recruiter
Access to add new employees and send invitations, but no access to payroll or attendance.
| Module | Permissions |
|---|---|
| Employees | View, Create |
| Everything else | No access |
Editing a Role
- Navigate to Settings > Roles.
- Find the role you want to edit in the list.
- Click the Edit button (pencil icon).
- Modify the role name or adjust permissions.
- Click Save or Update.
Warning: Editing a role's permissions affects all employees currently assigned to that role. The changes take effect immediately. Review the employee list for the role before making changes.
Note: Default roles (Admin, HR, Manager, Employee) may have restrictions on editing. Some core permissions on default roles cannot be removed to ensure system stability.
Deleting a Role
- Navigate to Settings > Roles.
- Find the role you want to delete.
- Click the Delete button (trash icon).
- Confirm the deletion.
Warning: You cannot delete a role that has employees assigned to it. Reassign those employees to a different role first.
Warning: Default roles cannot be deleted. Only custom roles can be removed.
Assigning Roles to Employees
Roles are assigned to employees through the employee profile. This creates an EmployeeRole record linking the employee to the role.
Assigning a Role During Employee Creation
- Navigate to Employees > Add Employee.
- In the employee form, locate the Role field.
- Select the appropriate role from the dropdown.
- Complete the rest of the form and click Save.
Changing an Employee's Role
- Navigate to Employees and find the employee.
- Click on the employee's name to open their profile.
- Click Edit on the role or access section.
- Change the Role dropdown selection.
- Click Save or Update.
Assigning Multiple Roles
An employee can hold multiple roles simultaneously. The effective permissions are the combination (union) of all assigned roles.
| Employee | Roles | Effective Access |
|---|---|---|
| Priya Sharma | HR + Payroll Admin | All HR permissions + all payroll permissions |
| Rahul Verma | Manager + Shift Supervisor | Team management + attendance management |
| Anita Desai | Employee | Self-service only |
Tip: Use multiple roles when an employee's responsibilities span two distinct areas. This is cleaner than creating a new combined role for every unique combination.
Warning: Be careful when assigning multiple roles. Permissions are additive — there is no way to explicitly deny a permission through a second role. If one role grants "View all employee salaries" and another grants limited access, the broader permission takes effect.
Permission Matrix
The following tables show a typical permission matrix for the default roles. Use them as a starting point and adjust for your organization.
Employee Management Permissions
| Permission | Admin | HR | Manager | Employee |
|---|---|---|---|---|
| View all employees | Yes | Yes | Team only | Own only |
| Create employee | Yes | Yes | No | No |
| Update employee | Yes | Yes | No | Own profile (limited) |
| Delete employee | Yes | No | No | No |
| Send invitation | Yes | Yes | No | No |
| View salary details | Yes | Yes | No | Own only |
Attendance Permissions
| Permission | Admin | HR | Manager | Employee |
|---|---|---|---|---|
| View all attendance | Yes | Yes | Team only | Own only |
| Mark attendance (for others) | Yes | Yes | No | No |
| Mark own attendance | Yes | Yes | Yes | Yes |
| Approve corrections | Yes | Yes | Team only | No |
| Export attendance | Yes | Yes | No | No |
| Configure shifts | Yes | Yes | No | No |
Leave Permissions
| Permission | Admin | HR | Manager | Employee |
|---|---|---|---|---|
| View all leave requests | Yes | Yes | Team only | Own only |
| Apply for leave | Yes | Yes | Yes | Yes |
| Approve/reject leave | Yes | Yes | Team only | No |
| Configure leave policies | Yes | No | No | No |
| View all leave balances | Yes | Yes | Team only | Own only |
Payroll Permissions
| Permission | Admin | HR | Manager | Employee |
|---|---|---|---|---|
| View all payslips | Yes | Yes | No | Own only |
| Run payroll | Yes | Yes | No | No |
| Approve payrun | Yes | No | No | No |
| Configure salary components | Yes | No | No | No |
| Export payroll data | Yes | Yes | No | No |
Settings Permissions
| Permission | Admin | HR | Manager | Employee |
|---|---|---|---|---|
| View settings | Yes | Yes (limited) | No | No |
| Modify settings | Yes | No | No | No |
| Manage roles | Yes | No | No | No |
| Manage feature toggles | Yes | No | No | No |

Designing Roles for Your Organization
The Principle of Least Privilege
Grant each role only the permissions it needs to perform its function. No more, no less.
| Principle | Explanation |
|---|---|
| Start minimal | Begin with the Employee role and add permissions as needed |
| Function-specific | Each role should map to a specific job function |
| Review regularly | Audit role assignments quarterly to remove unnecessary access |
| Separate duties | Ensure no single role can both create and approve sensitive transactions |
Separation of Duties Examples
| Sensitive Operation | Should Be Separated Between |
|---|---|
| Creating employees + Approving payroll | HR role (creates employees) + Admin/Finance (approves payroll) |
| Submitting reimbursement + Approving reimbursement | Employee (submits) + Manager (approves) |
| Running payroll + Disbursing funds | Payroll Admin (runs payroll) + Finance (processes bank transfer) |
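The additive rule from "Assigning Multiple Roles" and the separation-of-duties table above interact: two roles that are each acceptable on their own can combine into a conflict. The following is an added example, not Udyamo HRMS code. Permission names come from this chapter's tables; the dictionary layout and the abridged permission sets are assumptions.

```python
# Added example. Permission names come from this chapter's tables; the dict
# layout and the abridged permission sets are assumptions, not Udyamo HRMS data.
ROLES = {
    "HR": {"View employee", "Create employee", "Update employee", "Run payroll"},
    "Finance Manager": {"View employee", "Run payroll", "Approve payrun", "Export reports"},
    "Manager": {"View employee", "Approve leave", "Approve claims"},
    "Shift Supervisor": {"View employee", "View attendance", "Approve corrections"},
    "Employee": {"Apply for leave", "Submit claims", "View payslips"},
}

# Permission pairs one person should not hold together, taken from the
# "Separation of Duties Examples" table.
SOD_PAIRS = [
    ("Create employee", "Approve payrun"),
    ("Submit claims", "Approve claims"),
]


def effective_permissions(role_names):
    """Union of the permissions of every assigned role (additive, no deny)."""
    perms = set()
    for name in role_names:
        perms |= ROLES[name]  # KeyError on an unknown role is intentional
    return perms


def sod_conflicts(role_names):
    """SoD pairs fully contained in the effective permission set."""
    perms = effective_permissions(role_names)
    return [pair for pair in SOD_PAIRS if set(pair) <= perms]


def conflicts_from_combination(role_names):
    """Conflicts that appear only in the union, not in any single role."""
    alone = {pair for name in role_names for pair in sod_conflicts([name])}
    return [pair for pair in sod_conflicts(role_names) if pair not in alone]


if __name__ == "__main__":
    for roles in (["HR"], ["Finance Manager"], ["HR", "Finance Manager"],
                  ["Manager", "Shift Supervisor"], ["Manager", "Employee"]):
        print(roles, "->", conflicts_from_combination(roles))
```

A Manager who also holds the Employee role is flagged for the reimbursement pair. Whether that is acceptable depends on whether approval is limited to other people's claims, which a role-level check like this cannot see.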
Role Design Process
- List all job functions in your organization that interact with HRMS.
- Map each function to required permissions (what does this person need to see and do?).
- Check if a default role matches. If yes, use the default role.
- Create custom roles for functions that do not match any default role.
- Assign roles to employees based on their job function, not their seniority.
- Test each role by logging in as an employee with that role and verifying access.
Auditing Role Assignments
Periodically review who has which roles to ensure the access structure remains correct.
When to Audit
| Trigger | Action |
|---|---|
| Employee promotion or transfer | Review and update their role |
| Employee departure | Remove all roles (done automatically if the employee is offboarded) |
| New module enabled | Review which roles need access to the new module |
| Organizational restructuring | Review all role assignments against new structure |
| Quarterly schedule | Routine audit of all admin and HR role holders |
Audit Checklist
| Check | Action If Issue Found |
|---|---|
| Number of Admin users | Reduce to minimum necessary |
| Inactive users with active roles | Deactivate or remove roles |
| Roles with unused permissions | Tighten permissions |
| Employees with multiple roles | Verify each role is still needed |
| Custom roles not assigned to anyone | Consider deleting unused roles |
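Most of the audit checklist can be run mechanically once role assignments are available as data. The following is an added example, not Udyamo HRMS code. The record fields, the sample employees, and the `max_admins` threshold are constructed assumptions, not an Udyamo HRMS export format. The "unused permissions" check is left out because it needs usage logs.

```python
DEFAULT_ROLES = {"Admin", "HR", "Manager", "Employee"}

# Constructed sample data; field names are assumptions, not a product export.
ALL_ROLES = DEFAULT_ROLES | {"Finance Manager", "Shift Supervisor", "Recruiter"}
ASSIGNMENTS = [
    {"employee": "E001", "active": True,  "roles": ["Admin"]},
    {"employee": "E002", "active": True,  "roles": ["Admin", "HR"]},
    {"employee": "E003", "active": False, "roles": ["HR"]},
    {"employee": "E004", "active": True,  "roles": ["Manager", "Shift Supervisor"]},
    {"employee": "E005", "active": True,  "roles": ["Employee"]},
    {"employee": "E006", "active": False, "roles": []},
]


def audit(assignments, all_roles, max_admins=1):
    """Return one finding per checklist row that can be checked from assignments."""
    admins = sorted(a["employee"] for a in assignments if "Admin" in a["roles"])
    assigned = {role for a in assignments for role in a["roles"]}
    return {
        # Number of Admin users: list the holders and compare to local policy.
        "admin_holders": admins,
        "too_many_admins": len(admins) > max_admins,
        # Inactive users with active roles.
        "inactive_with_roles": sorted(
            a["employee"] for a in assignments if not a["active"] and a["roles"]
        ),
        # Employees with multiple roles: each one needs a manual "still needed?" review.
        "multiple_roles": sorted(
            a["employee"] for a in assignments if len(a["roles"]) > 1
        ),
        # Custom roles not assigned to anyone: candidates for deletion.
        "unassigned_custom_roles": sorted(all_roles - DEFAULT_ROLES - assigned),
    }


if __name__ == "__main__":
    for check, result in audit(ASSIGNMENTS, ALL_ROLES).items():
        print(f"{check}: {result}")
```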
Troubleshooting Permission Issues
| Problem | Possible Cause | Solution |
|---|---|---|
| Employee cannot see a module | Module feature toggle is off, or role lacks permission | Check feature toggle in Settings > Organization; check role permissions |
| Employee cannot approve leave | Role does not include "Approve leave" permission | Edit the role and add the approval permission |
| Manager sees all employees, not just their team | Role grants organization-wide view instead of team view | Check the role's scope settings; use the Manager default role which limits to team |
| HR cannot run payroll | HR role may not include payroll permissions by default | Edit the HR role to add payroll permissions, or create a combined HR+Payroll role |
| New employee has no access | Role not assigned during employee creation | Edit the employee profile and assign the appropriate role |
Tips & Best Practices
Tip: Start with the default roles and customize only when necessary. The four default roles cover the needs of most small and medium organizations.
Tip: Name custom roles after job functions, not people. "Payroll Manager" is better than "Priya's Role" because the role persists even if the person changes.
Warning: Avoid creating an excessive number of custom roles. Each additional role increases administrative complexity. If you find yourself creating more than 8-10 roles, consider whether some can be consolidated.
Tip: Test custom roles before assigning them to employees in production. Log in as a user with the new role (or use a test account) and verify that the permissions work as expected.
Warning: Never grant Admin access as a quick fix for a permission issue. Instead, identify the specific permission the user needs and add it to their role.
Tip: Document your role structure — which roles exist, what each is for, and who holds each role. Store this documentation outside of Udyamo HRMS (e.g., in a shared internal document) so it is accessible even if HRMS access is disrupted.
Tip: When an employee changes departments or positions, review their role assignment. A developer promoted to engineering manager may need the Manager role in addition to (or instead of) the Employee role.
Quick Reference
| Action | Navigation Path | Permission |
|---|---|---|
| View all roles | Settings > Roles | Admin |
| Create custom role | Settings > Roles > Add Role | Admin |
| Edit role permissions | Settings > Roles > Edit (pencil icon) | Admin |
| Delete custom role | Settings > Roles > Delete (trash icon) | Admin |
| Assign role to employee | Employees > [Employee] > Edit > Role | Admin |
| View own role/permissions | Profile > My Profile | All users |
| Audit role assignments | Settings > Roles > View employees per role | Admin |