Roles & Access Overview

How Optserv controls access: four staff roles (Admin, HR, Manager, Employee), workspace gating, and the separate student model.

Optserv uses role-based access control (RBAC) to determine what each person can see and do. There are four staff roles, each with progressively narrower scope.

The four staff roles

Role	Who it's for	Scope
Admin	Founders, ops leads	Full company access — settings, billing, all workspaces, all data
HR	HR managers	Company-wide people operations — no billing access
Manager	Team leads	Department-scoped — approvals and visibility for their team only
Employee	Everyone else	Self-service — their own data, requests, and personal info

Students (OptClass) are not a staff role. They operate in a separate model — see OptClass Student Access.

How roles are enforced

Access control is applied at multiple layers — this is defense in depth, not just UI gating:

UI gating — navigation items and features are hidden based on role
Route checks — server-side validation on every page load
Row-Level Security (RLS) — database queries are automatically scoped to what the user is allowed to see
Edge Functions / RPC — write operations enforce role checks at the API layer

Roles are not just cosmetic. A Manager cannot query HR-level data even by manipulating the URL or API calls directly.

Access by module

Module	Admin	HR	Manager	Employee
Company settings	✅ Full	❌	❌	❌
People (view all)	✅	✅	Team only	Self only
Attendance (view all)	✅	✅	Team only	Self only
Leave (approve)	✅	✅	Team only	❌
Overtime (approve)	✅	✅	Team only	❌
Recruitment	✅	✅	❌	❌
Account Sharing	✅	✅	By share	By share
School (staff view)	✅	✅	✅	✅
Billing	✅	❌	❌	❌

Key pages in this section

Staff RBAC — full permission table per module
Workspace Gating — how Account Sharing and School get enabled
Recruitment Access — why hiring data is Admin/HR only
OptClass Student Access — how students are separated from staff

Next →OptClass Student Access