Staff RBAC
Full permission matrix for Optserv's four staff roles (Admin, HR, Manager, and Employee) across all modules.
This page documents the full role-based access model for staff. For workspace enablement (Account Sharing, School), see Workspace Gating.
Role definitions
Admin — Company owner-level access. Can configure the company, manage billing, invite people, and access all workspaces.
HR — Manages people operations across the entire company. Can view and act on all employee records, attendance, leave, and overtime. Cannot access billing.
Manager — Department-scoped access. Can view and approve requests for people in their department only. Cannot see other departments.
Employee — Self-service only. Can view and manage their own records, submit requests, and see their own status across modules.
HR Workspace
| Action | Admin | HR | Manager | Employee |
|---|---|---|---|---|
| View all employees | ✅ | ✅ | Dept only | Self only |
| Invite/remove employees | ✅ | ✅ | ❌ | ❌ |
| Assign roles | ✅ | ✅ | ❌ | ❌ |
| Manage departments | ✅ | ✅ | ❌ | ❌ |
| View all attendance | ✅ | ✅ | Dept only | Self only |
| Approve attendance corrections | ✅ | ✅ | Dept only | ❌ |
| View all leave requests | ✅ | ✅ | Dept only | Self only |
| Approve leave | ✅ | ✅ | Dept only | ❌ |
| View all overtime | ✅ | ✅ | Dept only | Self only |
| Approve overtime | ✅ | ✅ | Dept only | ❌ |
| Create job postings | ✅ | ✅ | ❌ | ❌ |
| View all applications | ✅ | ✅ | ❌ | ❌ |
Account Sharing Workspace
Account Sharing access is per-item (each shared credential has its own access list), layered on top of the staff role.
| Action | Admin | HR | Manager | Employee |
|---|---|---|---|---|
| Create shared items | ✅ | ✅ | ✅ | ✅ |
| View items shared with them | ✅ | ✅ | ✅ | ✅ |
| Manage item access lists | Owner or Admin | Owner or Admin | Owner | Owner |
| View all company items | ✅ | ✅ | ❌ | ❌ |
| Revoke access on offboarding | ✅ | ✅ | ❌ | ❌ |
Note: a "Manager" or "Employee" can own a shared credential and grant/revoke access for that specific item only.
School (OptClass) Workspace
The School workspace is staff-accessible. All four staff roles can access it (if the workspace is enabled). Students access the system separately and are not staff.
| Action | Admin | HR | Manager | Employee |
|---|---|---|---|---|
| Manage students | ✅ | ✅ | ✅ | ✅ |
| Manage teachers | ✅ | ✅ | ✅ | ✅ |
| Create/edit schedules | ✅ | ✅ | ✅ | ✅ |
| Record attendance | ✅ | ✅ | ✅ | ✅ |
| View session balances | ✅ | ✅ | ✅ | ✅ |
Company settings
| Action | Admin | HR | Manager | Employee |
|---|---|---|---|---|
| Edit company profile | ✅ | ❌ | ❌ | ❌ |
| Manage billing | ✅ | ❌ | ❌ | ❌ |
| Enable/disable workspaces | ✅ | ❌ | ❌ | ❌ |
| View audit logs | ✅ | ✅ | ❌ | ❌ |
Security note
Role enforcement is not just UI-level. Every data query is scoped by RLS policies at the database layer, and every write operation goes through role-checked Edge Functions. A Manager who removes themselves from a department in the UI cannot suddenly query all-company data.
See Tenant Isolation & RLS for technical details.
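One way a role-checked Edge Function could apply the HR Workspace matrix on the server, shown as an added example rather than Optserv's own code. The `Staff` shape, the action names and `canAct` are hypothetical, and the actor and target rows are assumed to be loaded from the database rather than taken from the request. It covers the case from the security note: a Manager with no department matches nobody.

```typescript
// Added example: Staff, HR_MATRIX, the action names and canAct are hypothetical.
type Role = "admin" | "hr" | "manager" | "employee";
type Scope = "all" | "dept" | "self" | "none";

interface Staff {
  id: string;
  role: Role;
  departmentId: string | null; // null = not assigned to any department
}

// Scopes transcribed from the HR Workspace table (a subset of its rows).
const HR_MATRIX: Record<string, Record<Role, Scope>> = {
  "attendance.view":  { admin: "all", hr: "all", manager: "dept", employee: "self" },
  "leave.view":       { admin: "all", hr: "all", manager: "dept", employee: "self" },
  "leave.approve":    { admin: "all", hr: "all", manager: "dept", employee: "none" },
  "overtime.approve": { admin: "all", hr: "all", manager: "dept", employee: "none" },
  "roles.assign":     { admin: "all", hr: "all", manager: "none", employee: "none" },
};

// Assumption: actor and target are rows loaded server-side by the function,
// never role or department values supplied in the request body.
function canAct(actor: Staff, action: string, target: Staff): boolean {
  const row = HR_MATRIX[action];
  if (!row) return false; // unknown action: default deny
  switch (row[actor.role]) {
    case "all":
      return true;
    case "dept":
      // A Manager with no department matches nobody. Without the null check,
      // null === null would expose every unassigned employee.
      return actor.departmentId !== null &&
             actor.departmentId === target.departmentId;
    case "self":
      return actor.id === target.id;
    default:
      return false; // "none"
  }
}

// Constructed sample data.
const sampleManager: Staff = { id: "m1", role: "manager", departmentId: null };
const sampleEmployee: Staff = { id: "e1", role: "employee", departmentId: null };
const managerWithoutDeptSeesUnassigned =
  canAct(sampleManager, "attendance.view", sampleEmployee); // false
```

The database-layer RLS policies the page describes still apply underneath a check like this; the function-level check is a second gate, not a replacement.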