Workspace Gating

Not all workspaces are active for every company. Optserv uses workspace gating to ensure the right modules are accessible to the right companies.

Workspace availability

HR workspace

The HR workspace is always on. Every company gets access to people management, attendance, leave, overtime, and recruitment from day one.

Account Sharing workspace

Account Sharing is enabled per company by an Admin. When enabled:

• The /accounts route becomes accessible to all staff (Admin, HR, Manager, Employee)
• Per-item access lists control who can view each shared credential
• The workspace is hidden from the navigation when disabled

Only Admin can toggle Account Sharing on or off. The setting lives in company settings.

School (OptClass) workspace

School is gated by a user-level metadata claim (school_accessible). This claim is tied to the company, not the individual user — when School is activated for a company, all staff at that company receive the claim.

Activation requires contacting Optserv support. This is not self-serve.

When active:

• The /school route becomes accessible to all staff (Admin, HR, Manager, Employee)
• Students access a separate kiosk-style interface — they do not use the staff web app
• Students are actively blocked from the staff web application via metadata checks

Gating layers

Workspace gating uses defense in depth:

1. Navigation — workspace link is hidden if not enabled
2. Route guard — server-side check redirects non-eligible users on load
3. RLS — database queries return no rows if the workspace flag is false for the company
4. API / Edge Functions — write operations reject requests from companies without the workspace enabled

Disabling a workspace (e.g., turning off Account Sharing) does not delete data — it makes the workspace inaccessible until re-enabled.

For students

Students are a distinct user class and do not go through the staff workspace gating model. See OptClass Student Access for how student access works.