Roles & Permissions
Roles & Permissions
Every user in BookYourPTO has exactly one role that determines what they can see and do. Two additional mechanisms refine access: the isApprover flag and department scoping. This page explains all three so admins can assign access correctly and users understand what they're allowed to do.
The four roles
| Role | In one line |
|---|---|
| Employee | Manages their own leave, time, and expenses. |
| Department Head | An employee who can also approve and manage their own department. |
| Administrator | Manages the whole organization except executive-exclusive actions. |
| Executive | Everything an admin can, plus audit/sign-in logs, security/branding, and org deletion. |
Employee
- Create and manage their own leave, time entries, and expenses.
- View their own data and edit personal settings (password, two-factor, profile).
- Cannot cancel their own approved leave — they must submit a cancellation request for an approver to action.
Department Head
Everything an employee can, scoped to their own department, plus:
- View users.
- Approve / reject / cancel leave, expenses, and time for users in their department.
- Create leave for themselves and same-department users.
- Author employee notes and see the Performance tab.
A department head cannot:
- Approve their own requests.
- Edit compensation (admin/executive only).
- Create administrators or executives.
- Publish schedules or override pay-period lockdown.
Administrator
- Manage users, departments, leave types, org settings, reporting structure, group bookings, and locked dates.
- Approve / cancel any leave (not just one department).
- Manage billing.
- Everything except the executive-exclusive actions below.
Executive
Everything an administrator can do, plus the exclusive abilities to:
- View and export audit logs and sign-in logs (see Audit & Monitoring).
- Manage branding and security settings.
- Delete the entire organization (see Account Deletion & Privacy).
The isApprover flag
isApprover is a per-user flag, independent of role. It grants approve / reject / queue access — even to a plain Employee — without changing their role.
isApprover on instead of promoting them.Department scoping
A Department Head's reach is bounded to users who share their department. They can only view and act on people in the same department — the server enforces this on every department-scoped action.
Capability matrix
| Capability | Employee | Dept Head | Admin | Executive |
|---|---|---|---|---|
| Manage own leave/time/expenses | Yes | Yes | Yes | Yes |
| Cancel own approved leave | No (request it) | No (request it) | Yes | Yes |
| Approve in own department | If isApprover | Yes | Yes | Yes |
| Approve any department | If isApprover* | No | Yes | Yes |
| View users | No | Yes | Yes | Yes |
| Edit compensation | No | No | Yes | Yes |
| Create admins/execs | No | No | Yes | Yes |
| Publish schedules | No | No | Yes | Yes |
| Manage billing | No | No | Yes | Yes |
| Manage org settings | No | No | Yes | Yes |
| View/export audit & sign-in logs | No | No | No | Yes |
| Branding & security settings | No | No | No | Yes |
| Delete the organization | No | No | No | Yes |
* isApprover grants approval access according to how the approver is assigned; department heads remain bound by department scoping.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| "Request cancellation" instead of a Cancel button on approved leave | Employees/dept heads can't cancel their own approved leave. | Submit a cancellation request for an approver to action. |
| A dept head can't see a user | The user is in a different department. | Department scoping limits heads to their own department; an admin must act, or move the user. |
| Settings → Security returns 403 | Audit/sign-in logs are Executive-only. | Ask an executive, or have your role reviewed. |
| Can't edit a salary field | Compensation is admin/executive only. | An administrator or executive must make the change. |
| An employee needs to approve requests | They're an employee without approval rights. | Set their isApprover flag instead of promoting them. |