Security & Privacy

Roles & Permissions

The four BookYourPTO roles — Employee, Department Head, Administrator, Executive — what each can do, the isApprover flag, and department scoping.

Roles & Permissions

Every user in BookYourPTO has exactly one role that determines what they can see and do. Two additional mechanisms refine access: the isApprover flag and department scoping. This page explains all three so admins can assign access correctly and users understand what they're allowed to do.

The server is authoritative. Every permission shown in the UI is re-checked and enforced on the backend. Hiding a button is a convenience, not a security boundary — the API rejects an action the caller isn't entitled to.

The four roles

RoleIn one line
EmployeeManages their own leave, time, and expenses.
Department HeadAn employee who can also approve and manage their own department.
AdministratorManages the whole organization except executive-exclusive actions.
ExecutiveEverything an admin can, plus audit/sign-in logs, security/branding, and org deletion.

Employee

  • Create and manage their own leave, time entries, and expenses.
  • View their own data and edit personal settings (password, two-factor, profile).
  • Cannot cancel their own approved leave — they must submit a cancellation request for an approver to action.

Department Head

Everything an employee can, scoped to their own department, plus:

  • View users.
  • Approve / reject / cancel leave, expenses, and time for users in their department.
  • Create leave for themselves and same-department users.
  • Author employee notes and see the Performance tab.

A department head cannot:

  • Approve their own requests.
  • Edit compensation (admin/executive only).
  • Create administrators or executives.
  • Publish schedules or override pay-period lockdown.

Administrator

  • Manage users, departments, leave types, org settings, reporting structure, group bookings, and locked dates.
  • Approve / cancel any leave (not just one department).
  • Manage billing.
  • Everything except the executive-exclusive actions below.

Executive

Everything an administrator can do, plus the exclusive abilities to:

The isApprover flag

isApprover is a per-user flag, independent of role. It grants approve / reject / queue access — even to a plain Employee — without changing their role.

Use it for a senior team member who should approve requests but shouldn't gain admin powers. Flip isApprover on instead of promoting them.

Department scoping

A Department Head's reach is bounded to users who share their department. They can only view and act on people in the same department — the server enforces this on every department-scoped action.

Capability matrix

CapabilityEmployeeDept HeadAdminExecutive
Manage own leave/time/expensesYesYesYesYes
Cancel own approved leaveNo (request it)No (request it)YesYes
Approve in own departmentIf isApproverYesYesYes
Approve any departmentIf isApprover*NoYesYes
View usersNoYesYesYes
Edit compensationNoNoYesYes
Create admins/execsNoNoYesYes
Publish schedulesNoNoYesYes
Manage billingNoNoYesYes
Manage org settingsNoNoYesYes
View/export audit & sign-in logsNoNoNoYes
Branding & security settingsNoNoNoYes
Delete the organizationNoNoNoYes

* isApprover grants approval access according to how the approver is assigned; department heads remain bound by department scoping.

Billing is admin or executive — not executive-only. Either role can manage the subscription. See Plans.

Troubleshooting

SymptomCauseFix
"Request cancellation" instead of a Cancel button on approved leaveEmployees/dept heads can't cancel their own approved leave.Submit a cancellation request for an approver to action.
A dept head can't see a userThe user is in a different department.Department scoping limits heads to their own department; an admin must act, or move the user.
Settings → Security returns 403Audit/sign-in logs are Executive-only.Ask an executive, or have your role reviewed.
Can't edit a salary fieldCompensation is admin/executive only.An administrator or executive must make the change.
An employee needs to approve requestsThey're an employee without approval rights.Set their isApprover flag instead of promoting them.