Roles and Permissions (RBAC)
TalinoHR uses Role-Based Access Control (RBAC) with 7 predefined system roles. Each role has a specific set of permissions that determine what the user can see and do in the system.
Role Hierarchy Overview
| Role | Description | Primary Access |
|---|---|---|
| SUPER_ADMIN | Full system access | Everything |
| HR_ADMIN | Senior HR management | HR + Performance + Reports + Settings |
| HR_STAFF | Day-to-day HR operations | HR operations (no payroll process) |
| PAYROLL_ADMIN | Payroll management and approval | Payroll + Reports + Gov reports |
| PAYROLL_STAFF | Payroll processing | Payroll processing (no approval) |
| MANAGER | Team management | Team attendance/leaves/performance |
| EMPLOYEE | Self-service only | ESS portal |
Detailed Role Permissions
SUPER_ADMIN
Full access to all system features. This is the only role that can:
- Manage company settings (company.manage)
- Manage user accounts (users.manage)
- Override payroll approval steps (can always approve any step regardless of chain configuration)
All permissions: company.manage, users.manage, employees.create, employees.read, employees.update, employees.delete, employees.read_all, attendance.manage, attendance.read, leaves.approve, leaves.apply, payroll.process, payroll.approve, payroll.view, payslips.view_all, payslips.view_own, performance.manage_cycles, performance.write_reviews, performance.self_assess, reports.view, reports.generate_gov, ai.analytics, settings.compliance, personnel.manage, personnel.approve, personnel.view, performance.provide_feedback
HR_ADMIN
Senior HR role with broad access to employee management, performance, and reporting. Cannot manage company settings or user accounts directly.
Key permissions: employees.create/read/update/delete, employees.read_all, attendance.manage, leaves.approve, payroll.view (view only, not process), payslips.view_all, performance.manage_cycles, performance.write_reviews, reports.view, reports.generate_gov, ai.analytics, settings.compliance, personnel.manage, personnel.approve
Cannot: Manage company settings, manage user accounts, process payroll, approve payroll
HR_STAFF
Day-to-day HR operations role. More limited than HR_ADMIN.
Key permissions: employees.create/read/update (no delete), employees.read_all, attendance.manage, leaves.approve, performance.write_reviews, reports.view, personnel.manage, personnel.view
Cannot: Delete employees, view all payslips, manage performance cycles, generate government reports, access AI analytics, change compliance settings, approve payroll
PAYROLL_ADMIN
Full payroll management including processing and approval authority.
Key permissions: employees.read, employees.read_all, attendance.read, payroll.process, payroll.approve, payroll.view, payslips.view_all, reports.view, reports.generate_gov
Cannot: Create/update/delete employees, manage attendance, approve leaves, manage performance, manage personnel actions, access AI analytics, change settings
PAYROLL_STAFF
Payroll processing role without approval authority.
Key permissions: employees.read, employees.read_all, attendance.read, payroll.process, payroll.view, payslips.view_all, reports.view
Cannot: Approve payroll, approve leaves, manage employees, manage performance, generate government reports
MANAGER
Team management role focused on direct reports.
Key permissions: employees.read (own team), attendance.read, leaves.approve (for direct reports), performance.write_reviews, reports.view, personnel.view
Cannot: Create/update/delete employees, manage attendance, process payroll, view all payslips, manage performance cycles
Special behavior: Managers can only access employees who report directly to them (based on the reportingTo relationship).
EMPLOYEE
Self-service only role with minimal permissions.
Key permissions: employees.read (self only), attendance.read (own), leaves.apply, payslips.view_own, performance.self_assess, personnel.view (own actions), performance.provide_feedback
Cannot: Access admin interface, view other employees' data, approve anything, process payroll
Employee Data Access Rules
Beyond permissions, TalinoHR enforces data access rules based on role:
- SUPER_ADMIN, HR_ADMIN, HR_STAFF: Can access all employee records.
- MANAGER: Can access their own record and the records of direct reports (employees whose reportingTo matches the manager's user ID).
- EMPLOYEE: Can only access their own record.
Permission Checks in the System
Permissions are checked at two levels:
- API routes: Each API endpoint verifies that the user's role has the required permission before processing the request. The user's role is set in the x-user-role header by the authentication middleware.
- UI navigation: The sidebar and page components conditionally show or hide features based on the user's role.
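The following is an added, illustrative model of the checks described in the two sections above (the data access rules and the API-route permission check). It is not the contents of lib/rbac.ts or any other TalinoHR code. The role and permission names are the ones listed on this page; the function names, the EmployeeRecord shape, the request type and the sample employees are assumptions made for the example. The x-user-role header is treated as trustworthy only under the assumption stated on the page, that the authentication middleware sets it after authenticating the user; the route guard therefore rejects unknown or missing values rather than defaulting to any role.

```typescript
// Added example modelling TalinoHR's RBAC checks. Not the project's own code;
// role/permission names come from the documentation, everything else is assumed.

type Role =
  | "SUPER_ADMIN" | "HR_ADMIN" | "HR_STAFF" | "PAYROLL_ADMIN"
  | "PAYROLL_STAFF" | "MANAGER" | "EMPLOYEE";

// Subset of the permissions listed on the page, enough for the checks below.
const ROLE_PERMISSIONS: Record<Role, ReadonlySet<string>> = {
  SUPER_ADMIN: new Set(["company.manage", "users.manage", "employees.read",
    "employees.read_all", "leaves.approve", "payroll.process",
    "payroll.approve", "payroll.view", "payslips.view_all"]),
  HR_ADMIN: new Set(["employees.read", "employees.read_all", "leaves.approve",
    "payroll.view", "payslips.view_all"]),
  HR_STAFF: new Set(["employees.read", "employees.read_all", "leaves.approve"]),
  PAYROLL_ADMIN: new Set(["employees.read", "employees.read_all",
    "payroll.process", "payroll.approve", "payroll.view", "payslips.view_all"]),
  PAYROLL_STAFF: new Set(["employees.read", "employees.read_all",
    "payroll.process", "payroll.view", "payslips.view_all"]),
  MANAGER: new Set(["employees.read", "leaves.approve"]),
  EMPLOYEE: new Set(["employees.read", "leaves.apply", "payslips.view_own"]),
};

const KNOWN_ROLES: ReadonlySet<string> = new Set(Object.keys(ROLE_PERMISSIONS));

// Permission check: a role either holds a permission or it does not.
function hasPermission(role: Role, permission: string): boolean {
  return ROLE_PERMISSIONS[role].has(permission);
}

// Assumed shape of an employee record (field name reportingTo is from the page).
interface EmployeeRecord {
  id: string;
  userId: string;             // user account that owns this record
  reportingTo: string | null; // user ID of the manager, if any
}

// Data access rule from the page: three roles see every record, a manager sees
// own record plus direct reports, an employee sees only their own record.
// Roles the page's rule list does not mention fall through to "own record".
function canAccessEmployee(role: Role, requesterUserId: string, target: EmployeeRecord): boolean {
  if (role === "SUPER_ADMIN" || role === "HR_ADMIN" || role === "HR_STAFF") return true;
  if (target.userId === requesterUserId) return true;
  if (role === "MANAGER") return target.reportingTo === requesterUserId;
  return false;
}

// Payroll approval step: SUPER_ADMIN may approve any step regardless of chain
// configuration; any other role needs payroll.approve and must be the role the
// chain configuration names for this step (assumed representation of the chain).
function canApprovePayrollStep(role: Role, stepApproverRole: Role): boolean {
  if (role === "SUPER_ADMIN") return true;
  return hasPermission(role, "payroll.approve") && role === stepApproverRole;
}

// Minimal request type for the route guard (assumption for the example).
interface Req { headers: Record<string, string | undefined>; }

// Read the role the auth middleware placed in x-user-role; unknown values are
// rejected rather than mapped to a default role.
function parseRole(req: Req): Role | null {
  const raw = req.headers["x-user-role"];
  return raw !== undefined && KNOWN_ROLES.has(raw) ? (raw as Role) : null;
}

// API-route guard: 401 without a valid role, 403 without the permission.
function authorize(req: Req, permission: string): { status: number; body: string } {
  const role = parseRole(req);
  if (role === null) return { status: 401, body: "unauthenticated" };
  if (!hasPermission(role, permission)) return { status: 403, body: "forbidden" };
  return { status: 200, body: "ok" };
}

// Constructed sample data so the example runs stand-alone.
const SAMPLE_EMPLOYEES: EmployeeRecord[] = [
  { id: "E1", userId: "u-alice", reportingTo: null },
  { id: "E2", userId: "u-bob", reportingTo: "u-alice" },
  { id: "E3", userId: "u-carol", reportingTo: "u-dave" },
];

// IDs of the sample records a given user may read under the data access rules.
function visibleEmployees(role: Role, userId: string): string[] {
  return SAMPLE_EMPLOYEES.filter((e) => canAccessEmployee(role, userId, e)).map((e) => e.id);
}

// Usage: alice (MANAGER) sees her own record and bob's; bob (EMPLOYEE) sees only his own.
console.log(visibleEmployees("MANAGER", "u-alice"), visibleEmployees("EMPLOYEE", "u-bob"));
console.log(authorize({ headers: { "x-user-role": "EMPLOYEE" } }, "payroll.view"));
```

Two design points worth noting. The route guard makes the permission check and the data access check two separate steps: employees.read says whether the endpoint may be called at all, while canAccessEmployee decides which records come back, which is how a MANAGER holding employees.read still cannot read records outside their reporting line. And because the UI only hides features, the API-level check is the control that actually enforces the role; hiding a menu entry is a usability measure, not a security boundary.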
Assigning Roles
Roles are assigned to users at the User level (not Employee level). A single user has one role that determines their access throughout the system.
To change a user's role:
- Navigate to Settings → Users (/settings/users) (SUPER_ADMIN only).
- Find the user and edit their role.
- The new role takes effect on the next login or page refresh.
Common Role Assignments
| User Type | Recommended Role |
|---|---|
| Company owner / IT admin | SUPER_ADMIN |
| HR Manager | HR_ADMIN |
| HR Assistant / Coordinator | HR_STAFF |
| Accounting Manager | PAYROLL_ADMIN |
| Payroll Clerk | PAYROLL_STAFF |
| Department Head / Supervisor | MANAGER |
| Regular employee | EMPLOYEE |
Important Notes
- A user can only have one role at a time.
- SUPER_ADMIN is the only role that can bypass payroll approval chain requirements.
- Managers only see employees in their direct reporting line, not the entire organization.
- The EMPLOYEE role restricts users to the ESS portal only.
- Permission definitions are in lib/rbac.ts. Modifying roles or permissions requires code changes and should be done carefully, since all API routes reference these definitions.