Skip to Content
SettingsSecurityPermission Definitions

Permission Definitions

Permissions are the smallest unit of access control in RadixHR. Each one represents a single capability — for example, “view team leave” or “approve all payroll” — and they’re combined into Roles, which are then assigned to employees.

This page lists every permission that exists in your workspace, lets you filter by module, and lets you create or edit custom permissions when the built-in ones don’t cover a specific need.

What you can do here:

  • Browse the full catalogue of permissions, with the count of roles using each one
  • Filter by module (Employees, Leave, Attendance, Payroll, etc.)
  • Search by name, code, description, module, or action
  • Create custom permissions for specialised access needs
  • Edit a permission’s display name, description, and category
  • Delete a custom permission (only when no roles use it)
Permission Definitions Overview

Understanding the Permission Code

Every permission has a machine-readable code that follows a strict three-part pattern:

module:action:scope

For example, leave:approve:team reads as “approve leave requests for team members”. This pattern lets you predict what a permission does just from its code, and it makes audit logs and API responses self-explanatory.

ComponentWhat it specifiesExamples
ModuleThe feature area or data type the permission belongs toemployees, leave, payroll, ats
ActionWhat kind of operation is allowedview, create, update, delete, approve, manage
ScopeWhich records the action applies toown, subordinates, team, department, all

Permissions in RadixHR are additive — there is no “deny” flag. A user gets the union of permissions across every role assigned to them. If any of their roles grants a permission, they have it.


Actions — what each one means

Actions describe the kind of operation the permission allows. RadixHR uses a consistent set of actions across modules:

ActionWhat it allows
viewRead or see the data without making changes
createAdd new records
updateModify existing records
deleteRemove records
approveApprove pending requests (leave, expenses, etc.)
rejectReject or deny pending requests
exportDownload data to external formats (CSV, PDF, etc.)
importUpload data from external sources
manageFull administrative control — typically implies view + create + update + delete + configuration of that area

The manage action is shorthand for “everything in this module”. If a role has payroll:manage:all, you typically don’t need to add the individual view, create, update, delete, and approve payroll permissions to it.


Scopes — who the permission applies to

Scopes determine which records a user can act on. The same action can exist with different scopes (e.g., leave:view:team vs. leave:view:all), letting you grant the same capability at different levels of reach.

ScopeApplies toTypical user
ownOnly the user’s own recordsSelf-service for every employee
subordinatesThe user’s direct reportsLine managers
teamAll members of the user’s teamTeam leads, supervisors
departmentAll members of the user’s departmentDepartment heads
allEvery record in the workspaceHR admins, executives

Scope hierarchy

Scopes broaden in this order — each one typically includes the narrower scopes that came before:

own → subordinates → team → department → all

So a user with employees:view:department can also see their team members and their own profile (because both are subsets of “department”). This is why you usually only need to grant the widest scope a user requires, not every narrower scope below it.

Follow the principle of least privilege — give the narrowest scope that allows the user to do their job. A team lead probably needs :team, not :all.


The Permissions List

The main page is a table of every permission in your workspace, with these columns:

ColumnDescription
PermissionDisplay name on the first line, the code in monospace just below, and the description on a third line. An Inactive badge appears next to the name if the permission has been deactivated.
ModuleThe module this permission belongs to (Employees, Leave, etc.)
ActionThe action verb (View, Create, Update, etc.)
ScopeThe scope badge (Own, Team, Department, All, etc.)
RolesShield icon + count of roles that currently include this permission
⋯ menuPer-row actions: Edit Permission, Delete Permission

A footer below the table shows a live count: “Showing N of M permissions”.

Filtering by Module

Above the table is a horizontal row of module tabs. Each tab shows the module name and the count of permissions in that module. Click a tab to filter the table to just that module’s permissions; click All to see everything. Use the ‹ › arrows on either side of the tab strip to scroll if your workspace has many modules.

The search box (top-left) lets you free-text search across name, code, description, module, and action — combine it with a module filter for fast lookups (e.g., select Leave, then type “approve” to see only the four “Approve … Leave” permissions).

The 11 modules

ModuleWhat it covers
EmployeesViewing and managing employee profiles, org data, imports/exports
LeaveLeave requests, balances, approvals, and policy management
AttendanceTime tracking, clock-in/out, attendance corrections and approvals
PayrollSalary, payslips, payroll runs, processing and approvals
DocumentsUploading, viewing, deleting, and managing documents
ReportsViewing and exporting reports
SettingsSystem-wide configuration
FeedCompany feed posts and announcements
ApprovalsVisibility into pending approvals across modules
WorkspaceWorkspace-level administration including billing
ATSApplicant Tracking System — jobs, candidates, interviews

Default Permission Catalogue

These are the permissions that ship with every RadixHR workspace. Counts on the right show how many you’ll see on each module tab.

Employees (13)

CodeDescription
employees:view:ownView own employee profile
employees:view:subordinatesView direct reports’ profiles
employees:view:teamView team members’ profiles
employees:view:departmentView department employees
employees:view:allView all employees in the workspace
employees:create:allCreate new employee records
employees:update:ownUpdate own profile information
employees:update:subordinatesUpdate direct reports’ profiles
employees:update:departmentUpdate department employees
employees:update:allUpdate any employee record
employees:delete:allDelete employee records
employees:import:allImport employee data from external files
employees:manage:allFull employee management access

Leave (20)

CodeDescription
leave:view:ownView own leave requests and balances
leave:view:subordinatesView direct reports’ leave
leave:view:teamView team leave requests
leave:view:departmentView department leave requests
leave:view:allView all leave requests
leave:create:ownSubmit own leave requests
leave:create:subordinatesCreate leave for direct reports
leave:create:allCreate leave for any employee
leave:update:ownUpdate own pending requests
leave:approve:subordinatesApprove direct reports’ leave
leave:approve:teamApprove team leave requests
leave:approve:departmentApprove department leave
leave:approve:allApprove any leave request
leave:reject:subordinatesReject direct reports’ leave
leave:reject:teamReject team leave requests
leave:reject:departmentReject department leave
leave:reject:allReject any leave request
leave:manage:allFull leave management including configuration
leave:balance:allAdd, deduct, and adjust employee leave balances

Attendance (9)

CodeDescription
attendance:view:ownView own attendance records
attendance:view:subordinatesView direct reports’ attendance
attendance:view:teamView team attendance
attendance:view:departmentView department attendance
attendance:view:allView all attendance records
attendance:create:ownRecord own attendance (clock in/out)
attendance:manage:subordinatesManage direct reports’ attendance
attendance:manage:departmentManage department attendance
attendance:manage:allFull attendance management

Payroll (7)

CodeDescription
payroll:view:ownView own salary and payslips
payroll:view:departmentView department payroll data
payroll:view:allView all payroll data
payroll:create:allCreate and process payroll runs
payroll:update:allUpdate payroll data
payroll:approve:allApprove payroll runs
payroll:manage:allFull payroll management

Payroll permissions are highly sensitive — restrict them to a small group of authorised finance/HR staff. Even payroll:view:all exposes everyone’s salary.

Documents (8)

CodeDescription
documents:view:ownView own documents
documents:view:departmentView department documents
documents:view:allView all employee documents
documents:create:ownUpload own documents
documents:create:allUpload documents for any employee
documents:delete:ownDelete own documents
documents:delete:allDelete any documents
documents:manage:allFull document management

Reports (5)

CodeDescription
reports:view:ownView own reports
reports:view:departmentView department reports
reports:view:allView all reports
reports:export:departmentExport department reports
reports:export:allExport any reports

Approvals (4)

Visibility into the global approvals queue, scoped by who the requester is.

CodeDescription
approvals:view:subordinatesView pending approvals for direct reports
approvals:view:teamView pending team approvals
approvals:view:departmentView pending department approvals
approvals:view:allView all pending approvals

ATS — Hiring (7)

Applicant Tracking System: jobs, candidates, interviews.

CodeDescription
ats:view:ownView own job applications and referrals
ats:view:teamView ATS data for team members
ats:view:departmentView ATS data for department
ats:view:allView all ATS data (jobs, candidates, interviews)
ats:create:allCreate job postings, candidates, and interviews
ats:delete:allDelete job postings, candidates, and interviews
ats:manage:allFull ATS management

Settings (4)

CodeDescription
settings:view:allView workspace settings
settings:update:allUpdate workspace settings
settings:manage:allFull settings management

Feed (2)

CodeDescription
feed:view:allView company feed
feed:create:allCreate feed posts

Workspace (3)

CodeDescription
workspace:view:allView workspace information
workspace:update:allUpdate workspace settings
workspace:manage:allFull workspace management including billing

Your workspace may show additional custom permissions that someone created for special access needs — these will appear alongside the defaults in the same module tabs.


How to Create a Custom Permission

Most workspaces don’t need custom permissions — the default catalogue covers nearly every typical access pattern. Create a custom permission only when none of the existing ones fit a real, recurring need.

  1. Go to Settings > Security > Permission Definitions
  2. Click + Create Permission (top-right)
  3. Fill in the form
  4. Click Create Permission

The new permission appears in the list immediately and can then be added to any custom role through Settings > Security > Roles & Permissions > ⋯ > Edit Permissions.

Create Permission Form

Create Permission Fields

FieldDescriptionRequired
Permission CodeThe unique machine identifier. Must start with a lowercase letter and contain only lowercase letters, digits, and underscores (max 100 chars). Convention is module:action:scope (e.g., recruiter:interview:team), but the code is just a string — use the convention so admins can read it. Cannot be changed after creation.Yes
Display NameThe human-readable name shown in lists and the role permissions dialog (max 200 chars). Example: “Interview Candidates”.Yes
DescriptionA short explanation of what this permission grants and when to use it (max 500 chars). Highly recommended — appears in tooltips and helps future admins.No
ModuleThe module this permission belongs to. Pick from: Employees, Leave, Attendance, Payroll, Documents, Reports, Settings, Feed, Approvals, Workspace. Cannot be changed after creation.Yes
ActionThe verb: View, Create, Update, Delete, Approve, Reject, Export, Import, or Manage. Cannot be changed after creation.Yes
ScopeOwn, Subordinates, Team, Department, or All. Cannot be changed after creation.Yes
CategoryAn optional sub-grouping label (e.g., “People”, “Compliance”). Useful for organising large catalogues.No

Code, Module, Action, and Scope are locked once you save. Pick them carefully — to change any of them you’d need to delete the permission and create a new one (and any role currently using it must be updated to point to the new one).

Before creating a custom permission, double-check whether an existing one already does what you need. Custom permissions add complexity and need to be remembered when training new admins. The default catalogue is more comprehensive than it first appears — use the search box to look across name, code, and description.


How to Edit a Permission

You can update a permission’s display name, description, and category at any time. The Code, Module, Action, and Scope are read-only after creation because they form the permission’s identity in role assignments.

  1. Find the permission in the list (use the search box or module tabs)
  2. Click the menu at the right of the row
  3. Select Edit Permission
  4. Update the editable fields
  5. Click Save
Permission Row Actions

The row’s menu offers:

ActionWhat it doesWhen it’s disabled
Edit PermissionOpens the form with name/description/category editableNever
Delete PermissionPermanently removes the permissionWhen the permission is in use by any role — the menu shows “(in use)” next to the action

How to Delete a Custom Permission

To delete a permission, no role may currently include it. If any role does, the Delete Permission option is disabled and shows (in use).

  1. First remove the permission from every role that uses it: go to Settings > Security > Roles & Permissions, open each role’s Edit Permissions dialog, untick the permission, and save. Use the Roles count column on the permissions list to see exactly how many roles you need to update.
  2. Once the count drops to 0, return to Permission Definitions.
  3. Click ⋯ > Delete Permission and confirm.

Deletion is permanent and cannot be undone. If you might want the permission again later, consider editing its description to flag it as deprecated and simply removing it from all roles instead of deleting.


How Permissions Combine into Roles

This page is just the catalogue. To grant access, you assign permissions to roles, then assign roles to employees:

  1. Pick or create a role in Roles & Permissions
  2. Open the role’s Edit Permissions dialog
  3. Tick the permissions the role should have
  4. Save, then assign the role to the relevant employees

A typical mapping:

RoleKey permissions
Employeeemployees:view:own, leave:view:own, leave:create:own, attendance:view:own, attendance:create:own, documents:view:own
Team LeadAll Employee permissions + employees:view:team, leave:view:team, leave:approve:subordinates, attendance:view:team
HR Manageremployees:manage:all, leave:manage:all, attendance:manage:all, documents:manage:all, reports:view:all
Financepayroll:manage:all, payroll:view:all, reports:view:all, reports:export:all
Recruiterats:manage:all, ats:view:all, employees:view:all

Best Practices

  1. Default first. RadixHR ships with ~80 well-designed permissions covering the typical needs. Browse them before creating custom ones.

  2. Use the search box. With dozens of permissions per workspace, scrolling is slow — type a few characters of the action or module to jump straight to the one you want.

  3. Mind the scopes. Granting :all is rarely correct. If a manager only needs visibility over their team, give them :team and let them grow into wider scopes if their role expands.

  4. Audit the Roles count. Permissions used by many roles are critical — be especially cautious editing or deactivating them, since changes ripple to every role that includes them.

  5. Keep custom permissions documented. Always fill in Description and Category for custom permissions. Future admins (and future-you) will thank you.

  6. Use manage actions sparingly. They’re powerful but coarse — :manage:all typically grants every CRUD operation in a module. Prefer narrower verb+scope combinations when you can.


Troubleshooting Access Issues

If a user is missing access they expect:

  1. Open Settings > Security > Users, find the user, and list their roles.
  2. For each of those roles, open Edit/View Permissions and confirm the relevant permission is ticked at a wide enough scope.
  3. Permissions are additive — the user only lacks a permission if none of their roles grants it.
  4. If the permission exists in a role but the user still can’t perform the action, check whether a delegation rule is rerouting their requests to a different approver.

Last updated on