Skip to Content
SettingsSecurityRoles & Permissions

Roles & Permissions

Roles control what each user can see and do in RadixHR. A role is a named bundle of permissions; a permission is a single capability such as “view team leave” or “approve payroll”. You assign roles to employees, and the system grants them every permission inside those roles.

What you can do here:

  • See every role in the workspace and how many users hold each one
  • Create custom roles for job functions that don’t match the built-in ones
  • Edit the permissions inside a custom role
  • Assign roles to employees (or remove them)
  • Search by role name or description to find a specific one
Roles & Permissions Overview

Understanding Roles

When a user signs in, RadixHR collects the permissions from every role they hold and uses that combined set to decide what they can access. Permissions are additive — there is no “deny” flag. If any of a user’s roles grants a permission, they have it.

Role Types

The Type column on each row tells you where the role came from and how much you can change about it.

TypeWhat it isCan you edit it?Can you delete it?
SystemBuilt-in roles that ship with RadixHR (e.g., Workspace Owner, Employee). They define the foundational access levels every workspace needs.No — name, code, level, and permissions are all lockedNo
PositionRoles that are automatically assigned to employees based on their position in the org chart (e.g., everyone in the “Manager” position gets a Manager role).Permissions yes, assignments are automaticNo
CustomRoles you create yourself for the job functions in your organisation (e.g., “Recruiter”, “Finance Approver”, “Office Admin”).Yes — name, description, level, and permissions all editableYes, but only when no users are assigned

System roles can’t be modified because RadixHR depends on them internally. If you need behaviour that differs from a system role, create a custom role with the permissions you want and assign it instead.

Role Properties

Every role — system, position, or custom — has the same four core properties shown in the table:

PropertyDescription
RoleThe display name plus a short description. Names are what employees and admins see; descriptions help admins understand a role’s purpose at a glance.
TypeSystem, Position, or Custom (see above).
LevelA number from 0 to 99 representing the role’s seniority. Higher = more authority. Used to resolve conflicts when one approver delegates to another, or when sorting role lists.
UsersHow many employees currently hold this role. Click the count to open the Manage Users dialog for that role.

Priority Level — what it does

The Level number does not override permissions (permissions are always additive). It is used to:

  • Order the role list so higher-authority roles surface first
  • Resolve approval routing when an employee holds multiple roles — the highest-level role’s approver is preferred
  • Display the user’s “primary” role in places where only one badge is shown

A typical scale:

LevelUsed for
100Workspace Owner (system)
80–99Top-tier admins (HR Administrator, Finance Director)
50–79Mid-management (Department Heads, Senior Managers)
20–49Team leads, supervisors
0–19Self-service employee roles

The Roles List

The main page shows every role in the workspace. Each row contains:

ElementDescription
Role name + descriptionClick the row to focus it; the description appears just below the name
Type badgeSystem (filled) or Custom (outlined)
LevelThe numeric priority (0–99 for custom, may be 100 for Workspace Owner)
Users countAn icon + number; click it to open the Manage Users dialog directly
⋯ menuPer-row actions: Edit Permissions, Edit Role, Manage Users, Delete Role

Above the table you also have a search box (filters by role name or description) and the + Create Role button.

A reference card titled Role Types sits at the bottom of the page summarising the three types as a quick reminder.


How to Create a Custom Role

Custom roles let you grant access that doesn’t fit the built-in roles — for example, a “Recruiter” who needs hiring access but no payroll, or an “Office Admin” who manages documents and announcements but nothing else.

  1. Go to Settings > Security > Roles & Permissions
  2. Click + Create Role in the top-right
  3. Fill in the role details
  4. Click Create Role

The new role appears in the list immediately with 0 users and 0 permissions — you’ll add those in the next steps.

Create Role Form

Create Role Fields

FieldDescriptionRequired
Role NameThe display name shown everywhere (e.g., “Team Lead”, “Finance Approver”). Use a name that clearly describes the job function.Yes
Role CodeA unique machine identifier. Auto-generated from the name (e.g., “Team Lead” → team_lead). Lowercase letters, numbers, and underscores only. Cannot be changed after the role is created.Yes
DescriptionA short explanation of what this role grants and who should have it. Shown below the name in the list.No
Priority LevelNumber from 0 to 99 (default 50). Higher = more senior. See Priority Level — what it does above.Yes

Pick the Role Name carefully — the Role Code is locked once you save, but the Name can still be changed afterwards. The Code shows up in API/audit logs, so a clear code (e.g., recruiter rather than role_a) helps later.

Creating a role does not grant any access by itself. Open the role’s Edit Permissions dialog right after creating it and tick the permissions the role should have, otherwise users assigned to it will have no access through this role.


How to Edit a Role’s Permissions

Permissions are organised by module (Employees, Leave / Time Off, Attendance, Payroll, Documents, Approvals, Reports, Settings, News Feed, Workspace, Hiring / ATS). For each module you can tick individual permissions or use the module’s master checkbox to toggle everything in that module at once.

  1. Find the role in the list
  2. Click the menu and select Edit Permissions (for system roles this becomes View Permissions — read-only)
  3. Expand a module by clicking its header
  4. Tick or untick the permissions you want
  5. Click Save Permissions
Edit Role Permissions Dialog

Anatomy of the Permissions Dialog

ElementDescription
Module headerThe module name and a counter (e.g., 13/13 = 13 of 13 permissions in that module are selected). Click to expand or collapse the section.
Module checkboxMaster toggle that selects or clears every permission in that module in one click. Shows an indeterminate state when only some are selected.
Permission rowA single capability with its name, scope badge (own / team / department / all), short description, and the underlying code (e.g., employees:view:team).
Selected countFooter shows total permissions selected across all modules — useful sanity check before saving.
Save PermissionsPersists the change. Disabled when there are no unsaved changes.

For system roles this dialog opens in read-only mode — checkboxes are disabled and a System badge appears in the title indicating the permissions cannot be changed.

Permission codes follow the pattern module:action:scope — for example, leave:approve:team means “approve leave requests for members of the user’s team”. See Permission Definitions for the full catalogue and what each scope means.


How to Edit Role Details

To change the name, description, or priority level of a custom role:

  1. Click the menu on the role
  2. Select Edit Role
  3. Update Role Name, Description, or Priority Level
  4. Click Save Changes

The Role Code is greyed out — codes cannot be changed after creation because they are referenced by other parts of the system.

Role Actions Menu

The row menu offers:

ActionWhat it doesWhen it’s disabled
Edit PermissionsOpens the permissions selector (or View Permissions in read-only for system roles)Never — always available
Edit RoleOpens the role details form (Name, Description, Priority Level)For System roles
Manage UsersOpens the dialog to add or remove employees from this roleNever
Delete RolePermanently removes the roleFor System roles, or when the role still has users assigned

How to Assign or Remove Users on a Role

You can manage which employees hold a role from the Manage Users dialog.

  1. Click the users count badge on a role row (the icon + number), or open the menu and pick Manage Users
  2. To add: click + Add Employee, search and pick employees from the list, then click Assign
  3. To remove: click the red minus icon next to an employee’s row and confirm
Manage Users on a Role

The Manage Users dialog shows:

ColumnDescription
EmployeeAvatar, name, and email
DepartmentThe employee’s department (or if not set)
Remove iconRed minus icon — removes this user from the role after a confirmation prompt

The footer shows a live count of how many employees currently hold this role (after any search filter).

Add Employee Dialog

Assign Role to Employees
FieldDescription
Search employeesType to filter active employees by name. Pick one or more to assign in a single action.
Selected countFooter shows how many employees are currently selected.
Assign N employeesSubmits the selections; the dialog closes and the new users appear in the Manage Users list.

You can also assign a role from an employee’s profile (People > select employee > Access section). The Manage Users dialog here is faster when you’re rolling out a new role to multiple people at once.


How to Delete a Custom Role

  1. Make sure no employees are assigned to the role — if any are, the Delete Role option will be disabled. Use Manage Users to remove them or move them to a different role first.
  2. Click the menu and select Delete Role
  3. Confirm the deletion in the prompt

Deleting a role is permanent. If the role had any custom permission assignments, those mappings are lost — you cannot undo a deletion. Consider editing the role to remove all permissions instead if you want to keep the audit trail.

System roles cannot be deleted under any circumstances.


Permission Modules at a Glance

The permissions dialog groups capabilities into the following modules. The full list of permissions (with codes and scopes) is in Permission Definitions.

ModuleWhat it controls
EmployeesViewing and managing employee profiles, org data, imports/exports
Leave / Time OffLeave requests, balances, approvals, and policy management
AttendanceTime tracking, clock-in/out, attendance corrections and approvals
PayrollSalary, payslips, payroll runs, and processing
DocumentsUploading, viewing, signing, and managing documents and templates
ApprovalsApproval workflows, chains, delegations
ReportsViewing and exporting reports
SettingsSystem-wide configuration including security
News FeedCompany feed posts and announcements
WorkspaceWorkspace-level administration
Hiring / ATSHiring requests, jobs, candidates, interviews

Best Practices

  1. Start with the built-in roles. RadixHR ships with Workspace Owner, HR Administrator, and Employee — most workspaces only need a handful of additional custom roles on top of these.

  2. Name roles by function, not person. A role called “Recruiter” can outlive any individual recruiter. Avoid names like “Sara’s Permissions”.

  3. Follow least privilege. Grant the narrowest scope that lets the user do their job. Prefer leave:approve:team over leave:approve:all if a team-only scope is sufficient.

  4. Set the priority level deliberately. Use 0–19 for self-service-only roles, 20–49 for team leads, 50–79 for mid-management, 80–99 for top admins. Reserve 100 for the Workspace Owner.

  5. Document custom roles. Use the Description field — when an admin two years from now asks “what does the ‘Office Admin’ role do?”, a sentence in the description saves the conversation.

  6. Review annually. Periodically open the role list and confirm each custom role is still needed and that the people holding it are still the right ones.

  7. Test before deploying. When you create or significantly change a role, assign it to a test account and verify the access is what you intended before rolling it out to real users.


Troubleshooting Access Issues

If a user reports they can’t see or do something they expect to:

  1. Open Settings > Security > Users, find the user, and check the roles assigned to them.
  2. For each of those roles, click ⋯ > Edit/View Permissions and confirm the relevant permission is ticked at a wide enough scope (e.g., :team or :all).
  3. If multiple roles are assigned, remember permissions are additive — the user has the union of all roles’ permissions. The user is missing a permission only if none of their roles grants it.
  4. Check whether a delegation rule is rerouting their requests — they may have access but the system is sending the work elsewhere.

Last updated on