Roles and permissions in AttendFirst: admin, manager

Every person in AttendFirst has one of two roles: Admin or Employee. On top of that, any employee with at least one direct report gets Manager capabilities automatically. This page explains what each permission set allows and how roles are managed.

The three permission sets

AttendFirst stores two formal roles on the user record: Admin and Employee. Manager is not a stored role. It’s derived from the reporting structure, so you never set “manager” anywhere.

Admin

Admins have full access to everything in AttendFirst.

• Configure the company, timezone, work schedule, and all settings.
• Add, edit, deactivate, and exit employees.
• Approve or reject any leave request, for anyone.
• Review and approve join requests from the public link.
• Backfill attendance for any date and any employee.
• Export reports for the whole company.
• Promote another employee to admin or demote an admin.
• Change their own login email.

Admins see the full sidebar: Dashboard, Employees, Attendance, Leaves, Reports, and an Approvals group (Join Requests and WFH Requests). Below that, a My Activity group has the same personal pages every employee sees (Attendance, Leaves, On Leave, Holidays, WFH Address). A Setup group holds all configuration: Company, Locations, Departments, Designations, Shifts, Leave Types, Check-in Types, Holidays, QR Codes, and Join Link. Billing and Support sit at the bottom. If the admin also has direct reports, a Team group appears with Attendance and Leaves under it.

Manager (employee with direct reports)

Any employee can be a manager by having one or more direct reports assigned to them. Managers see everything an employee sees, plus a Team surface.

• See their direct reports’ attendance under Team → Attendance.
• Approve or reject their direct reports’ leave requests under Team → Leaves.
• See their reports’ leave on the Team Leaves calendar tab.
• Quickly act on pending requests from the mobile /m/team tab.

Managers cannot:

• See other managers’ teams.
• Approve requests outside their reporting line.
• Change company settings.
• Add or edit employees.

If an admin also has reports (by being assigned as someone’s manager), they get the Team surface in addition to the Admin surface. In practice most admins skip this and approve from the Leaves page directly.

Employee (everyone else)

Employees are the default role. They manage only their own data.

• Check in and check out from desktop or mobile.
• View their own attendance history under My Attendance.
• Submit, cancel, and view their own leave requests.
• View their own profile, change their photo, enable push notifications.
• See the company-wide leave calendar if the admin has turned that on.
• See the company holiday list.

Permissions matrix

Capability	Admin	Manager	Employee
Check in and out	Yes	Yes	Yes
See own attendance history	Yes	Yes	Yes
Submit own leave request	Yes	Yes	Yes
View own profile	Yes	Yes	Yes
View company holidays	Yes	Yes	Yes
View org-wide leave calendar	Yes	Yes	Conditional*
See direct reports’ attendance	Yes	Yes	No
Approve or reject direct reports’ leave	Yes	Yes	No
See every employee’s attendance	Yes	No	No
Approve or reject any leave	Yes	No	No
Review join requests	Yes	No	No
Add or edit employees	Yes	No	No
Backfill attendance (manual entry)	Yes	No	No
Export reports	Yes	No	No
Change company settings	Yes	No	No
Promote another admin	Yes	No	No
Change own login email	Yes	No	No

* Employees see the calendar only if the admin has enabled Org-wide Leave Calendar under Company settings.

How managers are created

There is no “Make manager” action. To give someone manager capabilities:

1. Go to Employees.
2. Edit any employee who should report to the new manager.
3. Set the Manager field to the person you want to promote.
4. Save.

The moment an employee points to them, the sidebar grows a Team group with Attendance and Leaves under it.

To remove manager capabilities, clear the Manager field on every employee who reports to them. Once they have zero reports, the Team group disappears.

How admins are created

Every company starts with the person who registered the account as the only admin. The data model supports multiple admins per company, but UI-driven admin promotion isn’t exposed yet. If you need a second admin, contact AttendFirst support with the employee’s email and we’ll grant admin rights manually.

Frequently asked questions

Why is manager not a separate role?

Reporting lines change more often than roles. Deriving manager capability from the Manager field on the report’s record means no separate permission flag to keep in sync.

Can a manager see leave history beyond their team?

No. Managers only see requests from employees directly reporting to them. The org-wide leave calendar shows approved leaves company-wide when enabled by the admin.

Can a manager approve their own leave?

No. The system blocks self-approval. A manager’s leave requests route to the company admin.

Can an admin have a manager?

Yes. Admins can be assigned a manager (for reporting-line display), but it has no effect on their permissions. Admins can always approve their own leave.

Is there a limit on admins?

No. Promote as many employees as you want. In practice two or three is common: one founder, one operations person, one HR.

Can I create custom roles?

Not today. The two-role model with implicit manager covers almost every Indian SMB structure. Fine-grained permissions are not on the current roadmap.

Related docs

• Managing employees. Adding, editing, and deactivating employees. Setting the Manager field.
• Admin account. Changing the admin login email.
• Leave approvals. The admin-side leave queue.
• Company settings. Global rules admins configure for everyone.