Roles & permissions: admin, manager, employee

Every person in AttendFirst has exactly one role and, separately, may also have manager capabilities depending on whether they have reports. This doc explains what each permission set unlocks and how roles are managed.

The three permission sets

AttendFirst has two formal roles stored on the user record: Admin and Employee. On top of that, any employee with at least one direct report automatically gets Manager capabilities. You do not set “manager” anywhere. It is implied by the reporting structure.

Admin

Admins run the company in AttendFirst. They have full access to everything.

• Configure the company, timezone, work schedule, and all settings.
• Add, edit, deactivate, and exit employees.
• Approve or reject any leave request, for anyone.
• Review and approve join requests from the public link.
• Backfill attendance for any date and any employee.
• Export reports for the whole company.
• Promote another employee to admin or demote an admin.
• Change their own login email.

Admins see an Admin menu in the top nav with Dashboard, Employees, Attendance, Leaves, Reports, Billing, Join Requests, and a Settings dropdown.

Manager (employee with direct reports)

Any employee can be a manager by having one or more direct reports assigned to them. Managers see everything an employee sees, plus a Team surface.

• See their direct reports’ attendance under Team → Attendance.
• Approve or reject their direct reports’ leave requests under Team → Leaves.
• See their reports’ leave on the Team Leaves calendar tab.
• Quickly act on pending requests from the mobile /m/team tab.

Managers cannot:

• See other managers’ teams.
• Approve requests outside their reporting line.
• Change company settings.
• Add or edit employees.

If an admin also has reports (by being assigned as someone’s manager), they get the Team surface in addition to the Admin surface. In practice most admins skip this and approve from the Admin → Leaves page directly.

Employee (everyone else)

Employees are the default role. They manage only their own data.

• Check in and check out from desktop or mobile.
• View their own attendance history under My Attendance.
• Submit, cancel, and view their own leave requests.
• View their own profile, change their photo, enable push notifications.
• See the company-wide leave calendar if the admin has turned that on.
• See the company holiday list.

Permissions matrix

Capability	Admin	Manager	Employee
Check in and out	Yes	Yes	Yes
See own attendance history	Yes	Yes	Yes
Submit own leave request	Yes	Yes	Yes
View own profile	Yes	Yes	Yes
View company holidays	Yes	Yes	Yes
View org-wide leave calendar	Yes	Yes	Conditional*
See direct reports’ attendance	Yes	Yes	No
Approve or reject direct reports’ leave	Yes	Yes	No
See every employee’s attendance	Yes	No	No
Approve or reject any leave	Yes	No	No
Review join requests	Yes	No	No
Add or edit employees	Yes	No	No
Backfill attendance (manual entry)	Yes	No	No
Export reports	Yes	No	No
Change company settings	Yes	No	No
Promote another admin	Yes	No	No
Change own login email	Yes	No	No

* Employees see the calendar only if the admin has enabled Org-wide Leave Calendar under Company settings.

How managers are created

There is no “Make manager” action. To give someone manager capabilities:

1. Go to Admin → Employees.
2. Edit any employee who should report to the new manager.
3. Set the Manager field to the person you want to promote.
4. Save.

The moment an employee points to them, they automatically see a Team menu in the nav with Attendance and Leaves.

To remove manager capabilities, clear the Manager field on every employee who reports to them. Once they have zero reports, the Team menu disappears.

How admins are created

Every company starts with the person who registered the account as the only admin. To add more admins:

1. Make sure the person already exists as an employee (add them first if not).
2. Go to Admin → Employees.
3. Click the three-dot menu on the employee’s row.
4. Pick Make admin.

That employee now has full admin access on their next page load. They keep their manager capabilities (if any) on top.

To demote an admin back to a regular employee, use the same three-dot menu and pick Remove admin. You cannot remove admin from yourself. At least one admin must remain in the company at all times.

Frequently asked questions

Why is manager not a separate role?

Because reporting lines change more often than roles. Treating manager as a derived capability means promoting, demoting, and reassigning happens with one field (Manager on the report’s record) instead of a separate permission flag that drifts out of sync.

Can a manager see leave history beyond their team?

No. Managers only see requests from employees directly reporting to them. The org-wide leave calendar shows approved leaves company-wide when enabled by the admin.

Can a manager approve their own leave?

No. The system blocks self-approval. A manager’s leave requests route to the company admin.

Can an admin have a manager?

Yes. Admins can be assigned a manager (for reporting-line display), but it has no effect on their permissions. Admins can always approve their own leave.

Is there a limit on admins?

No. Promote as many employees as you want. In practice two or three is common: one founder, one operations person, one HR.

Can I create custom roles?

Not today. The two-role model with implicit manager covers almost every Indian SMB structure. Fine-grained permissions are not on the current roadmap.

Related docs

• Managing employees. Adding, editing, and deactivating employees. Setting the Manager field.
• Admin account. Changing the admin login email.
• Leave approvals. The admin-side leave queue.
• Company settings. Global rules admins configure for everyone.