Last updated 2026-06-25

Roles & access

OtiumWork separates org-hierarchy roles (who reports to whom, who approves timesheets) from module access (who sees Finance, HR, Legal). Roles live on a hierarchy; modules are independent on/off flags.

The three roles

Each employee has one role, set in Manage → Employees. Roles are about org hierarchy and approval rights — they do not unlock any module by themselves.

Role Sees own time Sees team time Approvals Admin settings
employee
manager direct reports ✓ for own team
admin full company
  • Employee — the default. Captures their own time, taps tiles in My Day, edits their own events. Never sees dollar figures.
  • Manager — leads a team. Approves timesheets, sees their direct reports' hours, billable %, capacity, scenarios, utilization. Full Team / Capacity / Scenario / Utilization / Reports access.
  • Admin — owns the workspace. Full settings, employees, rules, integrations, billing. Implicitly has all three module flags.

The three module-access flags

Finance, HR, and Legal are gated by independent per-employee flags, not by role. Admin always has all three. Anyone else — manager or employee — sees the corresponding sidebar section (and can reach the routes) only if their flag is set.

Flag Unlocks
has_finance_access Finance sidebar section: dashboard, profitability, departments, sales, commissions, R&D report, monthly snapshots, finance inbox, QuickBooks, entities & FX. Also: ability to edit hourly_cost on the employee form, and access to billing settings.
has_hr_access HR sidebar section: dashboard, org chart, checklists, all per-employee HR tabs (docs, key dates, certs, reviews, goals, 1:1s, salary history, disciplinary).
has_legal_access Legal sidebar section: dashboard, contracts, compliance, IP, insurance, litigation, DSR/GDPR, templates.

The flags are fully independent: granting Finance does not grant HR or Legal. Someone with all three sees all three; someone with none sees none. Without a flag, the section is invisible in the sidebar and direct URL access returns 403.

Why flags instead of more roles

Roles encode the org hierarchy (who manages whom). Module access encodes responsibility areas (who handles money, people files, contracts). They are orthogonal: a manager might also handle HR, or a finance person might also be the legal contact. Flags compose; roles can't.

Setting a role and granting access

Admins manage both at Manage → Employees → [person] → Edit:

  • Role — dropdown (employee / manager / admin).
  • Module access (admin-only) fieldset — three checkboxes: "Grant Finance access", "Grant HR access", "Grant Legal access". Tick the ones this person needs. Save.

Managers can edit their direct reports' name, dept, etc. but cannot toggle the access flags or grant the admin role.

Sidebar by role + flags

User Sidebar sections shown
employee, no flags Your work · Projects · Market intel
employee + Finance flag Above · Team (incl. Utilization) · Reports · Finance
employee + HR flag Your work · Projects · Market intel · HR
manager, no flags Your work · Projects · Team · Reports · Market intel
manager + Finance flag Above · Finance
manager + HR + Legal flags Manager view · HR · Legal
admin Everything: Manage, Finance, HR, Legal

Developer accounts

A developer account is a special login for the Otium engineering team to debug and support the product. Tick Account type → Developer account on the employee form (admin-only). It is not a fourth role — it's a flag layered on top of admin:

  • Admin-equivalent read + act across this workspace — sees and can edit almost everything an admin can.
  • Full integration visibility — Salesforce, Outlook/MS Graph, and company-API data and config pages, so integration bugs can be reproduced. Secret values (client secrets, API keys) stay masked, same as for everyone.
  • Never sees any financial data — Finance, billing, invoices, quotes, expenses, commissions, and every cost / rate / $ column (reports, team, projects, customer P&L) are blocked, even though the account is technically an admin.
  • Excluded from people analytics — does not count toward utilization, headcount, org-chart, or survey response rates, and never appears in team rosters or people pickers (a developer is a real login, not real staff).
  • No platform owner access — can never reach the /ops platform area (Stripe / Anthropic keys, cross-tenant billing), even if its email is on the owner allowlist.

Ticking the box forces the role to admin and clears any Finance flag. Do not also add a developer's email to the platform owner allowlist (OPS_ACCESS_EMAILS).

Common combinations

  • CFO / controller — role = employee (or manager if they lead an FP&A team), has_finance_access only.
  • HR director — role = employee or manager, has_hr_access only.
  • General counsel — role = employee, has_legal_access only.
  • Operations lead handling money + people — role = manager, both has_finance_access and has_hr_access.
  • Workspace owner — role = admin. All three flags implicit.

See something wrong or outdated in this article? Report it →