Last updated 2026-04-25
Roles & access
OtiumWork separates org-hierarchy roles (who reports to whom, who approves timesheets) from module access (who sees Finance, HR, Legal). Roles live on a hierarchy; modules are independent on/off flags.
The three roles
Each employee has one role, set in Manage → Employees. Roles are about org hierarchy and approval rights — they do not unlock any module by themselves.
| Role | Sees own time | Sees team time | Approvals | Admin settings |
|---|---|---|---|---|
| employee | ✓ | ✗ | ✗ | ✗ |
| manager | ✓ | direct reports | ✓ for own team | ✗ |
| admin | ✓ | full company | ✓ | ✓ |
- Employee — the default. Captures their own time, taps tiles in My Day, edits their own events. Never sees dollar figures.
- Manager — leads a team. Approves timesheets, sees their direct reports' hours, billable %, capacity, scenarios, utilization. Full Team / Capacity / Scenario / Utilization / Reports access.
- Admin — owns the workspace. Full settings, employees, rules, integrations, billing. Implicitly has all three module flags.
The three module-access flags
Finance, HR, and Legal are gated by independent per-employee flags, not by role. Admin always has all three. Anyone else — manager or employee — sees the corresponding sidebar section (and can reach the routes) only if their flag is set.
| Flag | Unlocks |
|---|---|
| has_finance_access | Finance sidebar section: dashboard, profitability, departments, sales, commissions, R&D report, monthly snapshots, finance inbox, QuickBooks, entities & FX. Also: ability to edit hourly_cost on the employee form, and access to billing settings. |
| has_hr_access | HR sidebar section: dashboard, org chart, checklists, all per-employee HR tabs (docs, key dates, certs, reviews, goals, 1:1s, salary history, disciplinary). |
| has_legal_access | Legal sidebar section: dashboard, contracts, compliance, IP, insurance, litigation, DSR/GDPR, templates. |
The flags are fully independent: granting Finance does not grant HR or Legal. Someone with all three sees all three; someone with none sees none. Without a flag, the section is invisible in the sidebar and direct URL access returns 403.
Why flags instead of more roles
Roles encode the org hierarchy (who manages whom). Module access encodes responsibility areas (who handles money, people files, contracts). They are orthogonal: a manager might also handle HR, or a finance person might also be the legal contact. Flags compose; roles can't.
Setting a role and granting access
Admins manage both at Manage → Employees → [person] → Edit:
- Role — dropdown (employee / manager / admin).
- Module access (admin-only) fieldset — three checkboxes: "Grant Finance access", "Grant HR access", "Grant Legal access". Tick the ones this person needs. Save.
Managers can edit their direct reports' name, dept, etc. but cannot toggle the access flags or grant the admin role.
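A server-side sketch of the rules above, added here as an example and not OtiumWork's own code. The role and flag names are the page's; the Employee class, its manager field, and the functions module_status and can_apply_edit are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Flag names are the ones documented on this page; everything else is hypothetical.
MODULE_FLAGS = {
    "finance": "has_finance_access",
    "hr": "has_hr_access",
    "legal": "has_legal_access",
}

@dataclass
class Employee:
    name: str
    role: str = "employee"          # employee | manager | admin
    manager: Optional[str] = None   # assumed field: name of the direct manager
    has_finance_access: bool = False
    has_hr_access: bool = False
    has_legal_access: bool = False

def module_status(user: Employee, module: str) -> int:
    """HTTP status for a direct URL request to a module route (deny by default)."""
    flag = MODULE_FLAGS[module]
    # Admin holds all three flags implicitly; for anyone else only the flag counts,
    # so a manager without the flag gets 403 just like an employee.
    if user.role == "admin" or getattr(user, flag):
        return 200
    return 403

def can_apply_edit(editor: Employee, target: Employee, changes: dict) -> bool:
    """Decide whether an edit to an employee record may be saved."""
    if editor.role == "admin":
        return True
    # Managers may edit their direct reports only.
    if editor.role != "manager" or target.manager != editor.name:
        return False
    # Access flags are admin-only, whatever the form in the browser submits.
    if set(MODULE_FLAGS.values()).intersection(changes):
        return False
    # A manager cannot grant the admin role. Other role changes are not covered
    # by the page and are allowed here as an assumption.
    return changes.get("role") != "admin"
```

The check runs on the submitted change set, so hiding the admin-only fieldset in the UI is not what enforces the rule.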
Sidebar by role + flags
| User | Sidebar sections shown |
|---|---|
| employee, no flags | Your work · Projects · Market intel |
| employee + Finance flag | Above · Team (incl. Utilization) · Reports · Finance |
| employee + HR flag | Your work · Projects · Market intel · HR |
| manager, no flags | Your work · Projects · Team · Reports · Market intel |
| manager + Finance flag | Above · Finance |
| manager + HR + Legal flags | Manager view · HR · Legal |
| admin | Everything: Manage, Finance, HR, Legal |
Common combinations
- CFO / controller — role = employee (or manager if they lead an FP&A team), has_finance_access only.
- HR director — role = employee or manager, has_hr_access only.
- General counsel — role = employee, has_legal_access only.
- Operations lead handling money + people — role = manager, both has_finance_access and has_hr_access.
- Workspace owner — role = admin. All three flags implicit.