Before creating any role, understand Illizeo’s grammar: who sees what, who can do what, and how rights are inherited. Four concepts cover it: roles, scopes, permissions, dynamic rules.
The four concepts

| Concept | Definition | Example |
|---|---|---|
| Role | Predefined business profile | Manager, HR, Admin, Employee |
| Scope | Data perimeter | My team, my department, the whole tenant |
| Permission | Allowed action | Read, create, update, delete, export |
| Dynamic rule | Business condition | See only permanents, see only same site |

Standard roles shipped
- Employee: self-service access to their own data (payslips, leaves, expenses, profile). No access to others.
- Manager: everything the Employee has, plus read/approval for their direct team (leaves, expenses, performance).
- HR Ops: manage profiles, contracts, payroll. No access to system settings.
- HR Admin: everything HR Ops has, plus module, role, and integration settings.
- Tenant Admin: root level (security, SSO, subscription, tenant data). Restricted to 1-2 people.

FAQ
Can I create custom roles?
Yes, starting from a standard role and adjusting permissions. Useful for business roles (Accounting, IT, Office Manager).
Can a user have multiple roles?
Yes. Permissions are unioned (user has the permission if at least one role grants it).
How do I prevent over-privilege?
Run an annual role audit and apply the principle of least privilege. The Rights per user report lists who can do what.
What about temporary roles?
You can assign a role with an end date (e.g. for manager backup during maternity leave).
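
The FAQ answers on multiple roles, end-dated roles and the per-user rights audit, modelled as an added example that is not Illizeo's own code. The role grants, the scope ordering, the inclusive end date, and all function, field and user names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SCOPES = ["self", "team", "department", "tenant"]  # assumed: wider scopes cover narrower ones
ROLE_GRANTS = {  # constructed role -> {permission: widest scope}; not Illizeo's real matrix
    "Employee": {"read": "self"},
    "Manager": {"read": "team", "update": "team"},
    "HR Ops": {"read": "tenant", "update": "tenant", "export": "tenant"},
}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    end_date: Optional[date] = None  # None means no end date

def is_active(a, today):
    # Assumption: the end date is the last day the role applies (inclusive).
    return a.end_date is None or today <= a.end_date

def effective_rights(assignments, user, today):
    """Union over active roles: per permission, keep the widest granted scope."""
    rights = {}
    for a in assignments:
        if a.user == user and is_active(a, today):
            for perm, scope in ROLE_GRANTS[a.role].items():
                if perm not in rights or SCOPES.index(scope) > SCOPES.index(rights[perm]):
                    rights[perm] = scope
    return rights

def is_allowed(assignments, user, perm, scope, today):
    granted = effective_rights(assignments, user, today).get(perm)
    return granted is not None and SCOPES.index(granted) >= SCOPES.index(scope)

def rights_report(assignments, today):
    """Audit view: effective rights per user, plus expired assignments to clean up."""
    report = {}
    for u in sorted({a.user for a in assignments}):
        expired = sorted(a.role for a in assignments if a.user == u and not is_active(a, today))
        report[u] = {"rights": effective_rights(assignments, u, today), "expired": expired}
    return report

ASSIGNMENTS = [  # constructed sample data
    Assignment("alice", "Employee"),
    Assignment("alice", "Manager", end_date=date(2025, 6, 30)),  # temporary backup
    Assignment("bob", "Employee"),
    Assignment("bob", "HR Ops"),
]
```

Because permissions are unioned, removing one role from a user only removes a right if no other active role still grants it; the `expired` list shows assignments that no longer contribute anything and can be deleted during the audit.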
