Standard roles cover 80% of cases. For the remaining 20% — read-only accounting, Office Manager FlexOffice + Documents, IT support — create your own roles with a precise permission grid.
Step-by-step
- Start from a template
  Settings → Roles → New. Pick a standard role as a base or start empty.
- Set permissions per module
  For each module (Payroll, Attendance, Documents…): Read, Create, Update, Delete, Export, Approve.
- Define the scope
  Whole tenant, my department, my team, or a dynamic rule. E.g. “all permanents on my site”.
- Add business rules
  Conditional logic: “cannot see salaries > 100k”, “cannot approve own expenses”.
- Test in Simulate as mode
  An admin can impersonate a user with this role to verify what they can and cannot see.
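
The grid, scope and business rules from the steps above can be read as three checks that must all pass before access is granted. The sketch below is an added example, not Illizeo's code or configuration format; the `Role` class, the function names and the sample role, user and records are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable

def same(attr):
    """Scope: the record shares this attribute (department, team, site) with the user."""
    return lambda user, rec: attr in user and rec.get(attr) == user[attr]

def permanents_on_my_site(user, rec):
    """Dynamic scope from the step above: 'all permanents on my site'."""
    return same("site")(user, rec) and rec.get("contract") == "permanent"

# The two business rules quoted above, written as deny predicates.
def salary_over_100k(user, action, module, rec):
    return module == "Payroll" and rec.get("salary", 0) > 100_000

def approves_own_expense(user, action, module, rec):
    return module == "Expenses" and action == "approve" and rec.get("owner") == user["id"]

@dataclass
class Role:
    name: str
    grid: dict                                   # module -> set of allowed actions
    scope: Callable = lambda user, rec: True     # default: whole tenant
    deny_rules: list = field(default_factory=list)

def is_allowed(role, user, action, module, rec):
    """Default deny: the grid, the scope and every business rule must all pass."""
    if action not in role.grid.get(module, set()):
        return False
    if not role.scope(user, rec):
        return False
    return not any(rule(user, action, module, rec) for rule in role.deny_rules)

def simulate(role, user, checks):
    """'Simulate as' in miniature: one decision per (action, module, record)."""
    return [is_allowed(role, user, a, m, r) for a, m, r in checks]

# Constructed sample role and user (not real tenant data).
SITE_MANAGER = Role(
    name="Site manager (sample)",
    grid={"Payroll": {"read"}, "Expenses": {"read", "approve"}},
    scope=permanents_on_my_site,
    deny_rules=[salary_over_100k, approves_own_expense],
)
ALICE = {"id": "alice", "site": "Site-A"}
```

Running `simulate` over a list of expected allow and deny cases each time a role changes turns the manual Simulate as check into a regression test.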
Common use cases
| Case | Key permissions |
|---|---|
| Read-only accounting | Read Payroll, Read Expenses, Export accounting |
| Office Manager | Full FlexOffice, Read Documents, Full directory |
| IT support | Edit SSO access, Reset MFA, view audit logs |
| External auditor | Read-only on DSN, payslips, contracts |
| Extended manager (2 teams) | Manager + multi-team scope |
FAQ
How many roles can I create?
No technical limit. Practically, stay under 15 custom roles to keep them manageable.
Can I clone an existing role?
Yes, use the Duplicate button on any role.
How do I audit roles?
The Role audit report lists per role: permissions, users, last use.
RBAC vs ABAC?
Illizeo combines both: RBAC as base, ABAC for dynamic rules (data attributes).
