Easyteam Embedded

Permissions

Easyteam uses a granular permission system to control access to each workforce management feature.

Permission Types

Refer to the codebase for the canonical list of permissions; the enum below is mirrored here for quick reference.

Feature‑Level Permissions

To control timesheets, use SHIFT_READ, SHIFT_WRITE, SHIFT_ADD, and SHIFT_UPDATE to control access to the view, add, and modify actions on attendance entries.
To control schedules, use SCHEDULE_READ and SCHEDULE_WRITE for read-only or edit access to schedules.
New features and modules have their own permission levels. See the types and codebase for more information.

Location Management

Location-based permissions manage access across specific work sites. The LOCATION_READ permission enables viewing all employee data within a location, while LOCATION_ADMIN grants full administrative control over location settings and configurations.

Organization Management

At the highest level, ORGANIZATION_ADMIN provides complete access to manage all locations and settings across the entire organization.

Example: Common Permission Configurations

Granular permission structure in Easyteam

Regular Employee

A standard employee typically only needs access to see their own shifts and view their personal timesheet:

Shift Manager

A location manager needs more comprehensive access to manage their team's schedules, but only in locations they're assigned to:

Regional Manager

Regional managers require full access across multiple locations, without access to the whole organization:

Hierarchical Inheritance Rules

While some permissions imply others (e.g., ORGANIZATION_ADMIN grants LOCATION_ADMIN, which in turn grants shift & schedule rights), best practice is to explicitly list every permission a role requires. Being verbose keeps JWT payloads self‑describing and future‑proofs your integration.
When in doubt, deny by default and add the minimal permission needed.
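
A strict check that a host application could run before placing grants in a token, written as an added example rather than Easyteam code: it flags permissions that are only implied by inheritance and denies anything not explicitly listed. The permission names come from this page; the `{ locationId, permissions }` grant shape, the function names and the sample data are assumptions, and only location-scoped grants are handled.

```javascript
// Added example. Permission names are from this page; the grant shape
// { locationId, permissions } and all function names are assumptions.
const SHIFT_AND_SCHEDULE = [
  "SHIFT_READ", "SHIFT_WRITE", "SHIFT_ADD", "SHIFT_UPDATE",
  "SCHEDULE_READ", "SCHEDULE_WRITE",
];
const KNOWN = new Set([
  ...SHIFT_AND_SCHEDULE, "LOCATION_READ", "LOCATION_ADMIN", "ORGANIZATION_ADMIN",
]);
// Inheritance as the text describes it:
// ORGANIZATION_ADMIN -> LOCATION_ADMIN -> shift & schedule rights.
const IMPLIES = {
  ORGANIZATION_ADMIN: ["LOCATION_ADMIN"],
  LOCATION_ADMIN: SHIFT_AND_SCHEDULE,
};

// Transitive closure of everything a permission list implies.
function expand(permissions) {
  const seen = new Set();
  const stack = [...permissions];
  while (stack.length > 0) {
    const p = stack.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    stack.push(...(IMPLIES[p] || []));
  }
  return seen;
}

// Lint one grant: report unknown names (typos) and permissions the role
// would get only through inheritance instead of an explicit entry.
function lintGrant(grant) {
  const listed = new Set(grant.permissions);
  const unknown = [...listed].filter((p) => !KNOWN.has(p)).sort();
  const known = [...listed].filter((p) => KNOWN.has(p));
  const implicitOnly = [...expand(known)].filter((p) => !listed.has(p)).sort();
  return { unknown, implicitOnly };
}

// Deny by default: pass only on an exact, listed permission for that location.
function isAllowed(grants, locationId, permission) {
  if (!KNOWN.has(permission) || !Array.isArray(grants)) return false;
  return grants.some((g) => g && g.locationId === locationId &&
    Array.isArray(g.permissions) && g.permissions.includes(permission));
}

// Constructed sample: a manager grant that leans on LOCATION_ADMIN inheritance.
const SAMPLE_GRANTS = [{ locationId: "loc_1", permissions: ["LOCATION_ADMIN", "SCHEDULE_READ"] }];
console.log(lintGrant(SAMPLE_GRANTS[0]));
```

Running the lint in CI against each role definition surfaces grants that depend on inheritance before they reach a token.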
WARNING
When implementing the payroll module, only render the component to the relevant users and hide it for everyone else.

Need help designing your permission structure? Our team can help you map your organizational roles to the appropriate permission sets and create more granular permissions for your specific use-case.
Modified at 2025-06-26 16:11:17