/app/admin/roles) lets you view, edit, create, and delete roles. A role is a name and a set of permissions; users get their effective permissions by being assigned roles.
Default roles
Out of the box, iWorkWhen seeds five roles:| Role | System? | What it can do |
|---|---|---|
| Admin | Yes | Everything |
| Supervisor | No | Approves trades/absences/overtime, publishes schedules, manages coverage/duty/SA |
| Lead | No | View + approve trades and absences (not overtime) |
| Dispatcher | No | Standard employee: own schedule + requests |
| Trainee | No | Limited: own schedule + notes, no trade/PTO/OT |
roles.manage or users.manage, you could lock yourself out.
Create a role
Select permissions
Permissions are grouped by category (self, admin, schedule, approval, bidding, reports, sa). Check every capability the role should grant.
Edit a role
Click Edit next to a role. Same form, but pre-filled. Changes take effect immediately (there’s a ~few-second in-memory cache that flushes).Delete a role
Click Delete. Only non-system roles can be deleted. Users who had that role lose those permissions (other roles they have are unaffected).Recipes
Trainer
Trainer
Dispatcher +
sa.manage. Can do everything a regular employee does, plus create/manage special assignments.Scheduler
Scheduler
self.* + schedule.view.all + schedule.publish + schedule.history.view + shifts.manage + shift_patterns.manage + coverage.view + coverage.manage. Can build and publish schedules but can’t approve trades/absences.HR
HR
self.* + users.view + users.manage + users.hours.change + timebank.view.all + absences.approve. Manages people and PTO balances.Read-only viewer
Read-only viewer
self.schedule.view + users.view + schedule.view.all + shifts.view + coverage.view + duties.view + reports.view. Can look but not change anything.Required permissions
roles.view— read the listroles.manage— create/edit/delete
roles.manage by default.