Permissions & Security
Role-Based Access Access to Payroll features is controlled by permissions assigned to business user roles. The following permissions are available: Permission Access Granted payrol...
Role-Based Access
Access to Payroll features is controlled by permissions assigned to business user roles. The following permissions are available:
| Permission | Access Granted |
|---|---|
payroll.dashboard.view |
View the Payroll dashboard |
payroll.employees.view |
View employee list and profiles |
payroll.employees.create |
Create new employee records, import |
payroll.employees.edit |
Edit employees, manage loans and leave |
payroll.employees.delete |
Archive or delete employees |
payroll.departments.manage |
Create, edit, archive, and delete departments |
payroll.components.manage |
Create, edit, archive, and delete pay components |
payroll.runs.view |
View payroll runs and their details |
payroll.runs.create |
Create and edit payroll runs |
payroll.runs.calculate |
Calculate and recalculate pay runs |
payroll.runs.approve |
Approve calculated runs |
payroll.runs.post |
Post approved runs and manage disbursements |
payroll.runs.void |
Void posted runs with separate authorization |
payroll.payslips.view |
View and download payslips (individual and batch) |
payroll.payslips.send |
Email payslips to employees |
payroll.reports.view |
Access payroll reports (in-browser) |
payroll.reports.export |
Export reports, statutory forms, year-end pack |
payroll.settings.manage |
Configure all payroll settings |
Separation of Duties
For compliance, it is recommended to separate these responsibilities across different users:
- Payroll Operator — creates runs, manages employees and components, calculates
- Payroll Approver — reviews and approves calculated runs (should not also calculate)
- Payroll Poster — posts approved runs and manages disbursements
- Settings Administrator — manages statutory rates and GL mappings
A run cannot be voided by the same user who posted it — this enforces dual-control.
Audit Trail
All significant payroll actions are logged in the audit trail:
- Employee create, edit, archive, and restore events with before/after snapshots
- Component archive/restore events with active assignment counts
- Settings changes with before/after values
- Run calculation, approval, posting, and void events with actor identity and timestamps
- Disbursement release, settlement, and reconciliation events with references
- Leave transactions with balance snapshots
- Loan balance changes
The audit trail is accessible to administrators and provides a complete compliance record for internal and external audits.
All payroll data is stored in the tenant database, completely isolated from other businesses on the platform.