The Roles and Permissions feature defines how access and responsibility are managed in AristoTelos.
It controls who can perform which actions, on which entities, within which organizational scope, and during which time period.
This feature underpins all operational workflows, ensuring secure, consistent, and auditable behavior across planning, attendance, requests, reporting, and payroll processes.
Key Components
Permission Group
A subset of permissions within a role that applies only to specific employees based on subordinate or excluded role rules.
Assignment Scope
The organizational level at which a role applies. Scope determines where permissions are effective.
Validity
A time interval defining when a role assignment is active and which data periods the permissions apply to.
User Role
A concrete assignment of a role to a user, including scope and validity.
Role Delegation
A temporary transfer of selected permissions from one employee to another for a defined period.
Subordinate Roles
A rule limiting permissions to employees who have specific roles.
Excluded Roles
A rule preventing permissions from applying to employees with specified roles, overriding subordinate role logic.
Delegable Permission
A permission explicitly allowed to be transferred through role delegation.
Configuration
Roles and permissions are configured centrally to reflect organizational structure and rules.
Configuration allows organizations to:
- define roles aligned with real responsibilities
- assign roles globally or to specific organizational units
- restrict where and to whom permissions apply
- enable or disable permission delegation
- manage future and temporary role assignments
Once configured, permissions are enforced automatically across all workflows.
Roster View
Roles and permissions directly control roster behavior.
They determine:
- which employees are visible
- whether shifts can be viewed, edited, or published
- who can create, process, or approve requests
- access to historical and future rosters
The roster dynamically adapts to role, scope, and validity, preventing unauthorized actions by design.
Permissions
(How control is enforced)
Permissions are evaluated dynamically based on:
- assigned roles
- organizational hierarchy
- validity intervals
- delegation rules
The system enforces:
- strict separation of actions on oneself and actions on others
- hierarchy-aware access control
- controlled handling of future and historical data
- predictable and safe delegation behavior
This ensures consistent and auditable permission enforcement across the system.
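The following sketch shows how the components defined above could combine into a single default-deny check. It is an added example, not AristoTelos code. The class names, field names, org tree and sample data are assumptions, and validity is simplified to one date compared against the assignment interval. The only precedence rule taken from the page is that excluded roles override subordinate roles.

```python
from dataclasses import dataclass
from datetime import date

# Constructed org tree (unit -> parent); unit names are illustrative assumptions.
ORG_PARENT = {"line-1": "plant-a", "plant-a": "company", "plant-b": "company", "company": None}

@dataclass(frozen=True)
class PermissionGroup:                        # hypothetical model of a permission group
    permissions: frozenset
    subordinate_roles: frozenset = frozenset()  # empty: no restriction by target role
    excluded_roles: frozenset = frozenset()     # overrides subordinate_roles
    delegable: frozenset = frozenset()          # permissions allowed to be delegated

@dataclass(frozen=True)
class UserRole:                               # hypothetical model of a user role
    user: str
    groups: tuple
    scope: str                                # org unit where the role applies
    valid_from: date
    valid_to: date
    delegated_from: str = ""                  # non-empty when created by delegation

def in_scope(unit, scope):
    # Walk up from the target's unit; unknown units fall off the tree (deny).
    while unit is not None and unit != scope:
        unit = ORG_PARENT.get(unit)
    return unit is not None

def is_allowed(assignments, actor, permission, target_roles, target_unit, on_date):
    for a in assignments:
        if a.user != actor or not (a.valid_from <= on_date <= a.valid_to):
            continue                          # wrong user or outside validity
        if not in_scope(target_unit, a.scope):
            continue                          # target outside assignment scope
        for g in a.groups:
            if permission not in g.permissions or (a.delegated_from and permission not in g.delegable):
                continue                      # not granted, or not delegable
            if g.excluded_roles & target_roles:
                continue                      # exclusion wins over subordinate match
            if g.subordinate_roles and not (g.subordinate_roles & target_roles):
                continue                      # target holds no subordinate role
            return True
    return False                              # default deny

# Constructed sample data: alice holds the role, bob receives a two-week delegation.
GROUP = PermissionGroup(frozenset({"shift.edit", "shift.publish"}), frozenset({"operator"}),
                        frozenset({"manager"}), frozenset({"shift.edit"}))
ASSIGNMENTS = [
    UserRole("alice", (GROUP,), "plant-a", date(2025, 1, 1), date(2025, 12, 31)),
    UserRole("bob", (GROUP,), "plant-a", date(2025, 7, 1), date(2025, 7, 14), "alice"),
]
```

Calling `is_allowed(ASSIGNMENTS, "bob", "shift.publish", {"operator"}, "line-1", date(2025, 7, 5))` returns `False`, because `shift.publish` is not in the delegable set of this constructed group.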
Roles and Permissions implementation
The Roles and Permissions feature provides a centralized and predictable authorization framework across all workforce management processes.
Access rules are enforced directly at system level, preventing unauthorized actions and reducing operational risk without relying on manual checks or procedural controls. Permission evaluation is performed automatically and consistently, ensuring uniform behavior across planning, attendance, requests, reporting, and payroll-related workflows.
The feature supports complex organizational structures, including multi-site hierarchies, matrix responsibility models, and time-bound role assignments. Changes in organizational responsibility are reflected immediately in system behavior, without requiring role overlaps, temporary workarounds, or manual intervention.
Through time-aware permissions and controlled role delegation, access remains aligned with current responsibilities and defined validity periods. This ensures clear accountability, traceable authorization decisions, and consistent enforcement of internal rules and regulatory requirements across all operational scenarios.
The result is a stable and scalable authorization foundation that integrates seamlessly with all core workforce management functions.
