RBAC matrix — roles × permissions
What it is
The canonical reference for who can do what in ManpowerIQ: the full role × permission matrix, reproduced from a live read of the seeded roles / permissions / role_permissions tables (BU 1, Demo Business Unit, 2026-06-10). The verified totals are 97 permissions across 9 roles.
This is the authoritative source the Roles & permissions user-guide page points to, and the gating used by the Phase-4 task pages. Source: Sprint/RBAC_RolePermission_Extract.md.
Why it's built this way
ManpowerIQ's access model is permission-centric (see Authentication & RBAC): a global catalog of permission codes, BU-scoped roles that bundle them, and runtime [Authorize("x.y")] checks. The matrix below is the concrete grant data behind that model — the actual rows seeded into role_permissions. It is presented grouped by capability so a developer adding a guarded action can find the relevant permission and see which roles already hold it.
The 9 roles
The MIQ-003 baseline seeded 7 roles; HR_DIRECTOR and COO were added in later sprints (post-baseline), both with a narrow attendance + reconciliation scope.
| id | Code | Abbr. | Name | Scope |
|---|---|---|---|---|
| 1 | SYS_ADMIN | SA | System Administrator | Full access — all 97 permissions |
| 2 | HR_ADMIN | HRA | HR Administrator | Employees, skills/certs, leave config, audit (65 perms) |
| 3 | PLANNER | PLN | Planner | Demand, rosters, allocation runs (55 perms) |
| 4 | MANAGER | MGR | Department Manager | Approve/publish, approvals, validate attendance (46 perms) |
| 5 | SUPERVISOR | SUP | Supervisor | Capture/validate attendance, team views (34 perms) |
| 6 | EMPLOYEE | EMP | Employee | Self-service only (6 perms) |
| 7 | VIEWER | VWR | Viewer | Read-only across the product (23 perms) |
| 8 | HR_DIRECTOR | HRD | HR Director | Post-baseline — attendance + reconciliation (7 perms) |
| 9 | COO | COO | Chief Operating Officer | Post-baseline — attendance + reconciliation (8 perms) |
How to read the matrix
- Columns use the abbreviations above (SA HRA PLN MGR SUP EMP VWR HRD COO).
- A ✓ means the role holds that permission.
- SYS_ADMIN holds every permission, so its column is ✓ on every row by definition.
A note on completeness. The source extract enumerates the grants of the 8 non-admin roles explicitly (92 distinct permission codes) and records that SYS_ADMIN holds all 97. The matrix below lists those 92, plus allocation_run.debug (named in the extract's quick-reference) and admin.config / admin.roles / admin.users (recovered from the Phase-6 controller scan), all of them SYS_ADMIN-only, for 96 named permissions in total. That leaves 1 of the 97 held by SYS_ADMIN alone and not yet named (97 − 92 = 5 SYS_ADMIN-only codes; 4 are now named, 1 is still unnamed). Rather than invent a code, it is left as the unenumerated residue; to recover it, query the permissions table directly at HEAD.
The matrix (by capability)
Administration & audit
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| admin.audit | ✓ | ✓ | | | | | | | |
| admin.config | ✓ | | | | | | | | |
| admin.roles | ✓ | | | | | | | | |
| admin.users | ✓ | | | | | | | | |
admin.config / admin.roles / admin.users are SYS_ADMIN-only administrative permissions, recovered from the Phase-6 controller scan (they gate Settings-write, Roles/Permissions, and Users respectively). They were among the previously-unnamed SYS_ADMIN-only residue — see the completeness note above.
Allocation rules & runs
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| allocation_rule.execute | ✓ | | ✓ | | | | | | |
| allocation_rule.read | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| allocation_rule.write | ✓ | ✓ | | | | | | | |
| allocation_run.debug | ✓ | | | | | | | | |
| allocation_run.execute | ✓ | | ✓ | | | | | | |
| allocation_run.lock | ✓ | | ✓ | | | | | | |
| allocation_run.read | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| allocation_run.write | ✓ | | ✓ | | | | | | |
Demand planning
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| demand.confirm | ✓ | ✓ | ✓ | | | | | | |
| demand.create | ✓ | | ✓ | | | | | | |
| demand.edit | ✓ | | ✓ | | | | | | |
| demand.override | ✓ | ✓ | | | | | | | |
| demand.read | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| demand.template_manage | ✓ | ✓ | | | | | | | |
| demand.template_read | ✓ | ✓ | ✓ | ✓ | | | | | |
| demand.view | ✓ | | ✓ | ✓ | | | ✓ | | |
| demand.write | ✓ | ✓ | ✓ | | | | | | |
| demand_reason.config | ✓ | ✓ | ✓ | | | | | | |
| demand_reason.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
Rostering & publish
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| roster.approve | ✓ | | | ✓ | | | | | |
| roster.create | ✓ | | ✓ | | | | | | |
| roster.edit | ✓ | | ✓ | | | | | | |
| roster.publish | ✓ | | ✓ | ✓ | | | | | |
| roster.view | ✓ | | ✓ | ✓ | ✓ | | ✓ | | |
| roster.view_own | ✓ | | | | | ✓ | | | |
| shift_assignments.override_certification | ✓ | | ✓ | ✓ | | | | | |
Attendance & reconciliation
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| attendance.capture | ✓ | | | | ✓ | | | | |
| attendance.edit | ✓ | ✓ | ✓ | | | | | ✓ | ✓ |
| attendance.import | ✓ | ✓ | ✓ | | | | | ✓ | ✓ |
| attendance.review | ✓ | | | ✓ | | | | | ✓ |
| attendance.validate | ✓ | | | ✓ | ✓ | | | | |
| attendance.view.all | ✓ | ✓ | ✓ | ✓ | | | | ✓ | ✓ |
| attendance.view.own | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| attendance.view.scoped | ✓ | | | | ✓ | | ✓ | | |
| attendance_status.config | ✓ | ✓ | | | | | | ✓ | |
| attendance_status.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | ✓ | ✓ |
| reconciliation.validate | ✓ | | | ✓ | ✓ | | | | ✓ |
| reconciliation.view | ✓ | ✓ | ✓ | ✓ | ✓ | | | ✓ | ✓ |
Leave
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| leave.approve | ✓ | | | ✓ | | | | | |
| leave.config | ✓ | ✓ | | | | | | | |
| leave.request | ✓ | | | | | ✓ | | | |
| leave.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| leave_request.approve | ✓ | ✓ | | ✓ | ✓ | | | | |
| leave_request.submit | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | |
| leave_request.view_all | ✓ | ✓ | | ✓ | ✓ | | | | |
| leave_request.view_own | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | | |
Cross-pool, overtime & early-release
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| cross_pool.approve | ✓ | | | ✓ | | | | | |
| cross_pool.request | ✓ | | ✓ | | | | | | |
| early_release.approve | ✓ | | | ✓ | | | | | |
| early_release.submit | ✓ | | | | ✓ | | | | |
| ot.approve | ✓ | | | ✓ | | | | | |
Employees, skills & certifications
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| cert.create | ✓ | ✓ | | | | | | | |
| cert.edit | ✓ | ✓ | | | | | | | |
| cert.view | ✓ | ✓ | ✓ | ✓ | | | ✓ | | |
| certifications.manage | ✓ | ✓ | ✓ | | | | | | |
| certifications.read | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| employee.create | ✓ | ✓ | | | | | | | |
| employee.delete | ✓ | ✓ | | | | | | | |
| employee.edit | ✓ | ✓ | | | | | | | |
| employee.import | ✓ | ✓ | | | | | | | |
| employee.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| employee_group.read | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
| employee_group.write | ✓ | ✓ | | ✓ | | | | | |
| grade.config | ✓ | ✓ | ✓ | | | | | | |
| grade.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| skill.assign | ✓ | ✓ | | | | | | | |
| skill.config | ✓ | ✓ | ✓ | | | | | | |
| skill.create | ✓ | ✓ | | | | | | | |
| skill.delete | ✓ | ✓ | | | | | | | |
| skill.edit | ✓ | ✓ | | | | | | | |
| skill.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
Pools
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| pool.read | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
| pool.write | ✓ | ✓ | | ✓ | | | | | |
| pool_lending_rule.read | ✓ | ✓ | ✓ | ✓ | ✓ | | | | |
| pool_lending_rule.write | ✓ | ✓ | | ✓ | | | | | |
Calendars, shifts & holidays
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| calendar.config | ✓ | ✓ | | | | | | | |
| calendar.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| holiday.config | ✓ | ✓ | ✓ | | | | | | |
| holiday.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| shift_pattern.config | ✓ | ✓ | ✓ | | | | | | |
| shift_pattern.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| shift_template.config | ✓ | ✓ | ✓ | | | | | | |
| shift_template.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
Org reference data
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| node_type.config | ✓ | ✓ | ✓ | | | | | | |
| node_type.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| terminal.config | ✓ | ✓ | ✓ | | | | | | |
| terminal.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
Imports
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| imports.run | ✓ | ✓ | ✓ | | | | | | |
| imports.view_history | ✓ | ✓ | | | | | | | |
Dashboards & self-service
| Permission | SA | HRA | PLN | MGR | SUP | EMP | VWR | HRD | COO |
|---|---|---|---|---|---|---|---|---|---|
| dashboard.view | ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ | | |
| dept_dashboard.view | ✓ | | | ✓ | ✓ | | | | |
| profile.view_own | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | | |
Gotchas / constraints
- allocation_rule.write is SYS_ADMIN + HR_ADMIN only. A PLANNER can run the engine (allocation_run.execute) but cannot edit rule sets. A common mis-assumption.
- allocation_run.debug is SYS_ADMIN only — this gates the ineligibility-reason detail on a run (finding F6). Planners can't see why a candidate was excluded without it.
- Leave has two gating styles. A newer chain (leave_request.submit / leave_request.approve) and a legacy gate (leave.approve = SYS_ADMIN + MANAGER) coexist. Check which an endpoint uses.
- HR_DIRECTOR and COO are narrow, not senior-of-everything. Despite the executive names, each holds only 7–8 attendance/reconciliation permissions — not a superset of HR_ADMIN.
- This is the BU-1 seed. Roles are tenant-scoped, so another BU's roles could in principle be edited away from this seed; this matrix is the shipped default.
- SYS_ADMIN totals 97, but only 96 are named here — see the completeness note above. Don't treat the named rows as the entire catalog (1 SYS_ADMIN-only code remains unenumerated).
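As an added example (not code from the ManpowerIQ project), a small Python helper that loads a constructed subset of the matrix rows above and answers the questions the "How to read the matrix" note and the gotchas raise: whether a role holds a code (exact match, the way the runtime [Authorize("x.y")] gate works), which codes only SYS_ADMIN holds, and whether an executive-named role is actually a superset of another. The `SEED_ROWS` subset and the function names are assumptions of this example.

```python
"""Added example: query a slice of the BU-1 role/permission seed (not ManpowerIQ code)."""
from collections import defaultdict

ROLES = ("SYS_ADMIN", "HR_ADMIN", "PLANNER", "MANAGER", "SUPERVISOR",
         "EMPLOYEE", "VIEWER", "HR_DIRECTOR", "COO")

# Constructed sample: a handful of rows copied from the matrix above as
# (permission code, non-admin roles holding it). SYS_ADMIN is left out of
# each set because its column is ✓ on every row by definition.
SEED_ROWS = [
    ("allocation_rule.write",   {"HR_ADMIN"}),
    ("allocation_run.execute",  {"PLANNER"}),
    ("allocation_run.debug",    set()),                         # SYS_ADMIN-only
    ("admin.config",            set()),                         # SYS_ADMIN-only
    ("leave.approve",           {"MANAGER"}),                   # legacy gate
    ("leave_request.approve",   {"HR_ADMIN", "MANAGER", "SUPERVISOR"}),
    ("attendance.view.own",     set(ROLES) - {"SYS_ADMIN"}),
    ("reconciliation.validate", {"MANAGER", "SUPERVISOR", "COO"}),
]


def build_grants(rows=SEED_ROWS):
    """Return role -> set of codes, expanding SYS_ADMIN to the whole catalog."""
    grants = defaultdict(set)
    for code, holders in rows:
        unknown = holders - set(ROLES)
        if unknown:
            raise ValueError(f"{code}: unknown role(s) {sorted(unknown)}")
        for role in holders:
            grants[role].add(code)
        grants["SYS_ADMIN"].add(code)
    return dict(grants)


def has_permission(role, code, grants=None):
    """Exact-code check, like the runtime [Authorize("x.y")] gate: no implied hierarchy."""
    grants = build_grants() if grants is None else grants
    return code in grants.get(role, set())


def sys_admin_only(grants=None):
    """Codes held by no non-admin role: the residue the completeness note describes."""
    grants = build_grants() if grants is None else grants
    others = set().union(*(p for r, p in grants.items() if r != "SYS_ADMIN"))
    return sorted(grants.get("SYS_ADMIN", set()) - others)


def is_superset(role_a, role_b, grants=None):
    """True only if role_a holds every code role_b holds; a senior title implies nothing."""
    grants = build_grants() if grants is None else grants
    return grants.get(role_b, set()) <= grants.get(role_a, set())
```

Feeding `build_grants` the full 96 named rows instead of the sample makes `sys_admin_only` a quick audit of which codes are still admin-only at HEAD.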
Build status
Available — RBAC schema, the 9-role seed, and the 97-permission catalog all ship and are runtime-enforced (sheet 01 §build-status). The matrix is a live extract from the seeded tables (Sprint/RBAC_RolePermission_Extract.md, 2026-06-10).