Permissions & Access

User Roles Back to top

WorkHub has three user roles that determine what a user can see and do within the app. Roles are hierarchical — higher roles inherit all capabilities of lower roles.

Jira Site Administrator

Jira site administrators automatically have full access to all WorkHub features without any additional configuration. This is the highest privilege level.

• Full access to all features: scheduler, time tracking, timesheets, leave, reports.
• Full access to all Settings tabs (General, Capacity, Holidays, Leave Settings, Permissions, Timesheet Access).
• Can promote users to App Admin and revoke App Admin status.
• Can approve and reject all timesheets and leave requests, regardless of assignment rules.
• Can restrict or unblock users.

App Admin

Users promoted to App Admin by a Jira site administrator. App Admins have full access to all features and settings within WorkHub, but cannot promote other users to App Admin.

• Full access to all features: scheduler, time tracking, timesheets, leave, reports.
• Full access to all Settings tabs.
• Can approve and reject all timesheets and leave requests.
• Cannot promote other users to App Admin (only Jira site administrators can do this).

Member

Regular Jira users who have been granted access to WorkHub (either via the "All Users" toggle or by being explicitly added). Members can use the core features but cannot access admin settings.

• View the resource scheduler timeline and workload indicators.
• Log time in the Time Tracking view.
• Submit timesheets for approval.
• Request leave and view own leave status.
• View own data in reports.
• Can approve others' timesheets if assigned as an approver in Timesheet Access settings.
• Can view timesheets of users they are assigned as an approver or viewer for in Timesheet Access settings.
• Cannot access Settings or modify app configuration.

Permissions Summary

Timesheet Approval Permissions Back to top

Timesheet approval permissions determine who can approve or reject submitted timesheets. These are configured in Settings → Timesheet Access.

Rule Types

• Per-User Rule — a specific approver is assigned to each team member. Only the assigned approver (and Jira site administrators) can approve that member's timesheets.
• All-Users Rule — any user with the approver role can approve any team member's timesheet.

Priority Chain

When determining whether a user can approve a timesheet, WorkHub checks in this order:

1. Jira site administrator — always has approval rights for all users.
2. App Admin — always has approval rights for all users.
3. Per-user assignment — the user is the designated approver for the submitter.
4. All-users rule — the user has been granted the global approver role.

View Access

Separate from approval, view access controls who can see other users' timesheets without being able to approve or reject them. Viewer rules follow the same per-user and all-users patterns as approver rules and are configured in the same Timesheet Access settings tab.

Leave Approval Permissions Back to top

Leave approval uses a per-user assignment model. Each user has one designated leave approver who is responsible for reviewing their leave requests.

How It Works

• Each user can have one assigned leave approver, configured in Settings → Leave Settings.
• When a user submits a leave request, it appears in their approver's "Approvals" tab in the Leave view.
• The approver can approve or reject the request, optionally with a note.
• If no leave approver is assigned, only Jira site administrators and App Admins can approve the request.

Recall and Revoke

The leave approval workflow supports the following actions beyond standard approve/reject:

• Recall (before decision) — the leave owner can recall a pending request before it is approved or rejected. This is immediate — no approver consent needed.
• Recall (after approval) — the leave owner can request to recall an already-approved leave. This sets the status to "Recalling" and requires the approver's consent.
• Deny recall — the approver can deny a recall request, keeping the leave approved.
• Revoke — the approver can directly revoke an approved leave without the owner requesting it.

Access Control for Settings Back to top

The Settings view is restricted to Jira site administrators and App Admins. Regular members do not see the Settings option in the navigation sidebar.

• Jira site administrators can access all six settings tabs, including Permissions (where App Admins are promoted/revoked and users are restricted).
• App Admins can access all six settings tabs. However, only Jira site administrators can promote or revoke App Admin status.
• Members have no access to Settings. They can view their own configuration (assigned approver, capacity scheme) in the My Account view.

Restricted User Views Back to top

Users added to the Restrict Users list in Settings → Permissions are blocked from accessing WorkHub entirely. When a restricted user opens the app, they see an "Access Denied" message explaining that they do not have permission to use the application.

• Restricted users cannot view any WorkHub data (scheduler, time tracking, reports, etc.).
• The restriction takes effect even when the "All Users" toggle in Manage Access is enabled — the Restrict Users list overrides it.
• Jira site administrators and App Admins can add or remove users from the restricted list at any time.
• Jira site administrators themselves cannot be restricted — their access is always guaranteed by Jira.

Related Pages Back to top

• Settings & Configuration — configure permissions, timesheet access, leave approvers, and other admin settings.
• Reports — generate utilization, project, leave, and worklog reports.
• Resource Scheduler — the resource scheduler timeline.
• Getting Started — initial setup and first-run configuration.