Overview
Permissions in Flexible Resource Planning control two things: who can access the plugin, and who can act on other people's data (approve timesheets, approve leave, view team worklogs). This page explains every aspect of the permission system so you know exactly who can see and do what.
The permission system is built around three layers:
- Access control — determines whether a user can open the plugin at all
- Timesheet permissions — determines who can approve, reject, reopen, and view timesheets
- Leave permissions — determines who can approve and reject leave requests
All three layers are configured by Admins in the Settings panel. Regular users can view their own assigned approvers in My Settings.
User Roles
Every user in the plugin falls into one of five roles. Roles determine the baseline level of access a user has across all plugin features.
| Role | Who qualifies | Access level |
|---|---|---|
| monday.com Admin | The monday.com account owner and users with admin rights in monday.com | Full access to all plugin features, settings, and all users' data. Can designate App Admins. |
| App Admin | Users explicitly granted App Admin status by an Admin | Full access to all plugin features and settings. Cannot promote other users to App Admin. |
| Team Member | Regular monday.com users who have plugin access | Can use all plugin features for their own data: log time, submit timesheets, request leave, view own workload. |
| Restricted | Users explicitly placed on the restricted list by an Admin | Blocked from accessing any plugin features. Sees an access-denied message. |
| Guest | monday.com guest users (external collaborators) | Cannot access time tracking, timesheets, or leave features. Guest restrictions are enforced automatically based on the monday.com user type. |
monday.com Admins and App Admins both have full access to the plugin, but only monday.com Admins can promote users to App Admin. App Admins cannot escalate privileges for other users. This prevents privilege escalation within the plugin.
Access Control
Access control determines which monday.com users can open and use the plugin. It is managed from Settings › Permissions by Admins and App Admins.
The plugin supports two access modes:
All Users Mode
When the "All Users" toggle is enabled, every monday.com user in the account can access the plugin. This is the simplest setup and works well for organizations where everyone needs resource planning tools.
Allowlist Mode
When "All Users" is disabled, only explicitly added users have access. Use the search field to find and add users one by one. Users not on the list will see an access-denied message when they try to open the plugin.
Restricting Users
The Restrict Users sub-tab lets you block specific users from the plugin entirely. Use this for users who should not have access under any circumstances (e.g., external contractors who should only use monday.com natively, or users whose access needs to be temporarily suspended).
Restricted users cannot:
- Log time or view worklogs
- Submit or view timesheets
- Request or view leave
- Access the scheduler, workload, or reports
The Permissions Tab in Settings
The Permissions tab in Settings contains three sub-tabs that control access and roles:
| Sub-tab | Purpose | Key actions |
|---|---|---|
| Manage Access | Control which users can use the plugin | Toggle "All Users" mode; add/remove individual users from the allowlist |
| Restrict Users | Block specific users from all plugin features | Add users to the restricted list; remove restrictions |
| App Admins | Grant full plugin management rights | Promote users to App Admin; revoke App Admin status |
Timesheet Permissions
Timesheet permissions control two things: who can approve timesheets and who can view other people's timesheets. These are configured in Settings › Timesheet Access, which has two sub-tabs: Approvers and Viewers.
How Permission Rules Work
Permission rules connect a target (whose timesheets are affected) to a grantee (who receives the permission). Each rule has three components:
| Component | Options | Description |
|---|---|---|
| Target type | All users, Team, User | Whose timesheets does this rule cover? "All users" means everyone; "Team" means all members of a specific team; "User" means one specific person. |
| Permission | Approve, View | What action does this rule grant? Approve includes the ability to approve, reject, and reopen timesheets. View grants read-only access. |
| Grantee | User, Team | Who receives this permission? Can be an individual user or all members of a team. |
Example rules:
- All users → Approve → Alice — Alice can approve timesheets for everyone in the workspace
- Team: Engineering → Approve → Bob — Bob can approve timesheets for all Engineering team members
- User: Charlie → Approve → Diana — Diana can approve only Charlie's timesheets
- All users → View → Team: HR — All HR team members can view everyone's timesheets (but not approve)
Users who have approval permission automatically get view access as well. You do not need to create a separate view rule for approvers.
Timesheet Approver Resolution
When a user submits a timesheet, the system automatically determines who should approve it. The approver is not manually selected by the submitter — it is resolved from the configured permission rules using a priority chain.
Approver Resolution Priority
If multiple rules match at the same priority level (e.g., two per-team rules), the earliest-created rule wins. If no matching rule is found and no admin exists, the submission fails with an error asking an admin to configure approval rules.
Setting Up Approvers
The Approvers sub-tab in Settings › Timesheet Access provides two ways to configure approval rules:
Rules (team-wide or workspace-wide)
Create broad rules that apply to teams or the entire workspace. Use the rule builder to select a target type (All users, Team), then select the grantee (user or team) who receives approval rights.
Per-User Assignments
Directly assign specific approvers to specific users. Multi-select is supported: select multiple users and multiple approvers to create all combinations in one action. Per-user assignments take priority over team rules and all-users rules.
Timesheet View Access
By default, users can only see their own timesheets and worklogs. Additional view access is granted through three mechanisms:
| Mechanism | Automatic? | Description |
|---|---|---|
| Self-access | Always | Every user can always view their own timesheets and worklogs. |
| Admin access | Always | Admins and App Admins can view all timesheets across the entire workspace. |
| Approver access | Automatic | Users with approval permission can view timesheets for the users they can approve. Approve implies view. |
| Explicit viewer | Manual setup | Additional users can be granted view-only access via the Viewers sub-tab without giving them approval rights. |
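The rule model, approver resolution, and view-access mechanisms described above, as an added Python sketch for access reviews; it is not the plugin's code. Ranking team rules above all-users rules, falling back to admins, and treating any covering rule as granting view are assumptions, and the team memberships are constructed around the page's four example rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    seq: int           # creation order (lower = created earlier)
    target_type: str   # "all", "team" or "user"
    target: str        # team or user name; "" for "all"
    permission: str    # "approve" or "view"
    grantee_type: str  # "user" or "team"
    grantee: str

# ASSUMPTION: the page only ranks per-user above the other two; team above all-users is this sketch's choice.
PRIORITY = {"user": 0, "team": 1, "all": 2}

def covers(rule, user, teams):
    """True if the rule's target includes `user`."""
    if rule.target_type == "team":
        return user in teams.get(rule.target, set())
    return rule.target_type == "all" or rule.target == user

def grantees(rule, teams):
    """Expand the grantee (a user or a team) into a set of user names."""
    return set(teams.get(rule.grantee, ())) if rule.grantee_type == "team" else {rule.grantee}

def resolve_approvers(user, rules, teams, admins):
    """Pick the winning Approve rule: most specific target, then earliest created."""
    hits = [r for r in rules if r.permission == "approve" and covers(r, user, teams)]
    if hits:
        return grantees(min(hits, key=lambda r: (PRIORITY[r.target_type], r.seq)), teams)
    if admins:  # ASSUMPTION: admins are the fallback when no rule matches
        return set(admins)
    raise LookupError("no approver found; an admin must configure approval rules")

def can_view(viewer, target, rules, teams, admins):
    """Self, admin, approver (Approve implies View) or explicit viewer.
    ASSUMPTION: any rule covering the target grants view, even a lower-priority one."""
    privileged = viewer == target or viewer in admins
    return privileged or any(covers(r, target, teams) and viewer in grantees(r, teams) for r in rules)

def self_approvers(users, rules, teams, admins):
    """Access-review check: users whose own timesheet would resolve to themselves."""
    return sorted(u for u in users if u in resolve_approvers(u, rules, teams, admins))

# Constructed sample: the page's four example rules plus made-up team membership.
TEAMS = {"Engineering": {"Charlie", "Erin"}, "HR": {"Hana"}}
RULES = [Rule(1, "all", "", "approve", "user", "Alice"),
         Rule(2, "team", "Engineering", "approve", "user", "Bob"),
         Rule(3, "user", "Charlie", "approve", "user", "Diana"),
         Rule(4, "all", "", "view", "team", "HR")]
```

Under this model `self_approvers` reports Alice, whose own timesheet resolves to herself through the all-users rule; whether the plugin permits that is worth confirming during an access review.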
Configuring Additional Viewers
The Viewers sub-tab in Settings › Timesheet Access shows two sections:
- Approvers (read-only list) — All users and teams that already have view access because they are approvers. These entries cannot be edited here; manage them in the Approvers tab.
- Additional Viewers — Add users or teams who should see timesheets but do not need approval rights. Typical use cases: HR managers, finance team members, project coordinators.
Leave Approval Permissions
Leave approval works differently from timesheet approval. Instead of rule-based resolution, leave uses a direct per-user approver assignment. Each user has one designated leave approver, configured by an Admin.
How Leave Approvers Are Assigned
Admins assign leave approvers in Settings › Leave Settings › Leave Approvers. The interface shows a table of all users with a dropdown to select each user's approver.
- Per-user assignment — Each user has exactly one leave approver
- Bulk assignment — Select multiple users with checkboxes, then assign the same approver to all of them in one action
How Leave Approval Works at Submission Time
When a user creates a leave request, the approver field in the form is automatically pre-filled and locked to their assigned approver. The user cannot change the approver. This ensures leave requests always follow the configured reporting structure.
Timesheet vs Leave Permissions: Key Differences
| Aspect | Timesheet Approval | Leave Approval |
|---|---|---|
| Assignment model | Rule-based (target → grantee with priority chain) | Direct per-user assignment (one approver per user) |
| Approver resolution | Automatic via priority chain at submission time | Pre-assigned, locked in the request form |
| Team-based rules | Supported | Not supported (per-user only) |
| All-users rules | Supported | Not supported |
| Admin override | Admins can approve any timesheet | Admins can only approve if they are the assigned approver |
| Configured in | Settings › Timesheet Access › Approvers | Settings › Leave Settings › Leave Approvers |
Leave Approval Actions
Only the assigned approver can act on leave requests. Unlike timesheets, admins have no special override — they must be explicitly assigned as the approver for a user to approve, reject, or revoke their leave.
| Action | Assigned Approver | Submitter |
|---|---|---|
| Approve a pending request | ||
| Reject a pending request | ||
| Recall own request (before approval) | — | |
| Request recall of approved leave | — | |
| Confirm or deny a recall request | ||
| Revoke approved leave | | |
Full Role Matrix
The table below shows what each role can do across all plugin features. Use this as a quick reference when setting up permissions for your team.
| Action | Team Member | Assigned Approver | Admin / App Admin | Restricted | Guest |
|---|---|---|---|---|---|
| Timesheet Approval | |||||
| Submit own timesheet | |||||
| Approve / reject timesheets | | Assigned only | All | | |
| Reopen approved timesheets | | Assigned only | All | | |
| View other users' timesheets | | | All | | |
| Configure approval rules | |||||
| Leave Management | |||||
| Request own leave | |||||
| Approve / reject leave | | Assigned only | Assigned only | | |
| Recall own leave | |||||
| Configure leave approvers | |||||
| Settings & Administration | |||||
| Access App Settings | |||||
| Manage board configurations | |||||
| Promote App Admins | | | monday.com Admin only | | |
| Use Resource Scheduler | |||||
| View Reports | |||||
Guest Users
monday.com Guest users (external collaborators invited to specific boards) are automatically restricted from time tracking, timesheet, and leave features. This restriction is enforced based on the user's monday.com account type — no manual configuration is needed.
Guest users:
- Cannot log worklogs or view time tracking data
- Cannot submit, view, or approve timesheets
- Cannot request or approve leave
- Can view the Resource Scheduler on boards they have access to (read-only)
Guest users in monday.com typically represent external clients, vendors, or contractors who should see project progress but not internal resource planning data like worklogs, timesheets, and leave balances.
My Settings (View Your Permissions)
Every user can see their own permission assignments by opening My Settings from the app sidebar. This read-only panel shows:
- Leave Approver — Who is assigned to approve your leave requests
- Timesheet Approver — Who is assigned to approve your timesheets (may show a user, team, or multiple approvers depending on rule configuration)
- Work Capacity Scheme — Your assigned work schedule
If any field shows "Not assigned," contact your Admin to set up the appropriate assignment.
Troubleshooting
Common permission-related issues and how to resolve them:
"No approver could be found" when submitting a timesheet
Cause: No timesheet approval rules have been configured, or no rule matches the submitting user.
Fix: Ask an Admin to go to Settings › Timesheet Access › Approvers and create at least one approval rule. An "All users" rule with a designated approver is the quickest way to unblock the team.
Cannot see other users' timesheets
Cause: You don't have view permission for the target user's timesheets. By default, users can only see their own data.
Fix: Ask an Admin to add you as an approver or viewer in Settings › Timesheet Access.
Cannot submit a leave request (no approver shown)
Cause: No leave approver has been assigned to you.
Fix: Ask an Admin to assign a leave approver in Settings › Leave Settings › Leave Approvers.
"Your access has been restricted" message
Cause: An Admin has added you to the restricted users list.
Fix: Contact your Admin to have your access restored via Settings › Permissions › Restrict Users.
Guest user cannot access plugin features
Cause: Guest users are automatically blocked from time tracking, timesheet, and leave features.
Fix: This is by design. If the user needs full plugin access, they must be converted from a Guest to a regular Member in monday.com account settings.
Approvals tab not visible in Timesheets
Cause: The Approvals tab only appears for users who are configured as approvers for at least one user.
Fix: Ask an Admin to set you up as an approver in Settings › Timesheet Access › Approvers.
Related Pages
- Settings & Configuration — Full reference for all settings tabs, including Permissions and Timesheet Access
- Timesheets — Timesheet submission, approval workflow, and status lifecycle
- Leave Management — Leave requests, approval, recall, and allocation
- Getting Started — Initial setup walkthrough including first-time permission configuration