Roles & permissions

Roles control who can see and do what in Momentumpro. Permissions are fine-grained — over 200 of them across the platform — and bundled into roles for ease of use.

Default roles

Every new tenant ships with these roles:

You can use these as-is, modify them, or build your own.

Editing a role

1. Admin → Roles → [Role].
2. The permissions list is grouped by module — Employees, Attendance, Documents, etc.
3. Tick / untick individual permissions.
4. Save.

Users with that role get the changes on their next page load.

Creating a custom role

1. Admin → Roles → New role.
2. Name it (e.g. "Branch Manager — Tel Aviv").
3. Either:
   • Start from blank — tick only what you need.
   • Copy from existing — duplicate "Manager" and tweak.
4. Save.

Assigning roles

A user can have multiple roles — permissions are the union (most permissive wins).

1. Open the user.
2. Roles & permissions tab.
3. Tick the roles to assign.
4. Save.

For bulk:

• Admin → Users → Bulk action → Assign role.

Permission scope

Some permissions are scoped:

• view_employees — sees all employees.
• view_employees:own_department — sees only their department.
• view_employees:direct_reports — sees only their direct reports.

When you tick view_employees, you can pick the scope on the right.

Auditing

Who did what when:

• Admin → Activity Log shows every permission change.
• Admin → Roles → [Role] → History shows the history of that specific role.

Best practice

• Don't assign Admin liberally. It's a god role.
• Use department-scoped roles for managers — they shouldn't see other departments by default.
• Review roles quarterly — people's responsibilities drift.

Next step

SSO & two-factor →