Time Tracker User Roles
Each group in Time Tracker has a customizable collection of roles, to one of each every user is assigned. In addition, there is a broader Administrator
role to manage an entire Time Tracker application. Role editor is available from a link in Group settings
Accessing Role Editor from Group settings
Each role is assigned with a set of access rights, each allowing access to something, and also has an integer attribute called rank
, which is explained here
Below are descriptions of predefined roles.
user installs and initially configures Time Tracker. He or she usually creates the first group. The administrator can also manage groups and import group data from another Time Tracker server. The default login for Administrator is admin
and the default password is secret
. You can also use admin@localhost
- this special login is always authenticated against a database even in LDAP installations. Note: admin@localhost is available since Time Tracker 22.214.171.12443. Administrator role is not editable.
- administer_site - can administer a site as a whole.
Top manager is a top role in a group, which may contain subgroups. A group
in this case is the entire organization. This non-editable role has a full collection of possible access rights, with an exception of "administer_site"
, which is reserved for a system administrator (see the Administrator
role above). In other words, top manager role is an intrinsic, non-editable role for a general manager in an organization (root manager) with all possible rights in a group and all its subgroups all the way down. It is assigned to a person who creates the organization. Note: you can host multiple organizations on one Time Tracker server. Accounts in one organization
(top group) do not relate to accounts in other organizations (other top groups) in any way.
- All default Manager role rights. They are described below.
- view_client_unapproved - a client, when assigned this right, can view unapproved entries in client reports. This right is here for top manager to be able to assign it to a client role when necessary.
- delete_group - can delete a group and all subgroups.
Users work with Time Tracker by entering data and generating reports and timesheets for themselves. By default, they do not have any management rights. Primary function for users is data entry and viewing their own data.
Default rank: 4.
Default User role access rights:
- track_own_time - can track own time.
- track_own_expenses - can track own expenses.
- view_own_reports - can view own reports.
- view_own_charts - can view own charts.
- view_own_projects - can view assigned project names and their descriptions.
- view_own_tasks - can view tasks for assigned projects and their descriptions.
- manage_own_settings - can edit own settings such as account password.
- view_users - can view user names and roles in a group.
Supervisors have a small set of management functions in a group. They have all of default User
role permissions plus the following.
- track_time - can track time on behalf of lower rank roles.
- track_expenses - can track expenses on behalf of lower rank roles.
- view_reports - can view reports for lower rank roles.
- approve_reports - can approve reports for lower rank roles.
- approve_timesheets - can approve timesheets for lower rank roles.
- view_charts - can view charts for lower rank roles.
- view_own_clients - can view clients assigned to own projects.
- override_punch_mode - can input any start and finish times for lower rank roles (not self).
- override_own_punch_mode - can override punch mode for self.
- override_date_lock - can override date lock for lower rank roles.
- override_own_date_lock - can override date lock for self.
- swap_roles - succession mechanism, allows a person to swap roles with someone having a smaller role rank and a smaller set of rights.
- update_work - can update work items in progress (for remote work plugin - work in progress).
Client role is used with the Clients plugin
. When it is enabled, a client user (which is external to a group) can be provided with a login to view own data such as reports, charts, and invoices. Clients do not have the track_own_time
right but can view what is entered into Time Tracker by other users and is associated with this client.
Default client role access rights:
- view_client_reports - can view reports for client account.
- view_client_invoices - can view invoices for client account.
- manage_own_settings - can edit own settings such as email, password, etc.
Co-manager performs some of group management tasks such as working with users, projects, tasks, generating reports, and invoices. This role is useful for big groups. Small groups may do without co-managers. This role is almost like a group manager, but some tasks still require a manager to login. In other words, a co-manager is a person with an extended set of group management functions, who is helping a group manager with most of the work. Has all of the Supervisor
role permissions plus the following.
- manage_own_account - can modify own login, name, and email.
- manage_users - can add, modify, delete, and assign roles to users with role's rank less than self.
- manage_projects - has full access to project management.
- manage_tasks - has full access to task management.
- manage_custom_fields - has full access to custom field management.
- manage_clients - has full access to client management.
- manage_invoices - has full access to invoice management.
- override_allow_ip - can override access restriction based on IP address in group settings.
- manage_basic_settings - can manage basic group settings such as language, currency, date and time formats.
- view_all_reports - can view reports for all members of the group including users with higher rank.
- manage_work - can create and edit work items and accept bids (for remote work plugin, which is work in progress).
- bid_on_work - can bid on work items from other groups (for remote work plugin).
Manager supervises a group of users, clients, supervisors, and co-managers by having most of access to group data. A person with mostly full set of permissions to a group and the entire tree of its subgroups. Has all of the Co-manager
role permissions plus the following.
- manage_features - can enable or disable plugins (features) for a group.
- manage_advanced_settings - can manage advanced group settings such as group name, bcc, allow IP, some plugin options, configure notifications, templates, etc.
- manage_roles - can create, modify, and delete roles (including custom roles) with rank less than self. Is able to add permissions that they have themselves.
- export_data - can export group and all subgroups data to an XML file.
- approve_all_reports - can approve reports for all members of the group including users with higher rank.
- approve_own_timesheets - can approve own timesheets.
- manage_subgroups - can add, modify, and delete subgroups. Essentially, it gives a capability to create subgroups and assume group manager role in there and all subgroups below.
A user with manage_roles
permission has a capability to create and modify additional custom roles in group. New roles can be assigned a subset of access rights that such user has. This is accomplished with Role editor
as explained below. The same editor can be used to customize or delete pre-defined roles.
Using Role Editor
To access Role Editor
go to the Group
page, and click on the Configure
link to the right of the Roles
label. Below is a picture of how Role Editor screen may look like. There are active group roles on top and inactive on bottom. Here, you can:
- Edit an already existing role using the pencil icon.
- Delete role using a red cross icon.
- Add custom roles using the Add button.
Role Editor in Time Tracker
Let's see how editing roles work. A picture below shows an example when we edit a Co-manager
role. On this screen, we can:
- Change role name, description, and status.
- Change role rank. It is used in access checks for situations of accessing other users data. If user can do something, then it is normally for users with roles of lower rank.
- Modify rights assigned to role. Do so by selecting a right in the list and then clicking either the Add or Delete button.
Time Tracker User Guide
Editing a Co-manager role in Time Tracker