# Roles & Permissions

> Understand the access control model and manage who can do what

## Roles Overview

Who's OOO uses a simple three-tier role model. Roles **do not inherit** from each other — an Admin does not automatically have Manager permissions.

| Role | Description |
|---|---|
| **Admin** | Manage all users, teams, and leave types. Approve or reject any leave request. Import public holiday calendars. Configure application settings. |
| **Manager** | View and manage direct reports. Approve or reject leave requests from their team. See team-scoped dashboard data. |
| **User** | Submit leave requests. View personal leave balance. Update profile and connected services. |

> **Warning:** Roles do not inherit. If someone needs both Admin and Manager capabilities, both roles must be explicitly assigned.

## Assigning Roles

User roles are set when [creating or inviting a user](/docs/user-invitations). Admins can change a user's role from **My Organization** by editing the user's details.

A user can have the Manager role without any direct reports — they will not see any pending approvals until reports are assigned.
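The no-inheritance rule and the Manager-without-reports case can be modelled as follows. This is an added example, not Who's OOO's own code: the permission names, the `Account` class, the `approvable_requests` helper and the sample data are hypothetical, mapped from the roles table above.

```python
from dataclasses import dataclass, field

# Hypothetical permission labels for the capabilities listed in the roles table.
ROLE_PERMISSIONS = {
    "admin": {"manage_users", "manage_teams", "manage_leave_types",
              "approve_any_leave", "import_holidays", "configure_settings"},
    "manager": {"manage_direct_reports", "approve_team_leave", "view_team_dashboard"},
    "user": {"submit_leave", "view_own_balance", "update_profile"},
}

@dataclass
class Account:
    name: str
    roles: set                                   # explicitly assigned roles only
    direct_reports: set = field(default_factory=set)

def permissions(account):
    """Union of the permissions of each assigned role; no role implies another."""
    granted = set()
    for role in account.roles:
        granted |= ROLE_PERMISSIONS[role]        # unknown role raises KeyError (fails closed)
    return granted

def can(account, permission):
    return permission in permissions(account)

def approvable_requests(account, requests):
    """Pending (requester, status) requests this account may approve or reject."""
    pending = [r for r in requests if r[1] == "pending"]
    if can(account, "approve_any_leave"):        # Admin: any leave request
        return pending
    if can(account, "approve_team_leave"):       # Manager: direct reports only
        return [r for r in pending if r[0] in account.direct_reports]
    return []

# Constructed sample data for illustration.
REQUESTS = [("dana", "pending"), ("eli", "pending"), ("dana", "approved")]
admin_only = Account("alice", {"admin"})
admin_and_manager = Account("bob", {"admin", "manager"}, {"dana"})
manager_no_reports = Account("carol", {"manager"})
manager_with_report = Account("dave", {"manager"}, {"eli"})

if __name__ == "__main__":
    print(can(admin_only, "view_team_dashboard"))          # Admin alone lacks Manager scope
    print(approvable_requests(manager_no_reports, REQUESTS))
```

When auditing role assignments, the same union-of-roles check helps spot accounts that hold Admin but were expected to have team-scoped Manager views as well.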

