Kova uses role-based access control (RBAC) with 4 immutable system roles and unlimited custom roles.
System Roles
| Role | Description | Can be deleted? |
|------|------------|----------------|
| **Owner** | Full access to everything. One per organization. | No |
| **HR Admin** | Manages employees, hiring, leave, performance, payroll. | No |
| **Manager** | Department-scoped access. Approves leave, conducts reviews. | No |
| **Employee** | Self-service only. Views own data, submits requests. | No |
Custom Roles (Core+ Plan)
Create custom roles in **Settings → Roles**. Each role is a combination of:
- **14 Modules:** Employees, Hiring, Onboarding, Leave, Attendance, Performance, OKRs, Payroll, Learning, HR Assistant, Reports, Settings, Audit, Partners
- **6 Actions:** Create, Read, Update, Delete, Approve, Export
- **4 Scopes:** Own (self only), Department (user's department), All (org-wide), Global (cross-entity)

**Example:** A "Payroll Specialist" role might have: Payroll (Create, Read, Update, Approve — All scope) + Employees (Read — All scope).
How Permissions Are Enforced
Permissions are enforced at three levels:
1. **Middleware** — checks permissions before rendering pages.
2. **API routes** — validate permissions on every request.
3. **Database** — row-level security (RLS) policies use a `has_permission()` Postgres function.

This means even if someone bypasses the UI, the database itself blocks unauthorized access.
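To make the module × action × scope model and the deny-by-default `has_permission()` check concrete, here is an added example in Python. It is not Kova's code and not its Postgres function; it is a constructed model that mirrors the semantics described above (a grant is one module, one action and one scope; a request is allowed only if some role the user holds carries a matching grant whose scope covers the record). The `User`, `Record`, `org_id` and `department` fields, the "Payroll Specialist" grants and the cut-down "Employee" role are all assumptions made for the example.

```python
"""Constructed model of a module x action x scope permission check.
Illustrative only; not Kova's implementation."""
from dataclasses import dataclass

# The 14 modules, 6 actions and 4 scopes listed on the page.
MODULES = frozenset({
    "Employees", "Hiring", "Onboarding", "Leave", "Attendance", "Performance",
    "OKRs", "Payroll", "Learning", "HR Assistant", "Reports", "Settings",
    "Audit", "Partners",
})
ACTIONS = frozenset({"Create", "Read", "Update", "Delete", "Approve", "Export"})
SCOPES = frozenset({"Own", "Department", "All", "Global"})


@dataclass(frozen=True)
class Grant:
    module: str
    action: str
    scope: str


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str          # assumed tenant/organization identifier
    department: str
    roles: tuple         # names of roles held by this user


@dataclass(frozen=True)
class Record:
    """The row being accessed: who owns it, and which org/department it belongs to."""
    owner_id: str
    org_id: str
    department: str


# Role registry: role name -> set of grants. Populated by define_role().
ROLES: dict = {}


def define_role(name, grants):
    """Register a role from (module, action, scope) triples, rejecting unknown
    values so a typo can never silently create a grant that matches nothing."""
    parsed = set()
    for module, action, scope in grants:
        if module not in MODULES or action not in ACTIONS or scope not in SCOPES:
            raise ValueError(f"invalid grant: {(module, action, scope)!r}")
        parsed.add(Grant(module, action, scope))
    ROLES[name] = frozenset(parsed)


def scope_allows(scope, user, record):
    """Does a grant of this scope cover this record for this user?"""
    if scope == "Own":                              # self only
        return record.owner_id == user.user_id
    if scope == "Department":                       # user's own department
        return record.org_id == user.org_id and record.department == user.department
    if scope == "All":                              # org-wide, never across orgs
        return record.org_id == user.org_id
    if scope == "Global":                           # cross-entity
        return True
    return False                                    # unknown scope: deny


def has_permission(user, module, action, record):
    """Deny by default: allow only if some role held by the user carries a grant
    for exactly this module and action whose scope covers the record."""
    for role_name in user.roles:
        for grant in ROLES.get(role_name, frozenset()):
            if (grant.module == module and grant.action == action
                    and scope_allows(grant.scope, user, record)):
                return True
    return False


# Constructed roles: the page's "Payroll Specialist" example, plus a cut-down
# stand-in for the Employee system role (self-service only).
define_role("Payroll Specialist", [
    ("Payroll", "Create", "All"), ("Payroll", "Read", "All"),
    ("Payroll", "Update", "All"), ("Payroll", "Approve", "All"),
    ("Employees", "Read", "All"),
])
define_role("Employee", [
    ("Employees", "Read", "Own"), ("Leave", "Create", "Own"), ("Leave", "Read", "Own"),
])

# Constructed users and records.
ALICE = User("u-alice", "org-1", "Finance", ("Payroll Specialist",))
BOB = User("u-bob", "org-1", "Engineering", ("Employee",))
BOB_PAYROLL = Record(owner_id="u-bob", org_id="org-1", department="Engineering")
OTHER_ORG_PAYROLL = Record(owner_id="u-zoe", org_id="org-2", department="Finance")

if __name__ == "__main__":
    print(has_permission(ALICE, "Payroll", "Approve", BOB_PAYROLL))        # True
    print(has_permission(ALICE, "Payroll", "Export", BOB_PAYROLL))         # False: no Export grant
    print(has_permission(ALICE, "Payroll", "Approve", OTHER_ORG_PAYROLL))  # False: All is org-wide only
    print(has_permission(BOB, "Payroll", "Read", BOB_PAYROLL))             # False: Employee has no Payroll grant
```

The same function is what each of the three enforcement levels above would call: middleware before rendering, the API route on each request, and an RLS policy in the database (where the equivalent check runs inside Postgres against the row being read or written). Because the decision is deny-by-default and keyed on the record's own org and department, the "All" scope of the Payroll Specialist cannot reach rows in another organization, and an "Own"-scoped Employee cannot read a colleague's record.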