02 Live 2025

Workly — Timesheets & Internal Operations

Timesheets, leave, documents, tickets, assets and stock — multi-tenant, configurable per company.

Workforce · Internal ops · Multi-tenant SaaS

Context

Companies need time tracking, leave, and internal operations (documents, tickets, assets, stock) in one place, without the cost of an enterprise system. The challenge: a SaaS product serving many companies, each with its own active modules and total data isolation.

What I built

  • Per-company configurable time tracking — 3 modes (manual edit, Punch In/Out, centralized) + leave with rules (Labor Code) and hierarchical approvals.
  • Per-tenant toggleable operations modules: documents, tickets, an assets manager and a stock manager (fail-closed module gating — UI hidden + API blocked when off).
  • Multi-tenant isolation with EF Core global query filters and hierarchical RBAC (a manager sees only direct reports).

Technical highlights

Field-level encryption

AES-256-GCM with per-tenant HKDF-SHA256 key derivation — sensitive data is encrypted individually.
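An added example, not Workly's own code: one way to build this scheme in C# on .NET 8, with a key derived per tenant through HKDF-SHA256 and each value sealed with AES-256-GCM. The `FieldCrypto` class, the envelope layout, the HKDF `info` string, the field name used as associated data and the demo values are all assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed demo values; a real master key would come from a secret store.
byte[] master = RandomNumberGenerator.GetBytes(32);
Guid tenantA = Guid.NewGuid(), tenantB = Guid.NewGuid();
string stored = FieldCrypto.Protect(master, tenantA, "Employee.NationalId", "1234567890");
Console.WriteLine(FieldCrypto.Unprotect(master, tenantA, "Employee.NationalId", stored));
try { FieldCrypto.Unprotect(master, tenantB, "Employee.NationalId", stored); }
catch (CryptographicException) { Console.WriteLine("Tenant B's key rejects tenant A's value."); }

// Hypothetical helper (illustration only).
public static class FieldCrypto
{
    private const int NonceSize = 12, TagSize = 16;

    // One 256-bit key per tenant: the tenant id is bound into the HKDF info input.
    private static byte[] DeriveTenantKey(byte[] masterKey, Guid tenantId) =>
        HKDF.DeriveKey(HashAlgorithmName.SHA256, masterKey, 32,
            salt: null, info: Encoding.UTF8.GetBytes($"field-enc:v1:{tenantId:N}"));

    // Envelope: nonce(12) || tag(16) || ciphertext, Base64-encoded for a text column.
    public static string Protect(byte[] masterKey, Guid tenantId, string field, string plaintext)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh for every value
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct = new byte[pt.Length];
        byte[] tag = new byte[TagSize];
        using var aes = new AesGcm(DeriveTenantKey(masterKey, tenantId), TagSize);
        // The field name as associated data stops a ciphertext being moved to another column.
        aes.Encrypt(nonce, pt, ct, tag, Encoding.UTF8.GetBytes(field));
        byte[] env = new byte[NonceSize + TagSize + ct.Length];
        nonce.CopyTo(env, 0);
        tag.CopyTo(env, NonceSize);
        ct.CopyTo(env, NonceSize + TagSize);
        return Convert.ToBase64String(env);
    }

    public static string Unprotect(byte[] masterKey, Guid tenantId, string field, string envelope)
    {
        byte[] env = Convert.FromBase64String(envelope);
        if (env.Length < NonceSize + TagSize) throw new CryptographicException("Envelope too short.");
        byte[] pt = new byte[env.Length - NonceSize - TagSize];
        using var aes = new AesGcm(DeriveTenantKey(masterKey, tenantId), TagSize);
        // Throws CryptographicException on a wrong tenant, wrong field or modified bytes.
        aes.Decrypt(env.AsSpan(0, NonceSize), env.AsSpan(NonceSize + TagSize),
                    env.AsSpan(NonceSize, TagSize), pt, Encoding.UTF8.GetBytes(field));
        return Encoding.UTF8.GetString(pt);
    }
}
```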

IDOR-safe hierarchical RBAC

BFS hierarchy traversal to decide what each role sees, with no direct object references exposed.

Flexible time tracking + network perimeter

3 punch modes per company, plus restriction to allowed IPs (Office-IP, CIDR support).

Secured on Azure

Documents in Azure Blob Storage — encrypted at rest and in transit, with geo-redundant storage (GRS) for backup and durability; application secrets in Azure Key Vault.
