You should change the record rule that allows "write" on a timesheet.

For example, the following rule will allow a user to create, view and update only his own timesheet.

<!-- basic users can only view their timesheets-->
<record model="ir.rule" id="timesheet_users">
    <field name="name">Allow users to view only their own timesheets</field>
    <field name="model_id" ref="hr_timesheet_sheet.model_hr_timesheet_sheet_sheet"/>
    <field name="groups" eval="[(4, ref('base.group_user'))]"/>
    <field name="domain_force">['|',('employee_id.user_id','=',user.id),('employee_id','=',False)]</field>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_unlink" eval="False"/>
    <field name="perm_create" eval="True"/>
</record>

Since there is now a security rule defined for the timesheets, you should create another rule to give full access for, for example, hr managers:

<!-- HR manager can see all timesheets -->
<record model="ir.rule" id="timesheet_hr_manager">
    <field name="name">Allow HR manager to see all timesheets</field>
    <field name="model_id" ref="hr_timesheet_sheet.model_hr_timesheet_sheet_sheet"/>
    <field name="groups" eval="[(4, ref('base.group_hr_manager'))]"/>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="False"/>
    <field name="perm_unlink" eval="False"/>
    <field name="perm_create" eval="False"/>
</record>

Will anybody be kind enough to post a reply. We are very much stuck.