This is done via the Role based Security framework in AX. You will need to create new roles for each function ( basic employee, employee with expense entry capability, employee with requisition entry capability, manager with expense approval and entry etc. )
Each role is comprised of duties, each duty is comprised of individual privileges. Each privilege is comprised of individual entry points, which are the URLs, links, reports, and actions. This is true in EP as well as in the AX client.
Please review the security role development process at http://community.dynamics.com/product/ax/axtechnical/b/brandongeorge/archive/2012/03/06/ax-2012-security-development-tool-beta.aspx