I suppose there are a couple of way to manage this and you will get a few responses.
You want to control the low level employee access to only see their records. Not a detailed explanation, but here are some ideas:
Control the found set through finds or relationships based on account name. A table with account names and UUIDs?
Run in Kiosk mode or use custom menus to control record navigation.
I would not discount implementing security at the layout level especially as you want a workflow type process for time off requests. IMHO this seems like a great use case for record level security implementation by role and record status. The details of how you have set up your tables will have a significant impact on how complex the security implementation becomes.
As BT said there are many ways to "skin this cat".
Let's say you create a new table called "TimeOffRequests". In that table, you create a field called "z_Creator", of type Text with an auto-enter calculation that enters the AccountName on creation.
If you have a privilege set set up for Employees, then you'd go into Security for that privilege set, and select Custom Privileges in the Records area. Click on the table called "TimeOffRequests, and in the View column, select "Limited...". For your formula, you'd use: "TimeOffRequests::z_Creator = Get ( AccountName )".
Show All Records would still show records which an employee didn't create, but normal finds would auto-filter out the records which the user was not entitled to view.
There are other ways, but that's a good start.