Roles and Permissions
Role-based access control (RBAC) in EUlabel for different user types.
EUlabel uses role-based access control to manage what different users can see and do within an organization.
Roles
| Role | Permissions |
|---|---|
| Brand Manager | Create and edit passports for products in their portfolio. View scan analytics. Cannot access other brands' data. |
| Compliance Officer | View regulatory datasets and compliance validation results. Cannot edit product descriptions or marketing content. |
| Retail Partner | Read-only access to product information for products they sell. Cannot see cost data or supplier details. |
| Supplier | Submit ingredient data and upload certifications for assigned products. Cannot view other suppliers' submissions. |
| Platform Admin | Full access to platform configuration, tenant management, and system monitoring. |
Permission model
Permissions are evaluated through a chain:
User -> Organization (tenant) -> Role -> Permission set

A user can belong to multiple organizations with different roles in each. For example, a brand manager at one company may also be a read-only viewer at another.
Data visibility
Product data has different access levels aligned with ESPR requirements:
| Data Class | Who Can Access | Examples |
|---|---|---|
| Public | Anyone (QR scan, unauthenticated) | Product descriptions, ingredients, nutrition, conformity certificates |
| Restricted | Authenticated users with appropriate role | Supply chain details, batch-level lab data, manufacturing information |
| Confidential | Organization admins only | Pricing, supplier agreements, internal notes |
Public data is served to anyone scanning the QR code. Restricted and confidential data requires authentication and the appropriate role.
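The sketch below is an added example, not EUlabel's own code. It resolves the role per (user, organization) pair, as in the permission chain, and then gates each data class, denying by default. The permission names, the `ORG_ADMINS` set, the choice of which role holds restricted access, and all sample records are assumptions constructed for illustration.

```python
# Added example; every name below is hypothetical, not an EUlabel identifier.
ROLE_PERMISSIONS = {
    "brand_manager": frozenset({"passport:edit", "analytics:view", "data:restricted"}),
    "retail_partner": frozenset({"product:read"}),
}

# Constructed memberships: the role hangs off the (user, organization) pair,
# never off the user alone.
MEMBERSHIPS = {
    ("alice", "org-a"): "brand_manager",
    ("alice", "org-b"): "retail_partner",
}
ORG_ADMINS = {("carol", "org-a")}  # assumed representation of "organization admins"


def permissions_for(user, org):
    """Walk User -> Organization -> Role -> Permission set, denying by default."""
    role = MEMBERSHIPS.get((user, org))  # None for anonymous users and non-members
    return ROLE_PERMISSIONS.get(role, frozenset())


def can_read(user, org, data_class):
    """Decide read access to one field of a product owned by `org`."""
    if data_class == "public":
        return True  # served to anyone scanning the QR code
    if user is None:
        return False  # restricted and confidential data require authentication
    if data_class == "restricted":
        return "data:restricted" in permissions_for(user, org)
    if data_class == "confidential":
        return (user, org) in ORG_ADMINS
    return False  # unknown data class: fail closed


# Constructed product record: field -> (data class, value)
PRODUCT = {
    "ingredients": ("public", "olives"),
    "batch_lab_data": ("restricted", "constructed lab result"),
    "pricing": ("confidential", "constructed price"),
}


def visible_fields(user, org):
    """Return the field names `user` may read on a product owned by `org`."""
    return sorted(f for f, (cls, _) in PRODUCT.items() if can_read(user, org, cls))


if __name__ == "__main__":
    for who, org in [(None, "org-a"), ("alice", "org-a"), ("alice", "org-b")]:
        print(who, org, visible_fields(who, org))
```

The same user sees restricted fields in the organization where she is a brand manager and only public fields in the one where she is a retail partner, because the lookup key includes the tenant.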
Enterprise SSO
Enterprise customers can connect their corporate identity provider (Okta, Azure AD, Google Workspace) for single sign-on. SSO is configured per organization by the customer's IT admin.