Roles and Permissions
Role-based access control (RBAC) in EUlabel for different user types.
EUlabel uses role-based access control to manage what different users can see and do within an organization.
Only Platform Admins can modify roles, invite users, or manage organization settings. Contact your admin if you need elevated permissions.
At a glance
- Roles control what you can do; data classes control what you can see.
- A user can have different roles across different organizations.
- Public data remains accessible via QR scans; restricted/confidential data requires auth.
Roles
Brand Manager
Create/edit passports for owned products; view analytics; isolated from other brands
Compliance Officer
View compliance/regulatory datasets; cannot edit marketing content
Retail Partner
Read-only access to products they sell; limited commercial visibility
Supplier
Submit ingredient/certification data for assigned products
Platform Admin
Full access to tenant configuration, role management, and monitoring
Permission model
Permissions are evaluated through a chain:
User -> Organization (tenant) -> Role -> Permission setA user can belong to multiple organizations with different roles in each. For example, a brand manager at one company may also be a read-only viewer at another.
Data visibility
Product data has different access levels aligned with ESPR requirements:
Public data is served to anyone scanning the QR code. Restricted and confidential data requires authentication and the appropriate role.
Enterprise SSO
Enterprise customers can connect their corporate identity provider (Okta, Azure AD, Google Workspace) for single sign-on. SSO is configured per organization by the customer's IT admin.