Tesouro uses role-based access control (RBAC) to manage what actions organization users can perform. When you create a role, you specify a set of permissions that define which actions are allowed on which objects.

Permission types

The following permission types are available:
  • not_allowed (default) - the specified action is not allowed.
  • allowed - the specified action is always allowed.
  • allowed_for_own - the specified action is allowed to be performed only on the objects created by this organization user.

List of permissions

Below is the list of all permissions available in the Tesouro RBAC system:
| object_type | action_name | Description |
|---|---|---|
| approval_policy | create, read, update, delete | Grants organization users permissions to create, view, update, and delete Approval policies. |
| approval_request | create, read, update, delete | Defines an organization user’s ability to perform actions on approval requests. |
| comment | create, read, update | Controls the ability to create, view, and update comments. |
| counterpart | create, read, update, delete | Allows the organization user to create, view, update, and delete counterparts. |
| counterpart_vat_id | create, read, update, delete | Allows access to perform actions on counterpart VAT IDs. |
| delivery_note | create, read, update, delete | Controls the ability to create, view, update, and delete delivery notes. |
| entity | read, update | Controls the ability to read and update organization information. |
| entity_bank_account | create, read, update, delete | Allows access to perform actions on organization bank accounts. |
| entity_vat_ids | create, read, update, delete | Allows access to perform actions on organization VAT IDs. |
| entity_user | create, read, update, delete | Controls the ability to create, view, update, and delete organization users. |
| export | create, read | Allows access to perform actions on data exports. |
| mailbox | create, read, delete | Allows access to perform actions on mailboxes. |
| ocr_task | create, read, update, delete | Controls the ability to perform actions related to generic OCR. |
| onboarding | create, read, update | Controls the ability to perform actions related to organization onboarding. |
| overdue_reminder | create, read, update, delete | Allows access to create, view, update, and delete overdue reminders. |
| payable | create, create_from_mail, read, update, delete, submit, approve, cancel, pay | Allows the organization user to perform actions on a payable. |
| payables_purchase_order | create, read, update, delete | Controls the organization user’s ability to create, view, update, and delete purchase orders. |
| payment_record | create, read | Allows the organization user to create and view payment records. |
| payment_reminder | create, read, update, delete | Allows access to create, view, update, and delete payment reminders. |
| person | create, read, update, delete | Controls the ability to create, view, update, and delete persons associated with an organization. |
| product | create, read, update, delete | Controls the ability to create, view, update, and delete products. |
| project | create, read, update, delete | Controls the ability to create, view, update, and delete projects. |
| receipt | create, create_from_mail, read, update, delete | Allows the organization user to perform actions on a receipt. |
| receivable | create, read, update, delete | Allows the organization user to perform actions on a receivable. |
| role | create, read, update, delete | Controls the ability to create, view, update, and delete user roles. |
| tag | create, read, update, delete | Controls the ability to create, view, update, and delete tags. |
| transaction | create, read, update, delete | Controls the ability to create, view, update, and delete transactions. |
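
The three permission types and the permission list above can be modelled as a small default-deny evaluator. This is an added example, not Tesouro code: the role layout (a mapping from object_type and action_name to a permission type), the function names, and the rule that an object with no known creator is denied are assumptions made for illustration, and the catalogue is only a subset of the list above.

```python
# Added illustration: models the three permission types described on this page.
# The role layout and function names are assumptions, not Tesouro's API schema.

# Subset of the page's permission list: object_type -> valid action names.
CATALOGUE = {
    "payable": {"create", "create_from_mail", "read", "update", "delete",
                "submit", "approve", "cancel", "pay"},
    "comment": {"create", "read", "update"},
    "entity": {"read", "update"},
    "role": {"create", "read", "update", "delete"},
}
PERMISSION_TYPES = {"not_allowed", "allowed", "allowed_for_own"}


def validate_role(role):
    """Return a list of problems: pairs or permission types not in the catalogue."""
    problems = []
    for (object_type, action), permission in role.items():
        if action not in CATALOGUE.get(object_type, set()):
            problems.append(f"unknown permission {object_type}:{action}")
        if permission not in PERMISSION_TYPES:
            problems.append(f"unknown type {permission!r} for {object_type}:{action}")
    return problems


def is_allowed(role, user_id, object_type, action, created_by=None):
    """Decide one request. Anything the role does not mention is not_allowed."""
    permission = role.get((object_type, action), "not_allowed")
    if permission == "allowed":
        return True
    if permission == "allowed_for_own":
        # Only objects created by this user; an unknown creator is denied (assumption).
        return created_by is not None and created_by == user_id
    return False  # not_allowed, or an unrecognised value: fail closed


# Constructed sample role for an accounts-payable clerk.
CLERK = {
    ("payable", "create"): "allowed",
    ("payable", "read"): "allowed",
    ("payable", "update"): "allowed_for_own",
    ("payable", "submit"): "allowed_for_own",
}
```

With this role, the clerk can update or submit only payables they created, and approve and pay stay denied because the role never mentions them.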