> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tesouro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Permissions

> Reference for all role-based access control (RBAC) permission types and objects available in the Tesouro platform.

Tesouro uses role-based access control (RBAC) to manage what actions organization users can perform. When you [create a role](/finops/guides/organizations/users#create-a-user-role), you specify a set of permissions that define which actions are allowed on which objects.

## Permission types

The following permission types are available:

* `not_allowed` (default) - the specified action is not allowed.
* `allowed` - the specified action is always allowed.
* `allowed_for_own` - the specified action is allowed to be performed only on the objects created by this organization user.

## List of permissions

Below is the list of all permissions available in the Tesouro RBAC system:

| object\_type              | action\_name                                                                                   | Description                                                                                                                                              |
| ------------------------- | ---------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `approval_policy`         | `create`, `read`, `update`, `delete`                                                           | Grants organization users permissions to create, view, update, and delete [Approval policies](/finops/guides/accounts-payable/approvals/policies/index). |
| `approval_request`        | `create`, `read`, `update`, `delete`                                                           | Defines an organization user's ability to perform actions on [approval requests](/finops/guides/accounts-payable/approvals/policies/approval-requests).  |
| `comment`                 | `create`, `read`, `update`                                                                     | Controls the ability to create, view, and update [comments](/finops/guides/accounts-payable/payables/comments).                                          |
| `counterpart`             | `create`, `read`, `update`, `delete`                                                           | Allows the organization user to create, view, update, and delete [counterparts](/finops/guides/common/counterparts/index).                               |
| `counterpart_vat_id`      | `create`, `read`, `update`, `delete`                                                           | Allows access to perform actions on [counterpart VAT IDs](/finops/guides/common/counterparts/vat-ids).                                                   |
| `delivery_note`           | `create`, `read`, `update`, `delete`                                                           | Controls the ability to create, view, update, and delete [delivery notes](/finops/guides/accounts-receivable/delivery-notes).                            |
| `entity`                  | `read`, `update`                                                                               | Controls the ability to read and update [organization information](/finops/guides/organizations/index).                                                  |
| `entity_bank_account`     | `create`, `read`, `update`, `delete`                                                           | Allows access to perform actions on [organization bank accounts](/finops/guides/organizations/bank-accounts).                                            |
| `entity_vat_ids`          | `create`, `read`, `update`, `delete`                                                           | Allows access to perform actions on [organization VAT IDs](/finops/guides/organizations/vat-ids).                                                        |
| `entity_user`             | `create`, `read`, `update`, `delete`                                                           | Controls the ability to create, view, update, and delete [organization users](/finops/guides/organizations/users).                                       |
| `export`                  | `create`, `read`                                                                               | Allows access to perform actions on [data exports](/finops/reference/openapi/data-export/get-data-exports).                                              |
| `mailbox`                 | `create`, `read`, `delete`                                                                     | Allows access to perform actions on [mailboxes](/finops/guides/advanced/mailboxes#manage-mailboxes).                                                     |
| `ocr_task`                | `create`, `read`, `update`, `delete`                                                           | Controls the ability to perform actions related to [generic OCR](/finops/guides/advanced/ocr).                                                           |
| `onboarding`              | `create`, `read`, `update`                                                                     | Controls the ability to perform actions related to [organization onboarding](/finops/guides/payments/onboarding/index).                                  |
| `overdue_reminder`        | `create`, `read`, `update`, `delete`                                                           | Allows access to create, view, update, and delete [overdue reminders](/finops/guides/accounts-receivable/invoices/overdue-reminders).                    |
| `payable`                 | `create`, `create_from_mail`, `read`, `update`, `delete`, `submit`, `approve`, `cancel`, `pay` | Allows the organization user to perform actions on a [payable](/finops/guides/accounts-payable/payables/index).                                          |
| `payables_purchase_order` | `create`, `read`, `update`, `delete`                                                           | Controls the organization user's ability to create, view, update, and delete [purchase orders](/finops/guides/accounts-payable/purchase-orders).         |
| `payment_record`          | `create`, `read`                                                                               | Allows the organization user to create and view [payment records](/finops/guides/common/payment-records).                                                |
| `payment_reminder`        | `create`, `read`, `update`, `delete`                                                           | Allows access to create, view, update, and delete [payment reminders](/finops/guides/accounts-receivable/invoices/payment-reminders).                    |
| `person`                  | `create`, `read`, `update`, `delete`                                                           | Controls the ability to create, view, update, and delete [persons](/finops/guides/payments/onboarding/via-api/persons) associated with an organization.  |
| `product`                 | `create`, `read`, `update`, `delete`                                                           | Controls the ability to create, view, update, and delete [products](/finops/guides/accounts-receivable/products).                                        |
| `project`                 | `create`, `read`, `update`, `delete`                                                           | Controls the ability to create, view, update, and delete [projects](/finops/guides/common/projects).                                                     |
| `receipt`                 | `create`, `create_from_mail`, `read`, `update`, `delete`                                       | Allows the organization user to perform actions on a [receipt](/finops/guides/expense-management/receipts).                                              |
| `receivable`              | `create`, `read`, `update`, `delete`                                                           | Allows the organization user to perform actions on a [receivable](/finops/guides/accounts-receivable/index).                                             |
| `role`                    | `create`, `read`, `update`, `delete`                                                           | Controls the ability to create, view, update, and delete [user roles](/finops/reference/openapi/roles/get-roles).                                        |
| `tag`                     | `create`, `read`, `update`, `delete`                                                           | Controls the ability to create, view, update, and delete [tags](/finops/guides/common/tags).                                                             |
| `transaction`             | `create`, `read`, `update`, `delete`                                                           | Controls the ability to create, view, update, and delete [transactions](/finops/guides/expense-management/transactions).                                 |
