Roles & Permissions | eso

ESO uses a role-based access control system. Every member of your organisation is assigned a role, and each role comes with a predefined set of permissions. Administrators can further fine-tune access with per-user overrides and access scopes.

Built-in roles

`org:admin`

Full access to everything in the platform. Admins can:

Manage all inventory, packing lists, containers, projects, and clients.
Read and write invoices, quotes, and supplier data.
Manage organisation settings, invite links, and member roles.
Grant and revoke permissions for other users.

`org:member`

Standard operator access. Members can:

Create, view, and update inventory, packing lists, containers, projects, and clients.
Finalise and progress packing lists through the shipping lifecycle.
Read invoices; create and update quotes and suppliers.
Cannot: delete inventory, delete packing lists, write invoices, manage organisation settings, or manage permissions.

`truck_broker`

Restricted access for external logistics partners. Truck brokers can only:

View packing lists that have been explicitly assigned to their broker company. They cannot see any other data in the organisation.

Permission reference

Permissions are grouped by feature area:

Permission	Key	Description
View packing lists	`packing_lists.read`	See packing lists and their items.
Create packing lists	`packing_lists.create`	Create new packing lists.
Update packing lists	`packing_lists.update`	Edit items while in an editable status.
Delete packing lists	`packing_lists.delete`	Delete packing lists.
Finalize / ship / close	`packing_lists.finalize`	Advance through `shipped → delivered → closed`.
Revert packing list status	`packing_lists.revert`	Step a packing list back one status.
Delete attachments	`packing_lists.attachment.delete`	Remove files from packing lists.
View audit history	`packing_lists.audit.read`	See the status-change history log.
View inventory	`inventory.read`	See inventory items and quantities.
Create inventory	`inventory.create`	Add new inventory items.
Update inventory	`inventory.update`	Edit items and adjust quantities.
Delete inventory	`inventory.delete`	Remove inventory items.
View inventory audit	`inventory.audit.read`	See historical audit entries for inventory.
Merge inventory	`inventory.merge`	Merge duplicate inventory records.
View containers	`containers.read`	See containers and their attachments.
Create containers	`containers.create`	Add containers and upload files.
Update containers	`containers.update`	Edit container details.
View projects	`projects.read`	See projects.
Create / update projects	`projects.write`	Create and edit projects (includes financials).
Delete projects	`projects.delete`	Remove projects.
View clients	`clients.read`	See clients.
Create clients	`clients.create`	Add new clients.
Update clients	`clients.update`	Edit client details.
Delete clients	`clients.delete`	Remove clients.
View invoices	`invoices.read`	See invoices and payment data.
Manage invoices	`invoices.write`	Create, edit, and record payments.
View quotes	`quotes.read`	See quotes.
Manage quotes	`quotes.write`	Create and update quotes.
View suppliers	`suppliers.read`	See supplier catalogue.
Manage suppliers	`suppliers.write`	Create and update suppliers and services.
View org settings	`settings.org.read`	See organisation configuration.
Update org settings	`settings.org.update`	Change organisation-level settings.
View members	`settings.members.read`	See who is in the organisation.
Invite members	`settings.members.invite`	Generate invitation links.
Update members	`settings.members.update`	Change member roles.
Remove members	`settings.members.remove`	Remove users from the organisation.
View permissions	`settings.permissions.read`	See role and override configuration.
Manage permissions	`settings.permissions.update`	Modify roles and per-user overrides.

Per-user permission overrides

Administrators can grant or deny individual permissions to specific users independently of their role. For example, you could grant invoices.write to a single org:member without changing their role. Navigate to Settings → Permissions and find the user to add an override.

Access scopes

In addition to permissions, users can be restricted to specific projects, clients, or locations. When a scope is configured, the user can only see data that falls within those scoped resources. Access scopes support both allow and deny effects:

Allow scopes — The user can only see the listed resources.
Deny scopes — The user can see everything except the listed resources. Scopes are also configurable from Settings → Permissions.