As a charging network grows, the gap between “give them Admin and sort it out later” and “build a proper access structure” gets harder to close. A team of three shares a handful of roles without thinking twice. At a few hundred charge points, several partners, and a maintenance contractor, the same approach means a partner finance contact can see data across the whole operator, and a field technician has back office access to charge points they’ll never touch. The network has grown; the access model hasn’t kept up.

The challenge isn’t unusual. As the organisation around a network expands, the number of people who need back office access grows with it, and their positions vary significantly. An operations lead needs a different view than a billing analyst. A partner managing their own sites shouldn’t see another partner’s revenue data. A field technician on an installation job needs access to specific charge points, not the entire platform.

AMPECO’s back office includes a complete role and permissions system built for exactly this situation: six role types with multiple levels within each, custom role creation for positions the standard set doesn’t cover, and dedicated access options for external partners and installation and maintenance companies. This post covers how the system is structured, what each layer does, and what changes in practice when access is configured precisely.

What role-based access gives CPOs: one structure, every stakeholder

The core capability is straightforward to state but significant in practice: CPOs can map their actual org structure into the AMPECO platform and give every person in it access that fits their position — not a rough approximation of it.

AMPECO’s role system is built around how charging networks actually operate. Operators manage multiple partners. Partners manage their own sites and users. External companies handle installation and maintenance. Each layer in that structure gets its own role type in the platform, with access scoped to match its position.

Within each role type, named roles map to different responsibility levels. Someone who needs to view session and analytics data gets the Data analyst role. Someone managing partners and their admin accounts gets the Org admin role. A technician handling charge point maintenance gets the Operations & maintenance role. The role fits the job, which means the access fits the job.

When no existing role covers a position precisely, custom roles close the gap. An operator building a role for a billing-only team, or a support function that needs charge point visibility without configuration rights, starts from a base role that pre-populates a standard permission set, then adjusts from there.

The hierarchy underneath all of this enforces security automatically. An admin at any level can manage users at an equal or lower level, but not above. This rule applies to custom roles as well, so no one can use admin account management permissions to elevate a colleague beyond their own access level.

The system is purpose-built for charging networks: operator, partner, sub-operator, and field technician are first-class roles, not categories adapted from a general-purpose access framework.

How it works: system roles, custom roles, and access for external teams

System roles: six types, ready to use

The back office includes six role types, each representing a distinct category of stakeholder in a charging network.

| Role type | Scope |
| Global | Access across all operators in a multi-operator setup |
| Operator | Scoped to a specific operator’s data |
| Partner supervisor | For sub-operators managing their own network segment |
| Partner | For partner organisations managing their own charge points, users, and revenue |
| Partner site manager | For partners managing a defined subset of sites |
| Installation & maintenance | For external companies handling installation and field maintenance |

Within each type, roles map to specific responsibility levels. For Global and Operator teams, the named roles are:

  • Org admin: Full access to all menus and actions
  • Admin: Full access, except admin account management
  • Admin (no users): Full access, except admin account management and CRM
  • Operations & maintenance: Charge points, sessions, locations, and hardware configuration
  • Call centre specialist: Charge points, locations, sessions, and CRM
  • Data analyst: Activity and analytics only

Global and Operator types share the same role names. Their scope differs: Global roles span all operators in a multi-operator setup; Operator roles are restricted to a single operator’s data.

The Operations & maintenance role includes access to hardware configuration resources: firmware versions, CP models, charge point vendors, and vendor error codes. Maintenance staff can view, create, and update these directly, without requiring Org admin access for routine hardware tasks.

Custom roles: when the standard set doesn’t fit

Where no system role maps precisely to a position, custom roles let operators build one. The starting point is a Base role dropdown that pre-populates the standard permission set for a given role category (Operator, Support, Finance, and others). The admin then adds or removes specific permissions before saving.

Context-aware filtering keeps the configuration clean. When creating a custom role, the available permission sets are filtered by the selected Role Type. Selecting “Partner” removes operator-level permissions that are irrelevant for that context, which reduces the risk of accidentally assigning access that doesn’t belong with that role.

Custom roles also inherit new permissions automatically. When AMPECO releases new features and adds new permission sets to the platform, any custom role linked to the relevant base role receives those permissions automatically. No manual audit of every custom role is needed after a product release.

The permission model itself operates at the level of individual actions per resource. Each resource in the back office (charge points, sessions, tariffs, locations, and others) can be assigned or withheld at the action level: View, View any, Create, Update, Delete, Export, Import, Generate. As one example, the ability to reset a charge point (both soft and hard reset) is a standalone permission, separate from other maintenance tasks. An operator can grant reset rights to a role without assigning full maintenance access.
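The custom-role and action-level permission behaviour described above, sketched as an added example (not AMPECO's code). It assumes a custom role is stored as additions and removals against its base role and resolved on each check; the permission names, role names and the rule that explicit removals survive a release are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed permission sets: (resource, action) pairs. Names are illustrative.
BASE_ROLES = {
    "support": {("charge_point", "view"), ("session", "view")},
}
# Permissions that may appear at all under each role type (context-aware filtering).
ALLOWED_BY_TYPE = {
    "operator": {("charge_point", "view"), ("charge_point", "update"),
                 ("charge_point", "reset"), ("session", "view"),
                 ("session", "export"), ("tariff", "update")},
    "partner": {("charge_point", "view"), ("charge_point", "reset"),
                ("session", "view"), ("session", "export")},
}

@dataclass
class CustomRole:
    name: str
    role_type: str
    base: str
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)

    def permissions(self, base_roles=BASE_ROLES):
        # Stored as deltas against the base role and resolved on every check,
        # so a permission added to the base later reaches this role too.
        # Assumption: an explicit removal keeps winning after a release.
        perms = (base_roles[self.base] | self.added) - self.removed
        # Anything outside the selected role type is dropped, even if requested.
        return perms & ALLOWED_BY_TYPE[self.role_type]

    def allows(self, resource, action, base_roles=BASE_ROLES):
        return (resource, action) in self.permissions(base_roles)

def release_diff(role, old_bases, new_bases):
    """Permissions a platform release adds to a custom role via its base role."""
    return role.permissions(new_bases) - role.permissions(old_bases)
```

Running `release_diff` over every custom role after a release lists exactly what each role gained through inheritance.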

Partner and I&M access: external stakeholders in your back office

Partners get their own admin access, scoped to their data. The Partner role type has three levels:

  • Org admin: Can create partner admin accounts, edit the company’s details, and manage users and charge points for that partner
  • Admin: Access to charge points, sessions, and revenue data for the partner; no admin account management
  • Data analyst: View-only across activity and analytics

The main operator can control which features partners can use. Whether partners can create new users themselves, or add to existing user account balances, is controlled at the operator level.

Sub-operators, represented by the Partner supervisor type, sit one layer above standard partners. This covers CPOs managing intermediary operators that in turn manage groups of partners, with each level receiving access appropriate to its position in the network structure.

Installation and maintenance companies get two distinct roles. The Org admin at the I&M level manages the company’s profile, its internal admin users (both Org admins and Installers), and all jobs, with access to any charge point linked to the company or its jobs. The Installer role is strictly job-based: a technician can only see the charge points explicitly linked to jobs assigned to them. Charge points outside those assignments are not visible.

The Installer role also serves the mobile Installer App, used by field technicians for on-site setup and configuration. The access model is consistent whether a technician works through the app or logs into the back office directly.
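The I&M visibility rules described above, as an added example (not AMPECO's code): one server-side filter that both the Installer App and the back office would call. The role identifiers, data shapes and sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Job:
    company: str
    charge_points: frozenset
    assignees: frozenset

@dataclass(frozen=True)
class Principal:
    user: str
    company: str
    role: str  # "im_org_admin" or "installer" (hypothetical identifiers)

def visible_charge_points(p, jobs, company_links):
    """company_links maps an I&M company to charge points linked to it directly."""
    own_jobs = [j for j in jobs if j.company == p.company]
    if p.role == "im_org_admin":
        # Any charge point linked to the company or to one of its jobs.
        return set(company_links.get(p.company, ())).union(
            *(j.charge_points for j in own_jobs))
    if p.role == "installer":
        # Only charge points on jobs assigned to this technician.
        return set().union(
            *(j.charge_points for j in own_jobs if p.user in j.assignees))
    return set()  # unknown role: deny by default

def can_access(p, charge_point, jobs, company_links):
    # One server-side check for both the mobile app and the back office.
    return charge_point in visible_charge_points(p, jobs, company_links)

# Constructed sample data.
JOBS = [
    Job("acme-install", frozenset({"CP-001", "CP-002"}), frozenset({"dana"})),
    Job("acme-install", frozenset({"CP-003"}), frozenset({"eli"})),
    Job("other-co", frozenset({"CP-900"}), frozenset({"dana"})),
]
LINKS = {"acme-install": {"CP-010"}}
DANA = Principal("dana", "acme-install", "installer")
ADMIN = Principal("alex", "acme-install", "im_org_admin")
```

The third job shares a username with a technician at another company; filtering by company before checking assignees keeps its charge point out of view.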

What changes when access is configured this way

When roles match the actual positions in the org, several things stop being problems that require manual attention.

Nobody ends up with more access than their job requires. With six role types and custom roles available to fill gaps, there’s no reason to default to “give them Admin and revisit later.” The Data analyst who needs session reports gets exactly that. Report scheduling, template creation, and export are separate permissions: a role can cover report delivery without touching the operational settings that generate the underlying data. The partner site manager responsible for one group of locations has no visibility into billing data for the rest of the network.

External teams operate within their own scoped view. Partners manage their users, charge points, and revenue data without touching other partners’ data. I&M contractors access only the charge points tied to their assigned jobs; the rest of the network is not visible to them. As the team around the network grows, the access surface does not grow with it.

The hierarchical structure prevents privilege escalation automatically. A Level 2 admin can manage accounts at Level 2 and Level 3, but not at Level 0 or Level 1. Custom roles inherit this constraint from their base role, so the protection holds regardless of how the role was originally configured. No admin can use their account management permissions to elevate a colleague beyond their own access level.
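The level rule above, and its earlier statement that an admin can manage users at an equal or lower level, written out as an added example (not AMPECO's code). The role names and their levels are constructed, since the page does not say which named role sits at which level; level 0 is treated as the highest.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Role:
    name: str
    level: Optional[int] = None     # 0 is the highest level; unset on custom roles
    base: Optional["Role"] = None   # a custom role points at its base role
    manages_admins: bool = False    # holds the admin account management permission

    def effective_level(self) -> int:
        # A custom role has no level of its own: it inherits the base role's.
        if self.base is not None:
            return self.base.effective_level()
        if self.level is None:
            raise ValueError(f"system role {self.name!r} has no level")
        return self.level

def can_manage(actor: Role, target: Role) -> bool:
    """Equal or lower level only (numerically >=), and only with the permission."""
    return actor.manages_admins and target.effective_level() >= actor.effective_level()

def can_assign(actor: Role, current: Role, new: Role) -> bool:
    # Check the account as it is now and as it would be after the change, so an
    # admin can neither edit a superior nor promote a colleague above themselves.
    return can_manage(actor, current) and can_manage(actor, new)

# Constructed roles; the page does not say which named role sits at which level.
L0 = Role("level-0 admin", 0, manages_admins=True)
L1 = Role("level-1 admin", 1, manages_admins=True)
L2 = Role("level-2 admin", 2, manages_admins=True)
L3 = Role("level-3 analyst", 3)
CUSTOM = Role("custom billing admin", base=L2, manages_admins=True)
```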

Custom roles stay current as the platform evolves. When AMPECO releases new features, roles linked to a relevant base role receive the new permissions automatically. The access model does not drift behind the product over time, and no one needs to audit and update roles after each release.

Maintenance staff get what they need for day-to-day hardware work without requiring elevated privileges. The Operations & maintenance role covers firmware versions, CP models, charge point vendor data, and error codes, giving maintenance teams direct access to what they need for routine tasks.

Specialised functions get the same scoping. A roaming coordinator can manage bilateral agreements and hub connections without visibility into charge point configuration or partner billing. A team running dynamic load management gets access to flexibility and load settings without broader platform access. Neither requires a custom role built from scratch: the permission groups for roaming and dynamic load management are part of the standard permission set, available when building any role.

The right access for every person in your network

A charging network that has grown quickly often has an access model that hasn’t kept up with it. People have roles that are approximately right. Partners have access that’s roughly appropriate. Contractors have visibility that reaches a little further than their work actually requires.

The role and permissions system in AMPECO is built to close that gap precisely. Six role types cover the main organisational categories. Multiple named roles within each type map to specific responsibilities. Custom roles handle positions the standard set doesn’t fit, and they stay current automatically as the platform evolves. Dedicated access types for partners, sub-operators, and I&M companies bring external stakeholders into the back office on exactly the right terms.

AMPECO’s role and permissions system is built into the platform. To see how it maps to your specific team structure — including partners, sub-operators, and any installation or maintenance companies you work with — book a demo with our team.


Author

Aleksandar Petkov

Product Marketing Manager

About the author

Alex is a highly skilled product marketing manager who transforms technical features into actionable insights, empowering CPOs to unlock the full potential of our platform.