- Features > Access Control
Access Control
Define precise access permissions for every user role in your CPQ system. Control who can configure, price, quote, approve, and publish — at the level of individual actions and data objects.
Role-based
Permissions by function and seniority
Object-level
Control on individual products and pricing
Zero
Unauthorised data access or modifications
The Challenge
CPQ Systems Have Coarse Permissions That Do Not Match Organisational Reality
Most CPQ platforms offer basic user permission tiers — admin, standard user, read-only — that do not reflect the actual variety of roles within a sales and operations organisation. A pricing analyst should be able to view and modify pricing but not approve quotes. A dealer portal user should only see their own quotes, not those of other dealers. A product manager should be able to modify configuration templates but not submit orders.
When the available permission model is too coarse to match organisational needs, administrators face a choice between granting excessive permissions and granting insufficient ones. Excessive permissions create change risk; insufficient permissions create friction and shadow workarounds.
Data privacy is a related concern. In a multi-country organisation, sales reps in one territory should not be able to access customer data or pricing from another territory. In a channel organisation, dealers should have no visibility into the manufacturer's internal pricing.
As organisations grow and roles specialise, the gap between available CPQ permission tiers and the actual access required per role compounds — eventually requiring external controls or workarounds to enforce what the CPQ system cannot.
How It Works
How Access Control Works in Mercura
Mercura's access control system is built on role-based permissions applied at the object and action level. Administrators define roles — such as Sales Rep, Pricing Manager, Distributor, or Product Admin — and assign to each role a precise set of permissions: which objects they can see, which actions they can take, and what data scope they operate within. Data scoping controls restrict users to the subset of data relevant to their context — a dealer sees only their own quotes and their assigned product catalog; a regional sales manager sees only the opportunities in their territory. Roles are assigned to users and can be combined to support hybrid roles. All permission changes are logged in the audit trail.
What's Included
Key Capabilities
- Role-based permission model with unlimited custom roles
- Object-level permissions — control access to individual products, price books, and quote types
- Action-level permissions — view, create, edit, price, approve, and publish as independent rights
- Data scoping — restrict users to their territory, channel, or customer segment
- SSO integration for identity management via SAML or OIDC
- Permission inheritance and role combination for complex organisational structures
- Access review reports — see who has which permissions and when they were assigned
- All permission changes captured in the audit log
The Difference
Before and After CPQ Access Control
- Coarse permission tiers force over-provisioning or under-provisioning
- Dealers can see other dealers' quotes or internal pricing
- Pricing analysts have admin access they do not need — change risk elevated
- Territory data visible across regions — privacy and commercial risk
- Access reviews impossible — no systematic view of who can do what
- Precise role definitions match organisational reality — right access for every role
- Dealers see only their own quotes and assigned catalog — no cross-visibility
- Pricing analysts can modify pricing but not approve or publish — risk contained
- Territory data scoped per user — privacy and commercial sensitivity respected
- Access review reports generated on demand — compliance evidence available instantly
Real-World Application
Example Use Case: International Manufacturer with Dealer Network
An international manufacturer needed three distinct access contexts in their CPQ system: internal sales reps with full quoting capability but no access to pricing administration; regional pricing managers who could modify pricing but not approve quotes above their tier; and 60 dealers who could configure and quote but could only see their own quotes and their assigned product range. The manufacturer's previous CPQ system had two permission levels — admin and user — which could not support this structure. Mercura's role-based access control allowed the manufacturer to define all three access contexts precisely. Dealer isolation was enforced at the data layer — not through UI restrictions that could be bypassed. The implementation was completed in three days.
Quote turnaround dropped from 3 days to under 4 hours.
Business Impact
Why Access Control Matters
Access control in CPQ is a commercial risk management function. When users have access beyond what their role requires, the risk of accidental or deliberate misuse increases with every person who has that access. When access is too restrictive, people work around the system and create shadow processes that are harder to govern. Mercura's access control gives administrators the precision to match system permissions exactly to organisational roles — reducing risk without creating friction.
Give Every User Exactly the Right Access
Book a demo to see how Mercura's role-based access control secures your CPQ system without creating workflow friction.
Let’s build together.
We empower manufacturers to master product modeling, streamline quoting process, reduce errors, and ultimately deliver the tailored solutions that customers demand.