Role-Based Access Control (RBAC) in Shopify admin

March 25, 2025

Marketing, support, logistics, finance: the more your team grows, the more the Shopify admin concentrates sensitive actions (orders, customers, payments, apps). Roles and permissions make it possible to apply the principle of least privilege without micro-managing every checkbox for each person. This guide is based on the official documentation: User management, Permissions, Role management, Sensitive permissions, security settings, and the OWASP Authorization Cheat Sheet for the “who can do what” framework on the application security side. For another step-by-step perspective, also see RBAC in the Shopify admin.

The goal is not to cite global average breach costs: it is to structure access, document roles, and review permissions when the organization changes.

RBAC and Shopify terminology

Role-based access control (RBAC) groups permissions into reusable roles. In Shopify, a role has a name, a description, and a set of permissions; you then assign it to the accounts that need it. User management indicates that roles and permissions are used to grant the required level of access while limiting what is not essential to the job.

“Permissions grant or restrict access to specific areas of your business for a given context. You can assign permissions to roles to give a user granular access levels based on the role category.”

Shopify Help Center, Permissions page (free translation and quote)

Common entry point: Settings > Users > Users and Roles tabs, depending on whether you are in a single-store or organization context. The exact interface may vary if you are on a multi-store organization.

RBAC does not replace the internal security policy: it operationalizes it. As soon as more than one person logs in to the admin, set rules for shared accounts (to be avoided except in documented exceptional cases), password rotation for technical accounts, and the use of named accounts for any traceable action on orders or customer data.

Permission types: store, organization, POS

Shopify distinguishes several permission families:

  • Store: for roles in the “Store role” category.

  • Organization: for roles in the “Organization role” category (multi-store context).

  • Shopify POS: for POS roles when the point of sale is used.

Some tasks (granular user and role management) are not exposed as simple checkboxes: they are reserved for authorized profiles, as explained in the user management requirements.

Role categories and plans

The Roles management page specifies that the available role types depend on the plan, membership in an organization, Shopify Plus for certain custom organization roles, and the presence of POS Pro for POS roles. Shopify-managed roles cannot be edited: you duplicate them or create custom roles alongside them.

Question: Can I create roles on Basic or Starter?
Suggested answer: The docs link custom store roles to plans above Basic/Starter; check your screen and the up-to-date help page.

Question: Plus and organization
Suggested answer: Custom organization roles notably concern the Plus and multi-store context.

Question: POS
Suggested answer: POS roles and POS staff are available if the POS channel is present and at least one location has POS Pro.

Sensitive permissions and customer data

Sensitive permissions provide access to private data: finances, billing payment methods, customer data requests, or sensitive business entity information within an organization. Granting them makes it possible to delegate workflows (e.g., GDPR aspects or payment settings) while distributing tasks among several people rather than concentrating all access on a single account.

From a compliance perspective, link each sensitive permission to an internal procedure: who can approve an export, who can modify a payment method, and how you track the action in your tools (tickets, internal notes). The CNIL website reiterates individuals' rights over their data: your roles must be consistent with who is authorized to respond to requests.

Create, duplicate, and edit a role

Creation follows the documented path: Settings > Users > Roles > Add role, choose the category, name, description, then select permissions and, optionally, accessible applications. Duplication copies an existing role not managed by Shopify to speed up creating a similar role (e.g., “Support Level 1” from “Support Level 2” with fewer boxes checked).

If you need to change a role category afterward, the documentation states that you must create a new role: the category cannot be edited after creation. Plan stable naming (support_tier1_v2 internally) to avoid the proliferation of dead roles.

Assigning roles and multi-store access

The Role management page explicitly indicates that one or more roles can be assigned to a user (or a POS staff member), in order to refine permissions consistently and limit accidental access. For organizations, you can then adjust the stores that the user can access after assigning a store role.

In practice, avoid stacking roles without a clear map: each combination should correspond to a job title or a named use case; otherwise, audits become opaque.

POS roles and in-store staff

If you sell in-store, POS permissions determine what staff can do at checkout: discounts, refunds, opening the cash drawer, reports. They depend on the POS channel being present and POS Pro on at least one location, as noted in the section on eligibility criteria. Align POS roles with your anti-fraud procedures: separate the person who approves a large refund from the one who takes payment the same day, if the tool allows it.

Employee and partner accounts

Collaborator accounts allow Shopify partners to work on your store with controlled permissions. Distinguish them from internal staff accounts: governance (who invites whom, duration, app scope) should be as clear as it is for an employee.

For each service provider, list the relevant apps, thematic access (theme, catalog, billing), and the mission end date. When the project ends, revoke collaborator access before closing the contract: too long a delay between the end of the mission and deactivation is a frequent source of unnecessary exposure.

User groups

Shopify also allows you to structure users through groups in contexts where this feature is available. Groups complement roles when you need to apply common policies to entire teams (e.g., access to a set of stores or organizational segments). Check in your admin whether your plan and structure expose groups: the interface evolves with Organization and Plus plans.

In practice, a group can serve as an HR “tag” for auditing: “all employees of the Lyon store” without replacing the business role that defines granular permissions. Avoid multiplying groups that are redundant with roles: keep a simple rule, for example role = permissions, group = organizational scope.

Permissions and Settings page

Certain actions in Settings (billing, payment methods, users) require specific permissions. The page on required permissions for options on the Settings page details these dependencies: useful when a team member sees a grayed-out menu without understanding why. If you’re blocked, start by checking the role, then sensitive permissions, then membership in a multi-store organization.

Document internally who can invite new users: on non-Plus stores, documentation often restricts user management to the store owner and store administrators; in an organization, other organization roles may also come into play. Refer to the tables on the user management requirements page for your case.

Invitations, CSV export and reviews

The process of inviting users must be standardized: business email, role name assigned before sending, and verification that the collaborator has indeed accepted the invitation. Pending accounts represent a risk if the email was entered incorrectly: a misspelled domain sends an invitation outside the organization.

When your organization allows it, the CSV export of user management information makes periodic reviews easier: cross-check the list with your HR directory to identify orphaned accounts. Plan a quarterly review of roles: teams change faster than internal documentation.
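The following script is an added example of the review described above; it is not code from this page or from Shopify. It takes a constructed user export and a constructed HR list and reports the findings a quarterly review is looking for: orphaned accounts, pending invitations, addresses outside your own domains (the misspelled-domain case), stale logins, too many administrator profiles, and role combinations that are not mapped to a documented job title (the point made under "Assigning roles and multi-store access"). The CSV column names, role names, domains, dates and thresholds are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample of a user-management CSV export. The column names are an
# assumption made for this example, not Shopify's actual export layout.
USERS_CSV = """email,roles,status,last_login
alice@example-shop.com,Store admin,active,2025-03-20
bob@example-shop.com,Support Level 1;Logistics,active,2025-03-18
carol@example-shop.com,Store admin,active,2024-10-02
dave@example-shop.com,Store admin,active,2025-03-21
erin@exampel-shop.com,Content marketing,pending,
frank@agency.example,Content marketing,active,2025-03-01
"""

# Constructed HR directory: the people who should currently hold an admin account.
HR_DIRECTORY = {"alice@example-shop.com", "bob@example-shop.com", "dave@example-shop.com"}

# Constructed map of every documented role combination to a job title, so that
# an undocumented stack of roles becomes visible during the review.
APPROVED_COMBINATIONS = {
    frozenset({"Store admin"}): "Store owner / administrator",
    frozenset({"Support Level 1"}): "Customer service agent",
    frozenset({"Content marketing"}): "Content marketer",
}

APPROVED_DOMAINS = {"example-shop.com"}   # constructed: the e-mail domains you own
HIGH_PRIVILEGE_ROLES = {"Store admin"}    # constructed: roles counted as "administrator"
MAX_ADMINS = 2                            # constructed policy threshold
STALE_AFTER_DAYS = 90                     # constructed policy threshold
REVIEW_DATE = date(2025, 3, 25)           # constructed: the day the review is run


def review_users(csv_text, hr_directory, approved_combinations, approved_domains,
                 review_date=REVIEW_DATE, max_admins=MAX_ADMINS,
                 stale_after_days=STALE_AFTER_DAYS):
    """Cross-check a user export against HR data and access policy.

    Returns a dict mapping a finding category to the sorted list of affected addresses.
    """
    findings = defaultdict(set)
    admins = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        roles = frozenset(r.strip() for r in row["roles"].split(";") if r.strip())
        domain = email.rsplit("@", 1)[-1]

        # A pending invitation is a risk when the address was mistyped.
        if row["status"].strip().lower() == "pending":
            findings["pending_invitation"].add(email)
        # An invitation sent to a domain you do not own left the organization.
        if domain not in approved_domains:
            findings["external_domain"].add(email)
        # Orphaned accounts: present in the admin, absent from HR.
        if email not in hr_directory:
            findings["not_in_hr_directory"].add(email)
        # Every role combination must map to a documented job title.
        if roles not in approved_combinations:
            findings["undocumented_role_combination"].add(email)
        # Accounts with no login for a long time are candidates for deactivation.
        last_login = row["last_login"].strip()
        if last_login and (review_date - date.fromisoformat(last_login)).days > stale_after_days:
            findings["stale_login"].add(email)
        if roles & HIGH_PRIVILEGE_ROLES:
            admins.add(email)

    if len(admins) > max_admins:
        findings["too_many_admins"] = admins
    return {category: sorted(emails) for category, emails in findings.items()}


if __name__ == "__main__":
    report = review_users(USERS_CSV, HR_DIRECTORY, APPROVED_COMBINATIONS, APPROVED_DOMAINS)
    for category, emails in sorted(report.items()):
        print(f"{category}: {', '.join(emails)}")
```

Run it against the real export by replacing USERS_CSV with the file contents and HR_DIRECTORY with your directory extract; each finding category maps to one line of the offboarding or invitation procedure, so the output can be pasted straight into the review ticket.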

Least privilege, auditing, and 2FA

OWASP recommends designing systems where users receive only the rights necessary for their role and regularly reviewing those rights. This is the spirit of the Authorization Cheat Sheet, applicable to your Shopify matrix: fewer day-to-day “store admin” accounts, more explicit business roles.

Shopify also links sensitive permissions to trust in two-factor authentication: the page on sensitive permissions mentions the value of 2FA in reducing risk for accounts that handle critical data. Require 2FA for owners and administrators, and train teams on phishing targeted at e-commerce access.

Examples of matrices by profession

The tables below are starting templates: adapt them to your plan, your apps, and your legal requirements.

Business role: Customer service
Typical permissions: Orders (view, edit), customers, creation of purchase orders
Avoid: Global payment settings without necessity

Business role: Logistics
Typical permissions: Orders (processing), products (view), inventory
Avoid: Deleting apps or billing

Business role: Content marketing
Typical permissions: Products, collections, content, campaigns according to scope
Avoid: Mass export of customer data without a framework

For detailed catalog operations, keep the link with adding products and data quality rules.

Finance teams often need to export reports without modifying payment methods: separate “view payments” and “edit billing settings” when the interface allows it, rather than giving a full administrator role. Legal / compliance teams may require permissions related to customer data requests: tie this scope to your processing register and your internal GDPR procedures.
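As an added example (not code from this page or from Shopify), the script below turns the matrices above into checkable rules: each role is a set of permission labels, a user's effective permissions are the union of the roles stacked on the account, and three checks run over them: a separation-of-duties pair (the POS refund approver and cashier case from the POS section), sensitive permissions held on an account without 2FA (the point made under "Least privilege, auditing, and 2FA"), and role definitions that carry a sensitive permission although they belong in the "Avoid" column. The role names, permission labels, sensitive set and sample users are assumptions constructed for the example, not Shopify's permission identifiers.

```python
# Constructed role definitions modelled on the matrices above. The permission
# labels are illustrative names chosen for this example, not Shopify's own
# permission identifiers. "Logistics (legacy)" is a deliberately stale duplicate.
ROLES = {
    "Customer service": {"orders.view", "orders.edit", "customers.view", "draft_orders.create"},
    "Logistics": {"orders.fulfil", "products.view", "inventory.edit"},
    "Logistics (legacy)": {"orders.fulfil", "products.view", "inventory.edit", "billing.edit"},
    "Content marketing": {"products.edit", "collections.edit", "content.edit"},
    "Finance viewer": {"reports.view", "payments.view"},
    "Billing admin": {"billing.edit", "payments.view"},
    "POS cashier": {"pos.take_payment", "pos.apply_discount"},
    "POS manager": {"pos.approve_refund", "pos.open_drawer", "pos.reports"},
}

# Permissions treated as sensitive in this example (finances, billing, customer data).
SENSITIVE = {"payments.view", "billing.edit", "customers.export", "customer_data_requests.handle"}

# Only these roles are meant to carry sensitive permissions; any other role that
# does is a candidate for the "Avoid" column of the matrices.
SENSITIVE_ALLOWED_ROLES = {"Finance viewer", "Billing admin"}

# Separation-of-duties pairs: no single person should hold both at once.
SOD_PAIRS = [("pos.take_payment", "pos.approve_refund")]


def effective_permissions(assigned_roles, roles=ROLES):
    """Union of the permissions of every role stacked on one user."""
    perms = set()
    for name in assigned_roles:
        perms |= roles[name]
    return perms


def check_user(assigned_roles, two_factor_enabled, roles=ROLES):
    """Return (effective permissions, list of issues) for one user's role stack."""
    perms = effective_permissions(assigned_roles, roles)
    issues = []
    for a, b in SOD_PAIRS:
        if a in perms and b in perms:
            issues.append(f"separation of duties: {a} + {b}")
    sensitive = sorted(perms & SENSITIVE)
    if sensitive and not two_factor_enabled:
        issues.append("sensitive permissions without 2FA: " + ", ".join(sensitive))
    return perms, issues


def audit_role_definitions(roles=ROLES, allowed=SENSITIVE_ALLOWED_ROLES):
    """Find roles that carry sensitive permissions although they are not meant to."""
    return {
        name: sorted(perms & SENSITIVE)
        for name, perms in roles.items()
        if name not in allowed and perms & SENSITIVE
    }


if __name__ == "__main__":
    # Constructed users: the role stack and whether 2FA is enabled on the account.
    users = {
        "alice": (["Customer service"], True),
        "bob": (["POS cashier", "POS manager"], True),
        "carol": (["Finance viewer"], False),
    }
    for user, (stack, tfa) in users.items():
        _, issues = check_user(stack, tfa)
        print(user, issues or "ok")
    print("role definitions to fix:", audit_role_definitions())
```

Keeping the rules as data (role sets, a sensitive set, SoD pairs) means the matrix and the check evolve together: when a role is duplicated or a new sensitive permission appears in the admin, the only edit is to the tables at the top.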

Third-party apps and access scope

When creating or editing a role, the App permissions section allows you to limit which apps a user sees in the admin. This is useful when a team uses only an emailing tool or an ERP connector: reducing the list limits the risks of mishandling and clarifies the interface. Cross-check with your app purchasing policy: each new installation should not imply “full access for everyone” by default.

Apps can also request extended API scopes on the developer side: from a governance perspective, keep a list of approved integrations and disable staff access to obsolete apps when you change tools. For an overview of integrations, see Shopify integrations.

Common errors

Error: Too many “administrator” profiles
Risk: Broad attack surface
Fix: Documented intermediate roles

Error: Duplicated roles without maintenance
Risk: Obsolete permissions
Fix: Quarterly review, removal of unused roles

Error: Forgetting to remove access upon departure
Risk: Orphaned accounts
Fix: Offboarding checklist + deactivation

Error: Partners with too broad a scope
Risk: Prolonged exposure
Fix: Collaborator limited by time and by app

Quick checklist when a collaborator joins

  1. Define the role or combination of roles before sending the invitation.

  2. Invite the user and verify access to the right stores.

  3. Validate a test action (view an order, adjust inventory) within the intended scope.

  4. Document the assignment in your internal HR / IT repository.

Chatbot and exposure surface

A chatbot like Qstomy handles visitor questions on the public storefront: it does not replace staff account governance, but it reduces the need to grant admin access to teams that only needed access to FAQ answers. Fewer sensitive accounts, less risk, provided you keep the bot up to date with your policies.

Summary

Role-based access controls in Shopify rely on permissions grouped into customizable roles, with different rules depending on plan, organization, Plus, and POS. Identify sensitive permissions, limit high-privilege accounts, duplicate roles to iterate quickly, and review combinations during team changes. Rely on Shopify documentation and OWASP best practices to structure your access reviews.

Also consider external collaborators, user exports, and apps: each access channel should have an owner and a review date. Clean admin management reduces human errors on orders and customer data, and makes team growth easier without multiplying default “super-admin” accounts.

FAQ

Can a user have multiple roles?

Yes. The documentation on role management indicates that one or more roles can be assigned to the same user to refine permissions consistently.

How many custom roles can I create?

It depends on your plan and the limits displayed in the admin; also check the maximum number of users per plan page.

Can I modify a Shopify-managed role?

No. Shopify-managed roles cannot be edited; duplicate them or create a custom role, as indicated on the role management page.

What happens if I modify an existing role?

Changes apply to users who have that role: plan communication and test on a pilot account if the scope is broad.

Should cost-of-breach studies be used to decide roles?

Industry reports can raise awareness, but your decisions should be based on your actual surface area (number of admins, apps, partners) and Shopify documentation, not on average figures disconnected from your context.

How can access be revoked quickly?

Remove roles, disable the account, or delete the user according to your procedure; document the action in your internal ticket. For multi-store organizations, also check store access so no store is left accessible by mistake.

Enforcing 2FA for teams

Shopify offers security settings to strengthen accounts; combine a strong password requirement, 2FA, and review of sensitive permissions for profiles that can view financial data or customer exports.
