3dcart (rebranded as Shift4Shop in 2020) uses a straightforward admin user system with predefined permission levels. Unlike platforms with granular RBAC, 3dcart groups permissions into broad categories that control access to entire sections of the admin panel.
Permission model overview
3dcart uses a section-based permission system where each admin user is granted or denied access to top-level areas of the store admin. Permissions are toggled per-section rather than per-action, meaning a user with access to "Products" can view, create, edit, and delete products within that section.
The platform does not support custom roles. Instead, you assign individual permissions to each staff account, effectively creating ad-hoc role definitions per user.
Built-in permission areas
Admin users can be granted access to any combination of these sections:
- Dashboard -- View store overview, recent orders, and sales summaries
- Orders -- Process orders, issue refunds, manage returns and shipping
- Customers -- View and edit customer accounts, groups, and CRM data
- Products -- Manage catalog, categories, inventory, and product options
- Marketing -- Coupons, gift certificates, newsletters, and SEO settings
- Content -- Edit pages, blog posts, and site-wide content blocks
- Settings -- Store configuration, payment gateways, shipping methods, tax rules, and domain settings
- Reports -- Access sales reports, traffic analytics, and export data
- Apps -- Install and configure third-party integrations from the app store
The store owner account has irrevocable access to all sections and is the only account that can manage billing and subscription settings.
Managing users in the admin panel
Navigate to Settings > Staff (or Settings > Admin Users in older versions) to manage staff accounts.
To add a new admin user:
- Go to Settings > Staff > Add New
- Enter the user's name, email, and set a password
- Toggle ON each permission section the user needs
- Save the account -- the user can now log in at yourdomain.com/admin
To modify an existing user's permissions:
- Go to Settings > Staff
- Click the user's name
- Adjust section toggles as needed
- Save changes -- permissions take effect on next login
There is no invite-by-email flow. You create the account directly and share the credentials with the new user.
API access and credentials
3dcart (Shift4Shop) provides a REST API for store data. API credentials are managed separately from admin user accounts.
- API keys are generated under Settings > General > API (or via the Shift4Shop developer portal)
- Each API key has its own set of OAuth scopes controlling which resources it can read/write (products, orders, customers, etc.)
- API keys are not tied to individual admin users -- they are store-level credentials
- The SecureURL, Token, and PrivateKey values must be stored securely and rotated if a team member with access leaves
When offboarding someone who had access to API credentials, regenerate affected keys immediately.
Analytics and tracking permissions
For installing or modifying analytics tracking on a 3dcart store:
- Google Analytics setup requires access to the Marketing section (Settings > Marketing > Google in some versions, or Settings > General > Tracking in others)
- Custom header/footer scripts (for GTM, pixels, etc.) require access to Settings and often Content to edit theme templates
- Conversion tracking configuration for Facebook, Google Ads, etc. lives under Marketing
- Reports access lets users view built-in analytics but does not grant the ability to install tracking scripts
A user with only Reports permission can view data but cannot modify any tracking configuration. To install or edit analytics tags, the user needs at minimum Marketing and possibly Settings access.
Staff account limits
3dcart/Shift4Shop plans have different staff account limits:
- Basic Store -- Limited admin users (typically 1-2)
- Plus Store -- Up to 5 staff accounts
- Pro Store -- Unlimited staff accounts
Check your current plan under Settings > Account > Subscription to verify available seats before adding new users.
Security considerations
- 3dcart does not support SSO or SCIM provisioning -- all accounts are local
- Enable two-factor authentication for all admin accounts when available
- The admin login URL (/admin) is not customizable, so strong passwords are critical
- Session timeouts are controlled at the platform level and cannot be configured per-user
- There is no built-in audit log of admin actions -- consider supplementing with change-detection monitoring