Ecwid Staff Roles and Permissions | OpsBlu Docs

Ecwid Staff Roles and Permissions

Complete guide to Ecwid staff permissions and how to configure role-based access for your team.

Ecwid provides granular permission control for staff members, allowing you to grant specific access to different areas of your store. This guide explains each permission and provides recommended configurations for common roles.

Understanding Ecwid Permissions

Unlike some platforms with pre-defined roles, Ecwid uses a permission-based system where you select specific features each staff member can access.

Permission Philosophy

Flexible approach:

  • No rigid role names (like "Manager" or "Editor")
  • Choose specific features for each person
  • Customize based on actual job duties
  • Can create your own "role" definitions

Benefits:

  • Precise access control
  • Adapts to your business structure
  • No "one size fits all" limitations

Trade-off:

  • Requires careful planning
  • More decisions to make
  • Need to understand each permission

Available Permissions

Orders

What it controls: Access to order management and fulfillment.

Full access allows:

  • View all orders
  • Edit order details
  • Fulfill orders (mark as shipped)
  • Process refunds
  • Cancel orders
  • Add tracking numbers
  • Export order data
  • View customer information associated with orders

Grant to:

  • Customer Support team
  • Fulfillment staff
  • Store managers
  • Accountant (view-only if possible, full if needed for refunds)

Don't grant to:

  • Marketing (unless they need order insights)
  • Designers/developers (use test orders)
  • External contractors

Risks if misused:

  • Unauthorized refunds
  • Incorrect order fulfillment
  • Customer data exposure
  • Financial loss from fraudulent refunds

Permission recommendations:

Role | Access Level | Rationale
Customer Support | Full | Need to process returns, refunds
Fulfillment | Full | Mark shipped, add tracking
Marketing | None | Don't need order access
Accountant | Full | Need for financial reconciliation

Products

What it controls: Product catalog management.

Full access allows:

  • Add new products
  • Edit existing products
  • Delete products
  • Manage inventory quantities
  • Set prices
  • Organize categories
  • Upload product images
  • Manage product options/variations
  • Import/export products

Grant to:

  • Product managers
  • Merchandising team
  • Content creators (for descriptions/images)
  • Inventory managers

Don't grant to:

  • Customer support (view-only is enough)
  • Temporary staff (unless specifically hired for this)

Risks if misused:

  • Products deleted accidentally
  • Wrong prices set
  • Inventory counts incorrect
  • Products unpublished

Permission recommendations:

Role | Access Level | Rationale
Product Manager | Full | Primary responsibility
Customer Support | View-only* | Answer product questions
Marketing | Full | Create campaigns, update descriptions
Inventory Manager | Full | Manage stock levels

*Note: Ecwid doesn't offer granular view-only access; each permission is all-or-nothing. Consider training staff on what NOT to change.

Customers

What it controls: Customer data and profiles.

Full access allows:

  • View customer list
  • View customer details (name, email, phone, address)
  • Edit customer information
  • View customer order history
  • View customer lifetime value
  • Add customer notes
  • Export customer data

Grant to:

  • Customer support
  • Marketing (for segmentation)
  • Sales team
  • Store manager

Don't grant to:

  • Developers (unless absolutely necessary)
  • Temporary contractors
  • External consultants (use anonymized data)

Risks if misused:

  • Privacy violations (GDPR, CCPA)
  • Data breaches
  • Unauthorized marketing
  • Customer trust lost

IMPORTANT: Customer data is personally identifiable information (PII). Handle with care and comply with privacy regulations.

Permission recommendations:

Role | Access Level | Rationale
Customer Support | Full | Need to help customers
Marketing | Full | Segmentation, campaigns
Developer | None | Use test data instead
Contractor | None | Privacy concerns

Discount Coupons

What it controls: Creation and management of discount codes.

Full access allows:

  • Create discount codes
  • Edit existing discounts
  • Delete discount codes
  • Set discount values (percentage or fixed)
  • Set discount limits (usage, minimum order)
  • Schedule discount dates

Grant to:

  • Marketing team
  • Customer support (if authorized to issue compensatory discounts)
  • Store manager

Don't grant to:

  • Fulfillment staff
  • Developers
  • Most staff (risk of abuse)

Risks if misused:

  • Unlimited discount codes created
  • 100% off discounts issued
  • Revenue loss
  • Abuse by staff or their friends/family

Permission recommendations:

Role | Access Level | Rationale
Marketing | Full | Run campaigns
Customer Support | Full* | Issue goodwill discounts
Store Manager | Full | Oversight
Others | None | High risk

*With clear policies on when/how to issue discounts.

Marketing

What it controls: Email marketing and automated campaigns.

Full access allows:

  • Create email campaigns
  • Manage email lists
  • Set up abandoned cart emails
  • Configure marketing automations
  • View email analytics

Grant to:

  • Marketing team
  • Store manager

Don't grant to:

  • Customer support (unless part of marketing)
  • Operations staff
  • Developers

Risks if misused:

  • Spam emails sent to customers
  • Incorrect segmentation
  • Brand reputation damage
  • Unsubscribe spikes

Permission recommendations:

Role | Access Level | Rationale
Marketing | Full | Primary function
Store Manager | Full | Oversight
Customer Support | None | Not needed

Design

What it controls: Store appearance and theme.

Full access allows:

  • Choose store theme
  • Customize colors, fonts
  • Edit CSS
  • Manage store design
  • Configure layout
  • Add custom code (if available on plan)

Grant to:

  • Designers
  • Developers
  • Store manager

Don't grant to:

  • Marketing (unless they also handle design)
  • Customer support
  • Operations staff

Risks if misused:

  • Store appearance broken
  • Custom code breaks functionality
  • Poor user experience
  • Brand inconsistency

Permission recommendations:

Role | Access Level | Rationale
Designer | Full | Primary responsibility
Developer | Full | Technical customization
Marketing | None | Use designated designer
Others | None | High risk of breaking site

Reports

What it controls: Access to sales and performance reports.

Full access allows:

  • View sales reports
  • View product performance
  • See traffic statistics
  • Export report data
  • Access analytics

Grant to:

  • Store manager
  • Accountant
  • Marketing (for campaign analysis)
  • Product manager (for product performance)

Don't grant to:

  • Customer support (unless needed for insights)
  • Designers/developers

Risks if misused:

  • Minimal (read-only data)
  • Competitive intelligence if leaked
  • Financial information exposure

Permission recommendations:

Role | Access Level | Rationale
Store Manager | Full | Need full visibility
Accountant | Full | Financial reporting
Marketing | Full | Campaign ROI analysis
Product Manager | Full | Product performance
Customer Support | None | Not needed for support

Settings

What it controls: Store configuration and settings.

Full access allows:

  • Configure shipping methods and rates
  • Set up payment processors
  • Manage tax settings
  • Configure checkout settings
  • Add domains
  • Manage apps and integrations
  • Set up notifications
  • Configure store policies

Grant to:

  • Store manager only
  • Owner

Don't grant to:

  • Most staff
  • Temporary employees
  • Contractors

Risks if misused:

  • Payment settings changed (revenue loss)
  • Shipping rates incorrect
  • Tax settings wrong (legal issues)
  • Store accidentally disabled
  • Integrations broken

IMPORTANT: Settings is the highest risk permission. Grant very sparingly.

Permission recommendations:

Role | Access Level | Rationale
Store Owner | Full | Ultimate control
Store Manager | Full | Trusted senior staff
Everyone Else | None | Too risky

Apps

What it controls: Ecwid App Market apps and integrations.

Full access allows:

  • Install apps from App Market
  • Configure app settings
  • Uninstall apps
  • Manage app subscriptions (costs money)

Grant to:

  • Store manager
  • Developers (if building integrations)

Don't grant to:

  • Most staff
  • Customer support
  • Marketing (unless responsible for martech stack)

Risks if misused:

  • Apps installed that cost money
  • Apps with poor security
  • Apps accessing customer data
  • Conflicts between apps

Permission recommendations:

Role | Access Level | Rationale
Store Manager | Full | Evaluate and add apps
Developer | Full | If building integrations
Marketing | Consider | If they manage martech tools
Others | None | Financial and security risk

Store Owner/Administrator

Full permissions to everything:

  • ✓ Orders
  • ✓ Products
  • ✓ Customers
  • ✓ Discount Coupons
  • ✓ Marketing
  • ✓ Design
  • ✓ Reports
  • ✓ Settings
  • ✓ Apps

Use case: Store owner, general manager, senior administrator.

Store Manager

Nearly full access, except critical settings:

  • ✓ Orders
  • ✓ Products
  • ✓ Customers
  • ✓ Discount Coupons
  • ✓ Marketing
  • ✓ Reports
  • ✓ Apps (if trusted)
  • ✓ Settings (if highly trusted)
  • ✗ Billing (owner only)

Use case: Trusted manager who runs day-to-day operations.

Customer Support Agent

Focus on helping customers:

  • ✓ Orders (view, fulfill, refund)
  • ✓ Customers (view, edit for corrections)
  • ✓ Products (view-only, to answer questions)
  • ✓ Discount Coupons (if authorized to issue compensatory discounts)
  • ✗ Marketing
  • ✗ Design
  • ✗ Reports (maybe view-only if helpful)
  • ✗ Settings
  • ✗ Apps

Use case: Frontline customer service, support team.

Marketing Manager

Focus on campaigns and customer engagement:

  • ✓ Marketing
  • ✓ Discount Coupons
  • ✓ Products (to create campaigns)
  • ✓ Customers (for segmentation)
  • ✓ Reports (campaign ROI)
  • ✗ Orders (unless needed for insights)
  • ✗ Design (use designer)
  • ✗ Settings
  • ✗ Apps (unless they manage martech)

Use case: Marketing team lead, growth manager.

Product Manager / Merchandiser

Focus on product catalog:

  • ✓ Products (full control)
  • ✓ Reports (product performance)
  • ✓ Orders (view to understand demand)
  • ✗ Customers
  • ✗ Discount Coupons
  • ✗ Marketing (collaborate with marketing, don't need access)
  • ✗ Design
  • ✗ Settings
  • ✗ Apps

Use case: Manages product catalog, inventory, pricing.

Content Creator / Copywriter

Focus on product content:

  • ✓ Products (edit descriptions, images)
  • ✗ Orders
  • ✗ Customers
  • ✗ Discount Coupons
  • ✗ Marketing
  • ✗ Design
  • ✗ Reports
  • ✗ Settings
  • ✗ Apps

Use case: Writes product descriptions, uploads images.

Designer

Focus on store appearance:

  • ✓ Design
  • ✓ Products (view to understand what to design for)
  • ✗ Orders
  • ✗ Customers
  • ✗ Discount Coupons
  • ✗ Marketing
  • ✗ Reports
  • ✗ Settings (except design-related)
  • ✗ Apps (unless installing design apps)

Use case: Designs store theme, visual appearance.

Developer

Consider API access instead - safer and more appropriate.

If Control Panel access is needed:

  • ✓ Apps (to install/test integrations)
  • ✓ Design (if working on theme)
  • ✓ Settings (only specific settings needed)
  • ✓ Products (view, to test)
  • ✗ Orders (use test orders)
  • ✗ Customers (use test data)
  • ✗ Discount Coupons
  • ✗ Marketing
  • ✗ Reports

Better approach: Use API keys for technical access.

Accountant / Bookkeeper

Focus on financial data:

  • ✓ Orders (view transactions, process refunds)
  • ✓ Reports (financial reporting)
  • ✓ Settings (tax settings if managing)
  • ✗ Products
  • ✗ Customers (unless needed)
  • ✗ Discount Coupons
  • ✗ Marketing
  • ✗ Design
  • ✗ Apps

Use case: Manages finances, reconciliation, taxes.

Fulfillment / Warehouse Staff

Focus on shipping orders:

  • ✓ Orders (fulfill, add tracking)
  • ✓ Products (view inventory)
  • ✗ Customers
  • ✗ Discount Coupons
  • ✗ Marketing
  • ✗ Design
  • ✗ Reports
  • ✗ Settings
  • ✗ Apps

Use case: Picks, packs, ships orders.

Security Best Practices

1. Principle of Least Privilege

Always grant minimum necessary permissions:

  • Start with zero permissions
  • Add only what's needed for the job
  • Review and remove unused permissions

2. Regular Permission Audits

Monthly review:

  • List all staff and their permissions
  • Verify permissions match current job duties
  • Remove unnecessary permissions
  • Check for former employees who still have access

3. Separate Duties

Don't give one person too much power:

Risky combinations:

  • Orders + Discount Coupons = Can issue unauthorized refunds and discounts
  • Products + Settings = Can change prices and shipping, affecting revenue
  • Customers + Marketing = Unsupervised access to PII for campaigns

Safer approach:

  • Divide responsibilities
  • Require approval for sensitive actions (implement as policy)
  • Monitor activity logs

4. Document Permission Decisions

Create permission matrix:

Staff Name Role Orders Products Customers Coupons Marketing Design Reports Settings Apps Reason
Jane Smith Customer Support View Handles support tickets
John Doe Marketing Runs campaigns

Benefits:

  • Clear accountability
  • Easy to review
  • Justification for decisions
  • Reference for future staff
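The audit, separation-of-duties and permission-matrix practices above can be checked mechanically once the matrix is kept as data. The following is an added example, not part of the original guide or of Ecwid: the permission names, role baselines and risky combinations are taken from this page, while the staff records, field names and dates are constructed sample data.

```python
from datetime import date

# Permission names, role baselines and risky pairs come from this guide.
PERMISSIONS = {"Orders", "Products", "Customers", "Discount Coupons",
               "Marketing", "Design", "Reports", "Settings", "Apps"}
ROLE_BASELINES = {  # unconditional grants only; "if authorized" items need a reason
    "Customer Support": {"Orders", "Customers", "Products"},
    "Marketing Manager": {"Marketing", "Discount Coupons", "Products",
                          "Customers", "Reports"},
    "Fulfillment": {"Orders", "Products"},
}
RISKY_COMBOS = [
    ({"Orders", "Discount Coupons"}, "unauthorized refunds and discounts"),
    ({"Products", "Settings"}, "price and shipping changes affecting revenue"),
    ({"Customers", "Marketing"}, "unsupervised access to PII for campaigns"),
]

# Constructed sample matrix (hypothetical staff and field names).
STAFF = [
    {"name": "Support A", "role": "Customer Support", "left_on": None,
     "permissions": ["Orders", "Customers", "Products", "Discount Coupons"]},
    {"name": "Marketing B", "role": "Marketing Manager", "left_on": None,
     "permissions": ["Marketing", "Discount Coupons", "Products", "Customers", "Reports"]},
    {"name": "Warehouse C", "role": "Fulfillment", "left_on": date(2024, 5, 31),
     "permissions": ["Orders", "Products"]},
]

def audit(staff, today):
    """Return (name, finding) tuples for one review pass over the matrix."""
    findings = []
    for s in staff:
        name, granted = s["name"], set(s["permissions"])
        if s["left_on"] and s["left_on"] <= today:
            findings.append((name, "former employee still has access"))
            continue  # everything should be revoked, so skip finer checks
        if granted - PERMISSIONS:
            findings.append((name, "unknown permission in matrix"))
        baseline = ROLE_BASELINES.get(s["role"], set())
        extra = sorted(granted - baseline)
        if extra:
            findings.append((name, "beyond role baseline: " + ", ".join(extra)))
        for combo, risk in RISKY_COMBOS:
            if combo <= granted:
                findings.append((name, " + ".join(sorted(combo)) + ": " + risk))
    return findings

if __name__ == "__main__":
    for name, finding in audit(STAFF, date(2024, 6, 15)):
        print(f"{name}: {finding}")
```

A finding is a prompt for review, not a verdict: a risky combination that the matrix justifies in its Reason column can stay, as long as the justification is written down.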

5. Provide Training

Before granting access:

  1. Train on systems
  2. Explain permissions
  3. Set expectations
  4. Test knowledge

Ongoing:

  • Refresher training quarterly
  • Update on new features
  • Security awareness

6. Monitor Activity

What to watch:

  • Large refunds
  • Bulk discounts created
  • Settings changes
  • Mass product edits
  • Customer data exports

How to monitor:

  • Review activity logs (if available)
  • Spot-check orders/products
  • Alert on suspicious activity

Red flags:

  • Activity outside work hours
  • Unusual patterns
  • Multiple failed login attempts
  • Accessing data outside scope
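The watch list and red flags above translate into simple detection rules. This is an added example, not code from the guide or from Ecwid: the event format, actor names, action names and every threshold are assumptions, and the log lines are constructed, since this page does not show Ecwid's activity log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical JSON-lines format, one event per line).
SAMPLE_LOG = """\
{"ts": "2024-06-03T10:15:00", "actor": "support1", "action": "refund", "amount": 42.00}
{"ts": "2024-06-03T23:40:00", "actor": "support1", "action": "refund", "amount": 980.00}
{"ts": "2024-06-04T14:00:00", "actor": "mkt1", "action": "coupon_create"}
{"ts": "2024-06-04T14:05:00", "actor": "mkt1", "action": "coupon_create"}
{"ts": "2024-06-04T14:09:00", "actor": "mkt1", "action": "coupon_create"}
{"ts": "2024-06-05T11:30:00", "actor": "ful1", "action": "customer_export"}
"""

REFUND_LIMIT = 500.00                # assumed threshold for a "large" refund
BULK_COUPONS = 3                     # assumed: this many coupons ...
BULK_WINDOW = timedelta(hours=1)     # ... within this window counts as bulk
WORK_HOURS = range(8, 19)            # assumed working hours, 08:00 to 18:59
ALWAYS_REVIEW = {"customer_export", "settings_change"}

def detect(log_text):
    """Return (actor, alert) tuples in the order the events occur."""
    alerts = []
    coupon_times = defaultdict(list)  # actor -> recent coupon timestamps
    for line in log_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        who, action = ev["actor"], ev["action"]
        if ts.hour not in WORK_HOURS:
            alerts.append((who, "activity outside work hours"))
        if action == "refund" and ev["amount"] >= REFUND_LIMIT:
            alerts.append((who, "large refund"))
        if action in ALWAYS_REVIEW:
            alerts.append((who, action))
        if action == "coupon_create":
            # Keep only timestamps inside the sliding window, then add this one.
            recent = [t for t in coupon_times[who] if ts - t <= BULK_WINDOW] + [ts]
            coupon_times[who] = recent
            if len(recent) == BULK_COUPONS:  # alert once, when the limit is reached
                alerts.append((who, "bulk coupon creation"))
    return alerts

if __name__ == "__main__":
    for who, alert in detect(SAMPLE_LOG):
        print(f"{who}: {alert}")
```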

Common Permission Mistakes

Mistake 1: Giving Full Access Too Easily

Problem: "Just give them full access to make it easier."

Why it's bad:

  • Unnecessary risk
  • No accountability
  • Security vulnerability

Fix: Take time to configure proper permissions.

Mistake 2: Never Reviewing Permissions

Problem: Set permissions once, never check again.

Why it's bad:

  • Job duties change
  • Former employees retain access
  • Unused permissions accumulate

Fix: Quarterly permission reviews.

Mistake 3: Sharing Accounts

Problem: Multiple people using the same login.

Why it's bad:

  • Can't track who did what
  • Can't revoke one person's access
  • Password security compromised

Fix: Individual accounts for each person.

Mistake 4: Not Removing Access Promptly

Problem: Waiting days/weeks to remove former employee access.

Why it's bad:

  • Disgruntled employee could sabotage
  • Data breach risk
  • Competitive intelligence leak

Fix: Remove access the same day the employee leaves.

Mistake 5: Treating All Staff the Same

Problem: Giving the same permissions to everyone.

Why it's bad:

  • Different jobs need different access
  • Unnecessary risk for some roles

Fix: Customize per role/person.

Plan Limitations

Staff Members by Plan

Plan | Max Staff | Monthly Cost
Free | 0 | $0
Venture | 1 | $15
Business | 5 | $35
Unlimited | 100 | $99

Permission Granularity

Ecwid limitations:

  • Permissions are all-or-nothing per feature
  • Cannot create view-only access within a permission
  • Cannot restrict to specific products/categories
  • Cannot set approval workflows

Workarounds:

  • Policy and training (don't change X even though you can)
  • Regular audits (check for unauthorized changes)
  • External tools (approval systems outside Ecwid)

Advanced needs: Consider third-party apps or custom development via API.

Troubleshooting Permissions

Staff Can't Access Feature They Need

Diagnosis:

  1. Check their current permissions
  2. Identify which permission controls that feature
  3. Verify they should have access

Fix:

  1. Grant appropriate permission
  2. Staff refreshes page
  3. Verify access works

Staff Can Access Something They Shouldn't

Diagnosis:

  1. Review their permissions
  2. Check for overly broad permissions

Fix:

  1. Remove unnecessary permission
  2. Verify they can still do their job
  3. Document why permission was removed

Cannot Determine Which Permission Needed

Diagnosis:

  • Unclear which permission controls a feature

Fix:

  • Check Ecwid documentation
  • Contact Ecwid support
  • Test with temporary permission grant

Next Steps

For general permission concepts, see User Permissions Guide.