Configure customer roles and implement granular permissions using NopCommerce's Access Control List (ACL) system for secure, role-based access control.
Understanding NopCommerce Roles
Customer Roles vs. Permissions
Customer Role:
- Group of customers with common characteristics
- Determines what features/content they can access
- Examples: Registered, Administrators, Vendors, VIP
Permissions:
- Specific actions that can be performed
- Assigned to customer roles
- Examples: Manage products, View orders, Access admin
Access Control List (ACL):
- Controls which roles can access specific entities
- Applied to: Products, Categories, Manufacturers, Topics
- Restricts visibility based on customer role
Default Customer Roles
Built-in Roles
Administration > Customers > Customer roles
1. Administrators
- Full access to admin panel
- All permissions enabled
- Can manage all aspects of store
- System role (cannot be deleted)
2. Forum Moderators
- Manage forum posts
- Edit/delete forum topics
- Moderate user comments
- Optional (if forums enabled)
3. Registered
- Standard customer account
- Can place orders
- Manage own account
- Access customer features
- System role (cannot be deleted)
4. Guests
- Anonymous visitors
- No account required
- Can browse products
- Can place orders (if allowed)
- System role (cannot be deleted)
5. Vendors
- Third-party sellers
- Manage own products
- View own orders
- Limited admin access
- Optional (if multi-vendor enabled)
Creating Custom Customer Roles
Step-by-Step Role Creation
Step 1: Create New Role
Administration > Customers > Customer roles > Add new
Step 2: Basic Information
Name: VIP Customer
System name: VIPCustomer (no spaces)
Free shipping: ✓ (Optional benefit)
Tax exempt: ✓ (Optional benefit)
Active: ✓
Is system role: ☐ (Only for built-in roles)
Enable password lifetime: ☐
Purchased with product: (Optional - auto-assign when product purchased)
Step 3: Configure Benefits
Free shipping: ✓
- Customers with this role get free shipping
Tax exempt: ✓
- No tax charged for customers in this role
Override default tax display type: ☐
- Check to override the store default and show prices including or excluding tax for this role
Step 4: Assign to Customers
Administration > Customers > Customers > Edit customer
Customer roles:
✓ Registered
✓ VIP Customer
Save
Common Custom Roles
Wholesale Customers:
Name: Wholesale Customer
System name: WholesaleCustomer
Free shipping: ☐
Tax exempt: ✓
Active: ✓
Use case: B2B customers with special pricing
Staff Members:
Name: Staff
System name: Staff
Free shipping: ✓
Tax exempt: ✓
Active: ✓
Use case: Employees with special discounts
Premium Members:
Name: Premium Member
System name: PremiumMember
Free shipping: ✓
Tax exempt: ☐
Active: ✓
Purchased with product: Premium Membership (Product ID)
Use case: Subscription-based benefits
Permission System
Accessing Permissions
Administration > Configuration > Access control list
Permission Categories
Customers Permissions:
- Access admin area
- Manage customers
- Manage vendors
- Manage activity log
- Manage newsletter subscribers
Catalog Permissions:
- Manage products
- Manage categories
- Manage manufacturers
- Manage product reviews
- Manage product attributes
- Manage specifications
Orders Permissions:
- Manage orders
- Manage shipments
- Manage return requests
- Manage gift cards
- Manage shopping cart
Promotions Permissions:
- Manage discounts
- Manage campaigns
- Manage affiliates
Content Management:
- Manage topics
- Manage message templates
- Manage blog
- Manage news
- Manage forums
- Manage polls
Configuration:
- Manage settings
- Manage payment methods
- Manage shipping methods
- Manage tax settings
- Manage currencies
- Manage languages
- Manage plugins
- Manage widgets
- Manage themes
System:
- Manage system log
- Manage message queue
- Manage maintenance
- Manage scheduled tasks
- Access closed store
Configuring Permissions
Step 1: Select Customer Role
Administration > Configuration > Access control list
Customer role: [Select role from dropdown]
Example: Staff
Step 2: Enable Permissions
Check permissions this role should have:
For "Staff" role:
✓ Access admin area
✓ Manage orders
✓ Manage shipments
✓ Manage customers
✓ Manage product reviews
☐ Manage products (read-only via ACL instead)
☐ Manage settings (too sensitive)
☐ Manage plugins (admin only)
Step 3: Save Permissions
Click "Save" button
Result: Role now has selected permissions
Permission Best Practices
Principle of Least Privilege:
Start with minimal permissions
Add only what's needed
Review regularly
Remove unused permissions
Common Permission Sets:
Customer Service Role:
✓ Access admin area
✓ Manage customers
✓ Manage orders
✓ Manage return requests
✓ View products (via ACL, not edit)
✓ Manage newsletter subscribers
✓ View reports
☐ Manage settings
☐ Manage payment methods
☐ Manage plugins
Inventory Manager Role:
✓ Access admin area
✓ Manage products
✓ Manage categories
✓ Manage manufacturers
✓ Manage product attributes
✓ Manage shipments
✓ View orders
☐ Manage customers
☐ Manage settings
☐ Manage discounts
Marketing Manager Role:
✓ Access admin area
✓ Manage discounts
✓ Manage campaigns
✓ Manage affiliates
✓ Manage newsletter subscribers
✓ Manage blog
✓ Manage news
✓ View customers
✓ View products
☐ Manage orders
☐ Manage settings
Access Control Lists (ACL)
Entity-Level Access Control
What is ACL?
- Restricts access to specific entities
- Based on customer role
- Applied to: Products, Categories, Manufacturers, Topics
Use Cases:
- B2B products only for wholesale customers
- VIP-only categories
- Internal documentation for staff
- Vendor-specific products
Configuring Product ACL
Step 1: Edit Product
Administration > Catalog > Products > Edit product
Step 2: Configure ACL
Product info tab:
Limited to customer roles:
☐ Administrators
☐ Forum Moderators
✓ Registered
✓ VIP Customer
☐ Guests
✓ Wholesale Customer
Result: Only checked roles can see this product
Step 3: Save Product
Click "Save and Continue Edit"
Product now only visible to selected roles
Category ACL
Administration > Catalog > Categories > Edit category
Limited to customer roles:
✓ Wholesale Customer
✓ Administrators
Result: Entire category hidden from other roles
Manufacturer ACL
Administration > Catalog > Manufacturers > Edit manufacturer
Limited to customer roles:
✓ VIP Customer
✓ Administrators
Result: All products from this manufacturer restricted
Topic (Pages) ACL
Administration > Content management > Topics (pages) > Edit topic
Limited to customer roles:
✓ Administrators
✓ Staff
Result: Help documentation only for staff
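ACL governs what the storefront lists, but any custom action that loads an entity directly by id has to apply the same check itself, or the "Limited to customer roles" setting is bypassed by a direct link. The following is an added example, not code from NopCommerce or from this guide; it assumes the NopCommerce 4.3 to 4.7 service API (IAclService, IProductService) and a hypothetical RestrictedProductController.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Nop.Services.Catalog;
using Nop.Services.Security;
using Nop.Web.Controllers;

// Hypothetical storefront action that returns a product by id.
// Category pages and search already drop ACL-restricted products,
// but code that fetches by id sees the entity regardless of ACL
// unless it asks IAclService explicitly.
public class RestrictedProductController : BasePublicController
{
    private readonly IAclService _aclService;
    private readonly IProductService _productService;

    public RestrictedProductController(IAclService aclService, IProductService productService)
    {
        _aclService = aclService;
        _productService = productService;
    }

    public async Task<IActionResult> Details(int productId)
    {
        var product = await _productService.GetProductByIdAsync(productId);

        // Unpublished or deleted products are not visible on the storefront either
        if (product == null || product.Deleted || !product.Published)
            return NotFound();

        // AuthorizeAsync evaluates "Limited to customer roles" (SubjectToAcl plus
        // the role mapping records) against the current customer's roles.
        // Respond exactly as for a missing product: a separate "access denied"
        // response would confirm that a hidden product exists.
        if (!await _aclService.AuthorizeAsync(product))
            return NotFound();

        return Json(new { product.Id, product.Name });
    }
}
```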
Advanced Role Configuration
Role Priority/Hierarchy
Multiple Roles:
Customers can have multiple roles:
Customer: John Doe
Roles:
✓ Registered (default)
✓ VIP Customer (special benefits)
✓ Wholesale Customer (B2B pricing)
Access: Union of all role permissions and benefits
Permissions: Most permissive wins
Pricing: Special pricing can be configured per role
Shipping: Free shipping if ANY role has it
Tax: Tax exempt if ANY role has it
Automatic Role Assignment
Based on Purchase:
Customer role configuration:
Purchased with product: Premium Membership (Product ID: 123)
When customer buys Product 123:
- Automatically assigned to this role
- Benefits activate immediately
- Can be temporary or permanent
Role-Based Pricing
Catalog Tier Prices:
Administration > Catalog > Products > Edit product > Tier prices tab
Add tier price:
Customer role: Wholesale Customer
Quantity: 1
Price: 45.00 (instead of regular $50.00)
Add tier price:
Customer role: VIP Customer
Quantity: 1
Price: 47.50
Result: Different customers see different prices
Role-Based Discounts
Administration > Promotions > Discounts > Add new
Discount type: Assigned to categories
Discount name: VIP 10% Off
Discount percentage: 10
Assigned to customer roles:
✓ VIP Customer
Requirement type: Must be assigned to customer role
Apply discount to: Matching products with selected customer role
Result: 10% off for VIP customers only
Vendor Permissions (Multi-Vendor)
Enable Multi-Vendor
Administration > Configuration > Settings > Vendor settings
Allow customers to apply for vendor account: ✓
Allow vendors to edit info: ✓
Notify store owner about new vendors: ✓
Allow vendors to import products: ☐
Vendor Role Permissions
Administration > Configuration > Access control list
Customer role: Vendors
Typical vendor permissions:
✓ Access admin area (limited)
✓ Manage products (own products only)
✓ Manage orders (own orders only)
✓ View customers (limited)
☐ Manage categories (usually no)
☐ Manage manufacturers (usually no)
☐ Manage settings (no)
Vendor-Specific Restrictions
What Vendors Can Do:
- Add/edit/delete own products
- View orders for own products
- Manage own product reviews
- View own reports
- Update own vendor profile
What Vendors Cannot Do:
- See other vendors' products
- Modify store settings
- Manage discounts (unless allowed)
- Access customer personal data
- Manage store-wide categories
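The "own products only" limits above are not part of the Manage products permission itself; NopCommerce's admin controllers enforce them by comparing the product's VendorId with the current vendor, and custom admin code has to do the same. This is an added example, not code from NopCommerce or from this guide; it assumes the 4.3 to 4.7 API (IWorkContext.GetCurrentVendorAsync, StandardPermissionProvider) and a hypothetical VendorProductController with an Unpublish action.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Nop.Core;
using Nop.Services.Catalog;
using Nop.Services.Security;
using Nop.Web.Areas.Admin.Controllers;

// Hypothetical custom admin action. The permission check answers
// "may this role manage products at all"; the vendor-scope check
// answers "may this vendor touch this particular product".
public class VendorProductController : BaseAdminController
{
    private readonly IPermissionService _permissionService;
    private readonly IProductService _productService;
    private readonly IWorkContext _workContext;

    public VendorProductController(IPermissionService permissionService,
        IProductService productService, IWorkContext workContext)
    {
        _permissionService = permissionService;
        _productService = productService;
        _workContext = workContext;
    }

    [HttpPost]
    public async Task<IActionResult> Unpublish(int productId)
    {
        // 1. Permission: store-wide, granted per role in the Access control list
        if (!await _permissionService.AuthorizeAsync(StandardPermissionProvider.ManageProducts))
            return AccessDeniedView();

        var product = await _productService.GetProductByIdAsync(productId);
        if (product == null || product.Deleted)
            return RedirectToAction("List", "Product");

        // 2. Scope: GetCurrentVendorAsync() is null for staff and administrators,
        //    who are not scoped; a vendor may only act on their own products.
        var currentVendor = await _workContext.GetCurrentVendorAsync();
        if (currentVendor != null && product.VendorId != currentVendor.Id)
            return RedirectToAction("List", "Product");

        product.Published = false;
        await _productService.UpdateProductAsync(product);
        return RedirectToAction("Edit", "Product", new { id = product.Id });
    }
}
```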
C# Permission Checking
Check Permission in Code
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Nop.Services.Security;
using Nop.Web.Controllers;

public class CustomController : BasePublicController
{
    private readonly IPermissionService _permissionService;

    public CustomController(IPermissionService permissionService)
    {
        _permissionService = permissionService;
    }

    public async Task<IActionResult> ManageProducts()
    {
        // Check whether any of the current customer's roles grants this permission
        if (!await _permissionService.AuthorizeAsync(StandardPermissionProvider.ManageProducts))
        {
            return AccessDeniedView();
        }

        // User has permission, continue...
        return View();
    }
}
Custom Permissions
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Nop.Core.Domain.Customers;
using Nop.Core.Domain.Security;
using Nop.Services.Security;

// Define a custom permission
public class CustomPermissionProvider : IPermissionProvider
{
    public static readonly PermissionRecord ManageCustomFeature = new PermissionRecord
    {
        Name = "Admin area. Manage Custom Feature",
        SystemName = "ManageCustomFeature",
        Category = "Custom"
    };

    // Every permission this provider contributes
    public virtual IEnumerable<PermissionRecord> GetPermissions()
    {
        return new[]
        {
            ManageCustomFeature
        };
    }

    // Roles that receive the permission when it is installed: only Administrators
    // by default; any other role must be granted it explicitly in the Access control list
    public virtual HashSet<(string systemRoleName, PermissionRecord[] permissions)> GetDefaultPermissions()
    {
        return new HashSet<(string, PermissionRecord[])>
        {
            (
                NopCustomerDefaults.AdministratorsRoleName,
                new[] { ManageCustomFeature }
            )
        };
    }
}

// Install the permission once (e.g. in a plugin's InstallAsync) so it appears in the Access control list:
// await _permissionService.InstallPermissionsAsync(new CustomPermissionProvider());

// Use in a controller action
public async Task<IActionResult> CustomFeature()
{
    if (!await _permissionService.AuthorizeAsync(CustomPermissionProvider.ManageCustomFeature))
    {
        return AccessDeniedView();
    }

    return View();
}
Check Customer Role
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Nop.Core;
using Nop.Services.Customers;
using Nop.Web.Controllers;

public class ProductController : BasePublicController
{
    private readonly IWorkContext _workContext;
    private readonly ICustomerService _customerService;

    public ProductController(IWorkContext workContext, ICustomerService customerService)
    {
        _workContext = workContext;
        _customerService = customerService;
    }

    public async Task<IActionResult> Index()
    {
        var customer = await _workContext.GetCurrentCustomerAsync();

        // Check membership of a specific role by its system name (not its display name)
        if (await _customerService.IsInCustomerRoleAsync(customer, "VIPCustomer"))
        {
            // Show VIP pricing
        }

        // Check if customer is admin
        if (await _customerService.IsAdminAsync(customer))
        {
            // Show admin features
        }

        // Check if customer is registered
        if (await _customerService.IsRegisteredAsync(customer))
        {
            // Show registered customer features
        }

        return View();
    }
}
Testing Permissions
Test as Different Roles
Method 1: Customer Impersonation
Administration > Customers > Customers > Edit customer
Click "Impersonate" button
Browse site as this customer
Test features/access
Exit impersonation
Method 2: Multiple Browser Profiles
Chrome Profile 1: Admin account
Chrome Profile 2: VIP Customer account
Chrome Profile 3: Regular customer account
Test simultaneously in different profiles
Method 3: Incognito Windows
Regular window: Admin
Incognito window 1: Customer role 1
Incognito window 2: Customer role 2
Troubleshooting
Permission Not Working
Check:
Role Has Permission:
Administration > Configuration > Access control list
Select role > Verify permission checked
Customer Has Role:
Administration > Customers > Customers > Edit customer
Verify correct role assigned
Cache Cleared:
Administration > System > Warnings > Clear cache
Permissions are cached, so clear the cache after changes
Not System Role Conflict:
System roles (Guests, Registered) have default permissions
Custom permissions may be overridden
ACL Not Restricting Access
Verify:
Entity ACL Configured:
Edit product/category/manufacturer/topic
"Limited to customer roles" has selections
ACL Enabled Globally:
Administration > Configuration > Settings > Catalog settings
Ignore ACL rules (sitewide): ☐ (should be unchecked)
Customer Has Role:
Customer must have at least one selected role
No Admin Override:
Administrators can always see all entities
Test with non-admin role
User Cannot Access Admin Panel
Diagnose:
Has Admin Role:
Customer roles must include "Administrators"
Has "Access admin area" Permission:
ACL > Administrators role > Access admin area: ✓
Account is Active:
Customer > Active: ✓
Correct Login URL:
https://yourstore.com/admin
Not /login (that's customer login)
Security Best Practices
Role Management
Minimal Permissions:
- Start with no permissions
- Add only what's needed
- Review quarterly
Separation of Duties:
- Don't give all permissions to one role
- Different people for different functions
- No single point of failure
Regular Audits:
- Review role assignments monthly
- Remove inactive accounts
- Update permissions as roles change
Documentation:
- Document each role's purpose
- List permissions and why
- Update when changes made
Admin Account Security
Unique Admin Accounts:
- Don't share admin accounts
- One account per administrator
- Use real names/emails
Strong Authentication:
- Strong passwords required
- Two-factor authentication enabled
- Regular password changes
Activity Logging:
- Administration > System > Log > Activity log
- Review admin actions regularly
- Investigate suspicious activity
Next Steps
- Adding/Removing Users - Manage customer accounts
- User Management Overview - Best practices