BigCommerce Roles and Permissions | OpsBlu Docs

BigCommerce Roles and Permissions

BigCommerce Store Owner, Admin, and custom staff roles with per-section permissions for orders, products, and store settings.

Understanding BigCommerce's user roles and permissions system is essential for managing store access securely and efficiently. This guide covers all available roles, their capabilities, and best practices for permission management.

BigCommerce User Role Structure

BigCommerce uses a role-based access control (RBAC) system with predefined roles and customizable permissions.

Role Types

BigCommerce offers two categories of user roles:

  1. Standard Roles: Predefined roles with fixed permissions
  2. Custom Roles: User-defined roles with granular permission control (available on Plus, Pro, and Enterprise plans)

Standard User Roles

Store Owner

Description: Full administrative access to the store.

Key Capabilities:

  • Complete control over all store settings
  • Manage billing and subscription
  • Add, edit, and remove users
  • Access all features and settings
  • Manage API accounts and tokens
  • Configure checkout settings
  • Manage domains and SSL certificates
  • Access store design and themes
  • View and manage all orders and customers

Use Cases:

  • Business owner or primary stakeholder
  • Agency owner managing client stores
  • Technical lead responsible for store operations

Security Considerations:

  • Limit to 1-2 users maximum
  • Require MFA (multi-factor authentication)
  • Do not use for day-to-day operations
  • Use for critical changes only

Note: Only the Store Owner can:

  • Delete the store
  • Transfer store ownership
  • Manage billing information
  • Add or remove other users

Admin

Description: Broad administrative access without billing or ownership controls.

Key Capabilities:

  • Manage products, categories, and inventory
  • Process and manage orders
  • View and manage customers
  • Configure shipping and tax settings
  • Access marketing tools
  • Manage apps and integrations
  • Configure store settings (excluding billing)
  • Access analytics and reports
  • Cannot manage billing or delete store

Use Cases:

  • Store manager
  • Operations lead
  • Senior team members
  • Trusted agency staff

Limitations:

  • Cannot access billing settings
  • Cannot add or remove users (varies by plan)
  • Cannot transfer store ownership

Marketing

Description: Focused on marketing tools and customer engagement.

Key Capabilities:

  • Create and manage promotions and coupons
  • Configure email marketing settings
  • Manage banners and marketing content
  • Access customer lists and segments
  • View analytics and reports
  • Configure SEO settings
  • Manage social media integrations

Cannot Access:

  • Billing settings
  • User management
  • Store configuration
  • Checkout settings
  • Server settings

Use Cases:

  • Marketing team members
  • Email marketing specialists
  • SEO specialists
  • Social media managers

Order Fulfillment

Description: Limited to order processing and fulfillment operations.

Key Capabilities:

  • View and manage orders
  • Process shipments
  • Print packing slips and invoices
  • Update order status
  • View customer information (limited)
  • Access shipping tools

Cannot Access:

  • Product management
  • Pricing changes
  • Store settings
  • Marketing tools
  • Customer management (beyond order context)

Use Cases:

  • Warehouse staff
  • Fulfillment team
  • Third-party logistics (3PL) providers
  • Customer service handling order issues

Product Manager

Description: Focused on product catalog management.

Key Capabilities:

  • Create, edit, and delete products
  • Manage product categories and brands
  • Configure product options and variants
  • Manage inventory levels
  • Upload and manage product images
  • Configure product SEO settings
  • Import/export products

Cannot Access:

  • Order management
  • Customer data
  • Billing settings
  • Store configuration
  • Marketing tools

Use Cases:

  • Merchandising team
  • Content managers
  • Product data specialists
  • Inventory managers

Customer Support

Description: Customer-facing role for support operations.

Key Capabilities:

  • View customer profiles
  • View order history
  • Process returns and refunds (if enabled)
  • Respond to customer inquiries
  • Update order status
  • Limited product viewing

Cannot Access:

  • Product editing
  • Pricing changes
  • Store settings
  • Marketing tools
  • Other users' data

Use Cases:

  • Customer service representatives
  • Support team members
  • Chat support operators
  • Returns specialists

Custom Roles (Plus, Pro, Enterprise)

Higher-tier BigCommerce plans allow creation of custom roles with granular permissions.

Available Permission Modules

Custom roles can configure access to:

  1. Products:

    • View products
    • Create/edit products
    • Delete products
    • Manage categories
    • Manage brands
  2. Orders:

    • View orders
    • Edit orders
    • Delete orders
    • Process refunds
    • Export orders
  3. Customers:

    • View customers
    • Edit customers
    • Delete customers
    • Manage customer groups
    • Export customers
  4. Marketing:

    • Manage coupons
    • Manage gift certificates
    • Configure email marketing
    • Manage banners
    • SEO settings
  5. Content:

    • Manage pages
    • Edit theme
    • Manage blog posts
    • Upload images
  6. Settings:

    • Store settings
    • Shipping settings
    • Tax settings
    • Payment methods
    • Checkout settings
  7. Apps & Integrations:

    • Install apps
    • Configure apps
    • Manage API accounts
  8. Analytics:

    • View reports
    • Export reports

Creating Custom Roles

Requirements:

  • BigCommerce Plus, Pro, or Enterprise plan
  • Store Owner or Admin access

Steps:

  1. Navigate to User Management:

    • Go to Account Settings > Users
    • Click User Roles tab
  2. Create New Role:

    • Click Create Role
    • Enter role name and description
  3. Configure Permissions:

    • Toggle permissions for each module
    • Set to View Only, Edit, or No Access
    • Review summary of selected permissions
  4. Save Role:

    • Click Save
    • Role is now available when inviting users

Best Practices:

  • Use descriptive role names (e.g., "Warehouse Manager" not "Role 1")
  • Document what each custom role can access
  • Start with minimal permissions, add as needed
  • Review custom roles quarterly

Permission Best Practices

Principle of Least Privilege

Grant minimum necessary access:

  • Good: Marketing user can view products but not edit prices
  • Bad: Giving Admin role to someone who only needs to create coupons

Examples:

Warehouse Staff:

  • Role: Order Fulfillment (standard) or custom role
  • Permissions: View/edit orders, manage shipments
  • No access to: Products, pricing, settings

Content Writer:

  • Role: Custom role
  • Permissions: Manage pages, upload images, view products
  • No access to: Orders, customers, settings

Agency Developer:

  • Role: Admin or custom developer role
  • Permissions: Theme editing, apps, settings (excluding billing)
  • Time-limited access for project duration
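The custom-role modules above (each set to No Access, View Only, or Edit) and the "Good/Bad" least-privilege examples can be checked mechanically. The following Python script is an added example written for this guide, not code from BigCommerce or OpsBlu: it models a role as a per-module access level, lists the excess a role grants beyond a task's needs, and picks the sufficient role with the least excess. The role definitions (ADMIN, MARKETING, COUPON_EDITOR) are constructed approximations of the roles described on this page, not BigCommerce's authoritative permission sets.

```python
from enum import IntEnum

# Access levels the custom-role editor exposes per module (page: "View Only, Edit, or No Access").
class Level(IntEnum):
    NO_ACCESS = 0
    VIEW_ONLY = 1
    EDIT = 2

# The eight permission modules listed under "Available Permission Modules".
MODULES = ("products", "orders", "customers", "marketing",
           "content", "settings", "apps", "analytics")

class Role:
    def __init__(self, name, levels):
        self.name = name
        self.levels = levels  # module -> Level; a missing module means NO_ACCESS

    def level(self, module):
        return self.levels.get(module, Level.NO_ACCESS)

# Constructed approximations for illustration only (not BigCommerce's exact permission sets).
ADMIN = Role("Admin", {m: Level.EDIT for m in MODULES})
MARKETING = Role("Marketing", {"marketing": Level.EDIT, "customers": Level.VIEW_ONLY,
                               "analytics": Level.VIEW_ONLY, "products": Level.VIEW_ONLY})
COUPON_EDITOR = Role("Coupon Editor (custom)", {"marketing": Level.EDIT})

def is_sufficient(role, required):
    """True when the role grants at least the level each required module asks for."""
    return all(role.level(m) >= lvl for m, lvl in required.items())

def excess_permissions(role, required):
    """Return {module: (granted, needed)} for every module where the role grants more than needed."""
    excess = {}
    for m in MODULES:
        needed = required.get(m, Level.NO_ACCESS)
        granted = role.level(m)
        if granted > needed:
            excess[m] = (granted, needed)
    return excess

def least_privilege_fit(candidates, required):
    """Among roles that can do the job, pick the one with the smallest total over-grant."""
    fits = [r for r in candidates if is_sufficient(r, required)]
    if not fits:
        return None  # no existing role works; a new custom role is needed
    return min(fits, key=lambda r: sum(int(g) - int(n)
                                       for g, n in excess_permissions(r, required).values()))

# The page's "Bad" example: a person who only needs to create coupons.
NEEDS_COUPONS = {"marketing": Level.EDIT}

if __name__ == "__main__":
    for role in (ADMIN, MARKETING, COUPON_EDITOR):
        extra = excess_permissions(role, NEEDS_COUPONS)
        print(f"{role.name}: sufficient={is_sufficient(role, NEEDS_COUPONS)}, "
              f"over-granted modules={sorted(extra)}")
    best = least_privilege_fit([ADMIN, MARKETING, COUPON_EDITOR], NEEDS_COUPONS)
    print("least-privilege choice:", best.name)
```

Running it shows Admin over-grants seven modules for the coupon task while the custom role over-grants none, which is the comparison the "Start with minimal permissions, add as needed" advice asks you to make before assigning a standard role.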

Role Assignment Strategy

Assess User Needs

Before assigning roles, determine:

  1. What tasks will the user perform?

    • Order processing? → Order Fulfillment
    • Product updates? → Product Manager
    • Marketing campaigns? → Marketing
  2. What data must they access?

    • Customer data needed? → Customer Support or custom role
    • Financial data needed? → Admin or Owner only
  3. How long will they need access?

    • Temporary contractor? → Time-limited, document removal date
    • Permanent employee? → Standard role assignment
  4. What's the security risk?

    • High: Limit to Owner/Admin with MFA
    • Medium: Standard roles with documented access
    • Low: Custom role with minimal permissions

Document Role Assignments

Maintain a record of:

  • User name and email
  • Role assigned
  • Date granted
  • Granted by (approver)
  • Justification
  • Review date
  • Access removal date (if applicable)

Security Controls

Enforce Multi-Factor Authentication (MFA)

Require MFA for:

  • All Store Owners
  • All Admin users
  • Users with billing access
  • Users with API access
  • Remote/external users

Enable MFA in BigCommerce:

  1. Go to Account Settings > Security
  2. Enable Require Two-Factor Authentication
  3. Users must set up MFA on next login

IP Allowlisting (Enterprise)

For Enterprise plans, restrict access by IP address:

  1. Go to Account Settings > Security
  2. Configure IP Allowlist
  3. Add trusted IP addresses
  4. Users can only log in from allowed IPs

Use cases:

  • Office-only access
  • Restrict to VPN IP ranges
  • Prevent unauthorized remote access

Session Management

Best practices:

  • Enable Auto Logout after inactivity (30 minutes recommended)
  • Review Active Sessions regularly
  • Terminate suspicious sessions immediately

Configure in:

Regular Access Reviews

Quarterly Access Audits

Review these points every 90 days:

  1. Active Users:

    • Are all users still with the company?
    • Do they still need access?
    • Is their role still appropriate?
  2. Role Assignments:

    • Are permissions still needed?
    • Can any permissions be reduced?
    • Are custom roles still relevant?
  3. Inactive Accounts:

    • Identify users who haven't logged in for 60+ days
    • Remove access for terminated employees
    • Disable dormant accounts
  4. External Access:

    • Review agency/contractor access
    • Verify project completion dates
    • Remove temporary access

Access Review Workflow

  1. Generate User List:

    • Export from Account Settings > Users
    • Include: Name, email, role, last login
  2. Review with Managers:

    • Verify each user's need for access
    • Document any changes
  3. Update Permissions:

    • Remove unnecessary users
    • Adjust roles as needed
    • Document changes
  4. Notify Users:

    • Inform users of role changes
    • Provide justification
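The role-assignment record ("Document Role Assignments"), the quarterly audit checks, and the "Generate User List" step of the workflow above can be combined into one script. The Python below is an added example for this guide, not an OpsBlu or BigCommerce tool: it reads a constructed CSV in the shape of the user export the workflow describes (name, email, role, last login) extended with the record fields the page asks you to keep (granted by, review date, removal date), and flags the accounts that need action. The sample rows, the audit date, the company domain and the thresholds (60 days dormant, at most 2 Store Owners) are constructed assumptions taken from this page's recommendations.

```python
import csv
import io
from datetime import date, datetime

# Constructed export: the page's user-list columns plus the role-assignment record fields.
USER_EXPORT = """\
name,email,role,last_login,granted_by,review_date,removal_date
Alice Owner,alice@example.com,Store Owner,2024-03-01,,2024-06-01,
Bob Backup,bob@example.com,Store Owner,2024-02-20,alice@example.com,2024-06-01,
Cara CTO,cara@example.com,Store Owner,2023-09-10,alice@example.com,2024-06-01,
Dan Warehouse,dan@example.com,Order Fulfillment,2024-03-04,bob@example.com,2024-06-01,
Eve Agency,eve@agency-example.com,Admin,2024-02-28,alice@example.com,2024-01-15,2024-01-31
Finn Former,finn@example.com,Marketing,2023-11-30,bob@example.com,2024-06-01,
"""

REVIEW_DATE = date(2024, 3, 5)   # constructed "today" for the audit
COMPANY_DOMAIN = "example.com"   # constructed; accounts outside it count as external
DORMANT_DAYS = 60                # page: "haven't logged in for 60+ days"
MAX_OWNERS = 2                   # page: "Limit to 1-2 users maximum"
PRIVILEGED = ("Store Owner", "Admin")

def parse_export(text):
    """Parse the CSV export and convert the date columns to date objects (blank -> None)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for key in ("last_login", "review_date", "removal_date"):
            r[key] = datetime.strptime(r[key], "%Y-%m-%d").date() if r[key] else None
    return rows

def audit(rows, today=REVIEW_DATE):
    """Return {email: [finding, ...]} for every account the quarterly review should act on."""
    findings = {}

    def flag(email, msg):
        findings.setdefault(email, []).append(msg)

    # Store Owner count (page: limit to 1-2, use for critical changes only).
    owners = [r for r in rows if r["role"] == "Store Owner"]
    if len(owners) > MAX_OWNERS:
        for r in owners:
            flag(r["email"], f"{len(owners)} Store Owners exceeds limit of {MAX_OWNERS}")

    for r in rows:
        # Inactive accounts.
        if r["last_login"] and (today - r["last_login"]).days >= DORMANT_DAYS:
            flag(r["email"], f"dormant: no login for {(today - r['last_login']).days} days")
        # Temporary access that should already have been removed.
        if r["removal_date"] and r["removal_date"] < today:
            flag(r["email"], f"temporary access past removal date {r['removal_date']}")
        # Assignment not re-approved by its review date.
        if r["review_date"] and r["review_date"] < today:
            flag(r["email"], "review date passed without re-approval")
        # External (agency/contractor) accounts holding privileged roles.
        if not r["email"].endswith("@" + COMPANY_DOMAIN) and r["role"] in PRIVILEGED:
            flag(r["email"], "external account holds privileged role")
    return findings

if __name__ == "__main__":
    for email, notes in audit(parse_export(USER_EXPORT)).items():
        print(email)
        for n in notes:
            print("  -", n)
```

The output is the "document any changes" list for the review-with-managers step: each flagged email with the reason, which is what a manager needs to confirm or reject before permissions are updated.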

API Access and Tokens

API Account Types

BigCommerce separates user access from API access:

Store-Level API Accounts:

  • Created in Settings > API > Store-level API Accounts
  • Used for apps and integrations
  • OAuth tokens with scoped permissions
  • Not tied to individual users

API Credentials:

  • Legacy API credentials (v2/v3 REST APIs)
  • Full store access
  • Not recommended for new integrations

API Permission Scopes

API accounts can have granular permissions:

Common Scopes:

  • Products: Read-only or modify
  • Orders: Read-only or modify
  • Customers: Read-only or modify
  • Content: Manage pages and blog
  • Marketing: Manage coupons and promotions
  • Themes: Read or publish
  • Checkout: Read or modify
  • Carts: Read or modify

Best Practices:

  • Create separate API accounts for each integration
  • Use minimum necessary scopes
  • Rotate API credentials quarterly
  • Store credentials in secure vault (not in code)
  • Document which app uses which API account

Managing Service Accounts

Service accounts are API accounts used by automated systems:

Examples:

  • ERP integration
  • Inventory management system
  • Custom reporting tools
  • Automated email marketing

Best Practices:

  • Use descriptive names ("ERP_Integration" not "API_Account_1")
  • Document purpose and owner
  • Set expiration dates if possible
  • Monitor API usage for anomalies
  • Rotate credentials on schedule
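The API-account best practices above (separate accounts per integration, minimum scopes, quarterly rotation, descriptive names, documented owners, usage monitoring) can be turned into a single review check. The Python below is an added example written for this guide, not code from BigCommerce or OpsBlu. The scope labels ("read" / "modify" per module) follow the page's wording and are constructed illustration labels, not BigCommerce's real scope identifiers; the account inventory, the required-scope table, the audit date and the spike threshold are likewise constructed.

```python
import re
import statistics
from datetime import date

# Scope levels per module, in the page's terms ("Read-only or modify"). Constructed labels.
RANK = {None: 0, "read": 1, "modify": 2}

# Minimum scopes each documented integration needs (constructed; comes from the
# "document which app uses which API account" record the page recommends).
REQUIRED_SCOPES = {
    "ERP_Integration": {"orders": "modify", "products": "read", "customers": "read"},
    "Inventory_Sync": {"products": "modify"},
}

REVIEW_DATE = date(2024, 3, 5)   # constructed audit date
ROTATION_DAYS = 90               # page: "Rotate API credentials quarterly"
SPIKE_FACTOR = 3                 # constructed threshold for "monitor API usage for anomalies"
GENERIC_NAME = re.compile(r"^API_Account_\d+$")  # the naming anti-pattern the page calls out

# Constructed inventory of store-level API accounts with seven days of request counts.
ACCOUNTS = [
    {"name": "ERP_Integration", "owner": "it@example.com",
     "scopes": {"orders": "modify", "products": "read", "customers": "read"},
     "rotated": date(2024, 1, 10),
     "daily_requests": [1200, 1180, 1250, 1190, 1230, 1210, 1220]},
    {"name": "Inventory_Sync", "owner": "ops@example.com",
     "scopes": {"products": "modify", "customers": "modify"},
     "rotated": date(2023, 11, 1),
     "daily_requests": [300, 310, 290, 305, 295, 300, 310]},
    {"name": "API_Account_1", "owner": "",
     "scopes": {m: "modify" for m in ("products", "orders", "customers", "content", "marketing")},
     "rotated": date(2023, 6, 1),
     "daily_requests": [50, 48, 52, 51, 49, 50, 4000]},
]

def over_scoped(granted, required):
    """Modules where the granted level exceeds what the integration is documented to need."""
    return [m for m, lvl in granted.items() if RANK[lvl] > RANK[required.get(m)]]

def usage_spike(counts, factor=SPIKE_FACTOR):
    """True when the latest day's count exceeds factor x the median of the earlier days."""
    if len(counts) < 3:
        return False
    return counts[-1] > factor * statistics.median(counts[:-1])

def review_accounts(accounts, today=REVIEW_DATE):
    """Return {account name: [finding, ...]} for accounts that violate a best practice."""
    findings = {}
    for acct in accounts:
        notes = []
        if GENERIC_NAME.match(acct["name"]):
            notes.append("generic name; rename to describe the integration")
        if not acct["owner"]:
            notes.append("no documented owner")
        required = REQUIRED_SCOPES.get(acct["name"])
        if required is None:
            notes.append("no documented purpose; cannot verify scopes")
        else:
            for m in over_scoped(acct["scopes"], required):
                notes.append(f"over-scoped: {m} granted '{acct['scopes'][m]}', "
                             f"needs '{required.get(m) or 'none'}'")
        age = (today - acct["rotated"]).days
        if age > ROTATION_DAYS:
            notes.append(f"credential rotation overdue ({age} days)")
        if usage_spike(acct["daily_requests"]):
            notes.append(f"usage spike: {acct['daily_requests'][-1]} requests vs baseline")
        if notes:
            findings[acct["name"]] = notes
    return findings

if __name__ == "__main__":
    for name, notes in review_accounts(ACCOUNTS).items():
        print(name)
        for n in notes:
            print("  -", n)
```

In this constructed inventory the properly documented ERP account passes cleanly, the inventory account is flagged only for its extra customer scope and overdue rotation, and the undocumented generic account collects every finding including the request spike; the spike check is a simple median baseline and would be replaced by whatever your monitoring stack provides.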

Role Comparison Matrix

Permission Store Owner Admin Marketing Order Fulfillment Product Manager Customer Support
Manage Billing
Add/Remove Users ✓*
Manage Products View Only
Manage Orders View Only
Manage Customers View Only View Only View Only
Marketing Tools
Store Settings
Theme/Design
Apps
Analytics Limited Limited Limited

* Admin ability to add/remove users varies by BigCommerce plan.

Common Role Scenarios

Scenario 1: Agency Managing Client Store

Setup:

  • Client: Store Owner (retains ownership and billing)
  • Agency Lead: Admin (for store management)
  • Agency Developer: Custom role (theme editing, apps, no customer data)
  • Agency Support: Customer Support (for ongoing support)

Best Practices:

  • Time-limit agency access to project duration
  • Remove agency access post-launch or transition to support-only
  • Document all agency user accounts

Scenario 2: Growing Retail Business

Setup:

  • Owner: Store Owner (primary stakeholder)
  • Store Manager: Admin (daily operations)
  • Merchandising Team: Product Manager (catalog management)
  • Warehouse: Order Fulfillment (shipping and fulfillment)
  • Marketing Lead: Marketing (campaigns and promotions)
  • Customer Service: Customer Support (tickets and inquiries)

Scenario 3: Enterprise Multi-Store

Setup:

  • Corporate IT: Store Owner (technical oversight)
  • Brand Manager: Admin (brand-specific store management)
  • Shared Services:
    • Fulfillment Center: Order Fulfillment (across all stores)
    • Content Team: Custom role (product data, limited to specific categories)
    • Marketing Team: Marketing (shared campaigns)

Considerations:

  • Use consistent role naming across stores
  • Document cross-store access
  • Centralize user access management

Troubleshooting Access Issues

User Cannot Log In

Possible Causes:

  1. Account not yet created or invitation not accepted
  2. MFA not configured
  3. IP allowlist blocking access (Enterprise)
  4. Account disabled

Solutions:

  • Resend invitation
  • Reset MFA
  • Add user's IP to allowlist
  • Check user status in Account Settings > Users

User Missing Expected Permissions

Possible Causes:

  1. Incorrect role assigned
  2. Custom role doesn't have needed permissions
  3. BigCommerce plan doesn't support feature

Solutions:

  • Verify role assignment
  • Review custom role permissions
  • Upgrade plan if necessary

API Access Not Working

Possible Causes:

  1. API account disabled
  2. Scopes don't match required permissions
  3. Credentials expired or revoked
  4. Rate limit exceeded

Solutions:

  • Verify API account status
  • Check OAuth scopes
  • Regenerate credentials
  • Review API usage logs
