nopCommerce uses a Customer Role system as its permission model. Every user -- whether a storefront shopper or a back-office administrator -- is a "customer" assigned to one or more roles. Permissions are granted per role through an Access Control List (ACL) that governs both admin panel features and storefront visibility. Multi-store installations can scope roles to specific stores.
Permission model
The nopCommerce permission system has three layers:
- Customer Roles -- named groups (Administrators, Registered, Guests, Forum Moderators, Vendors). A customer can hold multiple roles simultaneously; permissions are additive across all assigned roles.
- ACL (Access Control List) -- a matrix of permission records mapped to customer roles. Each permission record controls access to a specific admin area or action (e.g.,
ManageProducts,ManageOrders,AccessAdminPanel). - Store mapping -- in multi-store setups, individual entities (products, categories, manufacturers) can be restricted to specific stores. This is separate from the role ACL but interacts with it for content visibility.
Permission checks use IPermissionService.AuthorizeAsync() throughout the codebase. If none of a customer's roles grant a particular permission, access is denied.
Built-in customer roles
| Role | Purpose | Key default permissions |
|---|---|---|
| Administrators | Full back-office access | All permissions including ManageACL, ManagePlugins, ManageSettings |
| Registered | Authenticated storefront customers | Place orders, manage account, write reviews |
| Guests | Unauthenticated visitors | Browse catalog, add to cart (if enabled) |
| Forum Moderators | Community management | Edit/delete forum posts, manage topics |
| Vendors | Marketplace sellers | Manage own products and orders via vendor portal |
Custom roles are created at Customers > Customer Roles > Add New. After creating, assign permissions via Configuration > Access Control List.
Admin UI paths
| Task | Path |
|---|---|
| Manage customers | Customers > Customers |
| Create/edit Customer Roles | Customers > Customer Roles |
| Configure ACL permissions | Configuration > Access Control List |
| Multi-store role mapping | Customers > Customer Roles > [Role] > "Limited to stores" checkbox |
| Activity log | Customers > Activity Log |
| Online customers | Customers > Online Customers |
| GDPR requests | Customers > GDPR Requests |
| External auth providers | Configuration > Authentication > External Authentication |
API access management
nopCommerce Web API (plugin-based):
- The official
Nop.Plugin.Apiexposes REST endpoints for customers, products, orders - Authentication via OAuth 2.0 Bearer tokens
- API clients are registered at Configuration > Web API > Clients with a client ID and secret
- Scopes control which resources a client can access (
nop_apiscope for full access) - Rate limiting is configurable per client
Direct database access:
- Customer records in
Customertable, roles inCustomerRole, mapping inCustomer_CustomerRole_Mapping - Permission records in
PermissionRecordwith mappings inPermissionRecord_Role_Mapping - External auth tokens in
ExternalAuthenticationRecord
Webhook/integration tokens:
- Plugins like Zapier or custom integrations use API keys stored in plugin settings
- Manage at Configuration > Plugins > [Plugin] > Configure
- No built-in API key rotation; requires manual update in plugin settings
Analytics-specific permissions
nopCommerce does not ship a dedicated analytics permission. Analytics access is controlled through:
AccessAdminPanel-- required for any back-office access including report viewingManageReports(custom) -- create a custom permission record for report-only users by adding an entry via a plugin- Built-in reports -- Sales reports, Customer reports, and Low Stock reports at Reports > [Category] require admin panel access
- Google Analytics plugin (
Widgets.GoogleAnalytics) -- configuration requiresManageWidgetspermission. The tracking code is injected via widget zones and only configurable by roles with widget management access. - Third-party analytics plugins -- plugins like Nop Google Analytics 4, Facebook Pixel, or custom tracking typically register their own permissions or fall under
ManagePlugins
To create a report-only user: create a custom "Analytics Viewer" role, grant only AccessAdminPanel, and use a plugin to add a custom permission for report pages. Deny ManageProducts, ManageOrders, and all configuration permissions.
The Activity Log at Customers > Activity Log tracks admin actions including configuration changes -- use it to audit who modified analytics settings.
Sub-pages
- Roles and Permissions -- ACL configuration, custom permission records, and multi-store role scoping
- Adding and Removing Users -- customer creation, role assignment, vendor onboarding, and account deactivation