Overview
OpenCart uses User Groups to control admin panel access. Each user group defines:
- Access permissions: Which pages/features users can view
- Modify permissions: Which pages/features users can edit/delete
This allows you to:
- Limit staff access to specific areas
- Prevent accidental changes to critical settings
- Create role-based access control (RBAC)
- Maintain security and accountability
Understanding User Groups
Default User Groups
OpenCart includes one default group:
Administrator (ID: 1)
- Full access to all features
- Can view and modify everything
- No restrictions
Best Practice: Create custom groups instead of giving everyone Administrator access.
User Group Structure
Each user group has two permission sets:
Access Permission
- Controls which pages user can VIEW
- User sees menu items and can open pages
- Cannot make changes without Modify permission
Modify Permission
- Controls which pages user can EDIT/DELETE
- Requires Access permission to be effective
- Enables Save, Delete, and other action buttons
Example:
- Access: catalog/product → User can view product list
- Modify: catalog/product → User can add/edit/delete products
Managing User Groups
Viewing User Groups
Admin Panel > System > Users > User Groups
Displays:
- User Group Name
- Actions (Edit, Delete)
Adding User Groups
Navigate to User Groups
Admin Panel > System > Users > User Groups
Click Add New
- Click blue + button (top-right)
Enter Group Name
- User Group Name: Descriptive name (e.g., "Product Manager", "Order Processor")
Set Access Permissions
Scroll through the Access Permission list and check pages the group should VIEW:
Common Permission Patterns:
Product Manager:
- catalog/product
- catalog/category
- catalog/manufacturer
- catalog/option
- catalog/attribute
- sale/order (view only)
Order Processor:
- sale/order
- sale/return
- customer/customer (view only)
- report/sale_order
Marketing Manager:
- marketing/marketing
- marketing/coupon
- design/banner
- design/seo_url
- extension/module
Content Editor:
- catalog/information
- design/layout
- design/banner
- design/seo_url
Set Modify Permissions
Check pages where the group can MAKE CHANGES:
Note: Only include permissions where editing is needed. For view-only access, check only Access permission.
Save User Group
- Click Save button
Editing User Groups
Navigate to User Groups
Admin Panel > System > Users > User Groups
Click Edit (pencil icon)
Modify Permissions
- Add or remove permissions as needed
- Click Save
Warning: Removing permissions from a group in use will immediately affect all users in that group.
Deleting User Groups
Admin Panel > System > Users > User Groups
Select user group (checkbox)
Click Delete (trash icon)
Confirm deletion
Note: Cannot delete a user group that has users assigned to it. Reassign users first.
Common Permission Patterns
Full Product Management
Access:
- catalog/product
- catalog/category
- catalog/manufacturer
- catalog/attribute
- catalog/attribute_group
- catalog/option
- catalog/review
- catalog/download
- catalog/filter
- tool/upload
Modify:
- All of the above
Order Management Only
Access:
- sale/order
- sale/order_status
- sale/return
- customer/customer (view customer details)
- report/sale_order
- report/sale_return
Modify:
- sale/order (change status, add history)
- sale/return (process returns)
Marketing & SEO
Access:
- marketing/marketing
- marketing/coupon
- marketing/contact
- design/banner
- design/seo_url
- catalog/product (view products)
- catalog/category (view categories)
- extension/module
- extension/total
Modify:
- marketing/marketing
- marketing/coupon
- marketing/contact
- design/banner
- design/seo_url
- extension/module
Customer Service
Access:
- sale/order (view orders)
- sale/return
- customer/customer
- customer/customer_group
- customer/customer_approval
- marketing/contact
- report/customer_order
- report/customer_activity
Modify:
- sale/return
- customer/customer (edit customer details)
- marketing/contact
Store Manager (Almost Full Access)
Access:
- All catalog/*, sale/*, customer/*, marketing/*, design/*
- Most report/*
- Some extension/* (modules, shipping, payment)
Modify:
- Most of the above
- Exclude: System settings, user management, modifications
Do NOT give access to:
- setting/setting (store settings)
- user/* (user management)
- design/modification (OCMOD)
- extension/installer (extension upload)
- marketplace/api
Read-Only Reporting
Access:
- All report/*
- sale/order (view only)
- customer/customer (view only)
- catalog/product (view only)
Modify:
- None (read-only)
Permission Paths Reference
Catalog Permissions
catalog/product Product management
catalog/category Category management
catalog/manufacturer Manufacturer/brand management
catalog/option Product options
catalog/attribute Product attributes
catalog/attribute_group Attribute groups
catalog/review Product reviews
catalog/information Information pages (About Us, etc.)
catalog/download Digital downloads
catalog/filter Product filters
catalog/recurring Recurring profiles
Sales Permissions
sale/order Order management
sale/order_status Order statuses
sale/return Returns/RMA
sale/voucher Gift vouchers
sale/voucher_theme Voucher themes
sale/recurring Recurring payments
Customer Permissions
customer/customer Customer management
customer/customer_group Customer groups
customer/customer_approval Approve new customers
customer/custom_field Custom fields
Marketing Permissions
marketing/marketing Marketing/campaigns
marketing/coupon Discount coupons
marketing/contact Contact/newsletter
marketing/affiliate Affiliate management
Design Permissions
design/layout Page layouts
design/banner Banners
design/theme Theme editor
design/translation Language editor
design/seo_url SEO URLs
System Permissions
setting/setting Store settings (CRITICAL)
setting/store Multi-store management
setting/event Events
User Management Permissions
user/user Admin users (CRITICAL)
user/user_group User groups (CRITICAL)
user/api API users
Extension Permissions
extension/extension Extension management
extension/installer Extension upload (CRITICAL)
extension/modification OCMOD management (CRITICAL)
extension/module Module settings
extension/shipping Shipping methods
extension/payment Payment methods
extension/total Order totals
extension/analytics Analytics extensions
Reports Permissions
report/sale_order Sales reports
report/sale_tax Tax reports
report/sale_shipping Shipping reports
report/sale_return Returns reports
report/sale_coupon Coupon reports
report/product_viewed Product views
report/product_purchased Product purchases
report/customer_order Customer orders
report/customer_activity Customer activity
report/customer_search Customer searches
report/online Online customers
Tools Permissions
tool/upload File uploads
tool/backup Backup/restore (CRITICAL)
tool/log Error logs
Creating Custom Roles
Example: Content Writer
Purpose: Add/edit blog posts and info pages only
Create User Group
- Name: "Content Writer"
Access Permissions:
- catalog/information
- design/seo_url
- tool/upload (for images)
Modify Permissions:
- catalog/information
- design/seo_url
- tool/upload
Example: Inventory Manager
Purpose: Update stock levels and prices only
Create User Group
- Name: "Inventory Manager"
Access Permissions:
- catalog/product
- catalog/category (view only)
- catalog/manufacturer (view only)
- report/product_purchased
- report/stock
Modify Permissions:
- catalog/product (price, quantity, status only)
Limitation: OpenCart doesn't support field-level permissions. User can edit all product fields if they have modify permission.
Workaround: Create custom extension to limit specific field editing.
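One way such an extension could enforce the restriction on the server, shown as an added example that is not OpenCart code or part of the original page. The function name, the group ID 12 and the field names are hypothetical, the sample product is constructed, and where the function is called from inside the extension is left out.

```php
<?php
// Added example (hypothetical helper, not OpenCart code): server-side field
// allowlist for groups that hold Modify on catalog/product.
// The group ID and field names are constructed for illustration.
const FIELD_ALLOWLIST = [
    12 => ['price', 'quantity', 'status'],   // e.g. "Inventory Manager"
];

/**
 * Returns [$clean, $rejected]: $clean is the data that may be saved,
 * $rejected lists fields the user tried to change outside the allowlist.
 */
function restrictProductEdit(int $groupId, array $stored, array $submitted): array {
    $fields = FIELD_ALLOWLIST[$groupId] ?? null;
    if ($fields === null) {
        return [$submitted, []];              // group is not field-restricted
    }
    $allowed  = array_flip($fields);
    $clean    = $stored;                      // start from the saved product
    $rejected = [];
    foreach ($submitted as $field => $value) {
        if (isset($allowed[$field])) {
            $clean[$field] = $value;          // permitted field: take new value
        } elseif (!array_key_exists($field, $stored) || $stored[$field] != $value) {
            $rejected[] = $field;             // changed field: keep stored value
        }
    }
    return [$clean, $rejected];
}

// Constructed sample: the submitted form also tries to rename the product.
$stored    = ['name' => 'Widget', 'price' => '10.00', 'quantity' => '5', 'status' => '1'];
$submitted = ['name' => 'Free Widget', 'price' => '9.50', 'quantity' => '7', 'status' => '1'];
[$clean, $rejected] = restrictProductEdit(12, $stored, $submitted);
echo json_encode($clean), "\n";
echo 'rejected: ', implode(', ', $rejected), "\n";
```

Hiding form fields in the admin template is not enough on its own, because the restriction has to hold for whatever data the browser submits; the rejected list is worth writing to a log.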
Example: Junior Developer
Purpose: Install extensions and modify themes (but not core settings)
Create User Group
- Name: "Junior Developer"
Access Permissions:
- extension/extension
- extension/module
- design/*
- catalog/* (view products/categories)
Modify Permissions:
- extension/module
- design/layout
- design/banner
- design/theme
Do NOT give:
- extension/installer (can't upload new extensions)
- extension/modification (can't modify OCMODs)
- setting/setting (can't change store settings)
Assigning Users to Groups
When Creating New User
Admin Panel > System > Users > Users > Add New
User Group: Select from dropdown
Fill in other details
Save
Changing Existing User's Group
Admin Panel > System > Users > Users > Edit
User Group: Change selection
Save
Result: User immediately gets new permissions on next page load.
Testing Permissions
Test User Access
Create test user with new user group
Log in as test user (use different browser or incognito)
Verify:
- Can access permitted pages
- Cannot access restricted pages (404 or permission error)
- Can modify where permitted
- Cannot modify where restricted
Permission Denied Error
When user tries to access restricted page:
Warning: You do not have permission to access this page, please refer to your system administrator.
Causes:
- User group lacks Access permission for that path
- User status is Disabled
- User logged out (session expired)
Advanced Permission Management
Database-Level Permissions
User group permissions are stored in:
Table: oc_user_group
Columns:
- user_group_id: Primary key
- name: Group name
- permission: Serialized array of access/modify permissions
View permissions:
SELECT
user_group_id,
name,
permission
FROM oc_user_group;
Example permission data:
a:2:{
s:6:"access";a:10:{
i:0;s:15:"catalog/product";
i:1;s:16:"catalog/category";
// ... more paths
}
s:6:"modify";a:5:{
i:0;s:15:"catalog/product";
i:1;s:16:"catalog/category";
// ... more paths
}
}
Programmatic Permission Check
Extensions can check permissions:
File: admin/controller/extension/module/my_module.php
<?php
class ControllerExtensionModuleMyModule extends Controller {
    // Holds warnings for the view; declared so $this->error is a real property
    private $error = array();

    public function index() {
        // Check if user has access
        if (!$this->user->hasPermission('access', 'extension/module/my_module')) {
            $this->response->redirect($this->url->link('error/permission'));
        }

        // Check if user can modify
        if (!$this->user->hasPermission('modify', 'extension/module/my_module')) {
            // Show view-only interface
            $data['can_edit'] = false;
        } else {
            $data['can_edit'] = true;
        }

        // ... rest of controller
    }

    public function save() {
        // Always check modify permission for save actions
        if (!$this->user->hasPermission('modify', 'extension/module/my_module')) {
            $this->error['warning'] = 'You do not have permission to modify!';
            return;
        }

        // Proceed with save
    }
}
Custom Permission Checks
Create helper function:
File: system/library/cart/user.php (extend existing User class)
Or create new library:
File: system/library/permission_helper.php
<?php
class PermissionHelper {
    private $user;

    public function __construct($user) {
        $this->user = $user;
    }

    public function canViewProducts() {
        return $this->user->hasPermission('access', 'catalog/product');
    }

    public function canEditProducts() {
        return $this->user->hasPermission('modify', 'catalog/product');
    }

    public function canProcessOrders() {
        return $this->user->hasPermission('modify', 'sale/order');
    }

    public function canManageUsers() {
        return $this->user->hasPermission('access', 'user/user') &&
            $this->user->hasPermission('modify', 'user/user');
    }

    public function isAdministrator() {
        return $this->user->getGroupId() == 1;
    }
}
Security Best Practices
Principle of Least Privilege
- Give users only permissions they need
- Start restrictive, add permissions as needed
- Review permissions quarterly
Critical Permissions
Never give to non-administrators:
- setting/setting - Store configuration
- user/user - User management
- user/user_group - Permission management
- extension/installer - Extension uploads
- extension/modification - OCMOD management
- tool/backup - Database access
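The critical-permission list above and the permission column described under Database-Level Permissions can be combined into a periodic audit. The script below is an added example, not OpenCart code or part of the original page: the function names, group ID 11 and the sample rows are constructed, and the JSON fallback is an assumption beyond the serialized format the page shows.

```php
<?php
// Added example, not OpenCart code: flag risky grants in oc_user_group rows.
// CRITICAL is the page's "never give to non-administrators" list.
const CRITICAL = ['setting/setting', 'user/user', 'user/user_group',
                  'extension/installer', 'extension/modification', 'tool/backup'];
const ADMIN_GROUP_ID = 1; // default Administrator group, per the page

function decodePermission(string $raw): ?array {
    // allowed_classes => false: decode plain arrays only, so a tampered
    // column can never instantiate objects during unserialize().
    $p = @unserialize($raw, ['allowed_classes' => false]);
    // Assumption beyond the page: some OpenCart versions store JSON instead.
    $p = is_array($p) ? $p : json_decode($raw, true);
    if (!is_array($p)) {
        return null;                  // neither format: treat as corrupted
    }
    return ['access' => array_values((array)($p['access'] ?? [])),
            'modify' => array_values((array)($p['modify'] ?? []))];
}

function auditGroup(array $row): array {
    $p = decodePermission($row['permission']);
    if ($p === null) {
        return ['permission column does not decode'];
    }
    if ((int)$row['user_group_id'] === ADMIN_GROUP_ID) {
        return [];
    }
    $findings = [];
    foreach (['access', 'modify'] as $type) {
        foreach (array_intersect($p[$type], CRITICAL) as $path) {
            $findings[] = "critical $type grant: $path";
        }
    }
    // The page notes Modify needs Access to be effective; flag the mismatch.
    foreach (array_diff($p['modify'], $p['access']) as $path) {
        $findings[] = "modify without access: $path";
    }
    return $findings;
}
// Constructed sample rows, shaped like the result of the SELECT shown earlier.
$rows = [
    ['user_group_id' => 1, 'name' => 'Administrator',
     'permission' => serialize(['access' => CRITICAL, 'modify' => CRITICAL])],
    ['user_group_id' => 11, 'name' => 'Content Writer', 'permission' => serialize(
        ['access' => ['catalog/information', 'tool/backup'],
         'modify' => ['catalog/information', 'design/seo_url']])],
];
foreach ($rows as $row) {
    foreach (auditGroup($row) as $f) { echo "{$row['name']}: $f\n"; }
}
```

To run it against a live store, replace the sample rows with the result of the SELECT from the Database-Level Permissions section, fetched over a read-only database account.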
Audit User Actions
Enable activity logging:
System > Settings > Edit > Server tab
Use Compression: Enable
View user activity:
System > Users > User Activity
Regular Permission Reviews
Monthly:
- Review active users and their groups
- Disable inactive users
- Update permissions for role changes
Quarterly:
- Audit all user groups
- Remove unnecessary permissions
- Update for new features/extensions
Separation of Duties
Don't combine these permissions in one role:
- Financial settings + Order processing
- User management + Regular operations
- Extension installation + Content editing
Troubleshooting
User Can't See Menu Items
Cause: Lacks Access permission
Solution:
- Find user's group
- Edit user group
- Add Access permission for missing path
- User must re-login to see changes
User Can See Page But Can't Save
Cause: Has Access but not Modify permission
Solution:
- Edit user group
- Add Modify permission for that path
- Save
Permission Denied Despite Correct Settings
Causes:
Cache Issue
- Clear browser cache
- User re-login
Session Expired
- User re-login
Database Corruption
SELECT * FROM oc_user_group WHERE user_group_id = X;
- Verify permission data is not corrupted
Extension Override
- Some extensions modify permission checks
- Disable recently installed extensions
Can't Delete User Group
Cause: Users are assigned to that group
Solution:
- Find users in that group:
  SELECT user_id, username FROM oc_user WHERE user_group_id = X;
- Reassign users to different group
- Delete empty group