Shopware 6 uses a granular ACL (Access Control List) system where admin users are assigned to roles, and each role contains a set of fine-grained permission keys. Unlike simple module-level access, Shopware's ACL controls individual operations on specific entities -- you can allow a user to read products but not edit them, or allow order editing but deny refunds. The system covers both the Administration panel and the Admin API.
Permission model
Shopware 6's permission system has three components:
- Admin Users -- accounts that access the Administration panel or Admin API. Each user is assigned to one or more ACL roles.
- ACL Roles -- named sets of permission keys. Permissions are additive across all roles assigned to a user. A user with no roles has no access to anything (blank screen in admin).
- Permission Keys -- follow the pattern entity.operation (e.g., product.viewer, product.editor, product.creator, product.deleter). Additional keys control specific features like orders.create_discounts or promotion.editor.
Shopware ships around 200 or more permission keys, organized by entity. The admin UI groups them into readable categories.
Built-in and common roles
Shopware does not ship pre-defined roles -- you create them from scratch. Common configurations:
| Custom role | Permission keys | Typical use |
|---|---|---|
| Full Administrator | All permissions checked | Store owner, lead admin |
| Catalog Manager | product.*, category.*, property_group.*, media.* | Product and category management |
| Order Manager | order.viewer, order.editor, customer.viewer | Order processing, customer service |
| Content Editor | cms_page.*, media.*, landing_page.* | CMS page building and content updates |
| Marketing | promotion.*, newsletter_recipient.*, product_stream.*, analytics viewer keys | Campaign and promotion management |
| Developer | plugin.*, integration.*, system.*, log_entry.viewer | Extension installation, system configuration |
| Analytics Viewer | order.viewer, customer.viewer, analytics module keys | Read-only access to sales and customer data |
Admin UI paths
| Task | Path |
|---|---|
| Manage admin users | Settings > System > Users & Permissions > Users |
| Create/edit ACL roles | Settings > System > Users & Permissions > Roles |
| Assign roles to users | Settings > System > Users & Permissions > Users > [User] > Roles |
| Integration (API) keys | Settings > System > Integrations |
| Activity log | Not built-in; available via plugins (e.g., FroshTools) |
| Customer management | Customers > Overview |
| Customer groups | Settings > Shop > Customer Groups |
API access management
Admin API:
- RESTful API at /api/ for all admin operations
- Two auth methods: OAuth2 password grant (user credentials) or OAuth2 client credentials (integration keys)
- Integration keys are created at Settings > System > Integrations
- Each integration has a label, access key ID, and secret access key
- An integration's permissions come from the ACL role assigned to it (all permissions if no role is assigned)
- Separate from admin user accounts -- integrations are service identities
Store API:
- Customer-facing API at /store-api/
- Authenticated via the sw-access-key header (Sales Channel access key)
- Customer auth via the customer login endpoint, which returns a context token
- No admin permissions; scoped to storefront operations only
API token management:
- Integration keys do not expire; rotate by deleting and recreating
- Admin user OAuth tokens expire based on the shopware.api.access_token.lifetime config (default 600 seconds)
- Refresh tokens are available for admin user flows
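The two Admin API authentication flows above, and the token-lifetime handling that follows from the 600-second default, as an added example (not Shopware's own client code). It assumes the Admin API's OAuth2 token endpoint is POST /api/oauth/token, that the "administration" client_id is used for admin-user logins, and that the form fields are the standard OAuth2 ones (grant_type, client_id, client_secret, username, password, refresh_token); these come from the editor's knowledge of Shopware 6, not from this page. All credentials shown are constructed placeholders, and only the network-free parts are exercised by the test.

```python
"""Admin API token requests for both OAuth2 grants, plus expiry tracking.

Added example, not Shopware code. Endpoint path, the 'administration'
client_id and the OAuth2 field names are assumptions from the editor's
knowledge of Shopware 6; credentials below are constructed placeholders.
"""
import json
import time
import urllib.parse
import urllib.request

# Default of shopware.api.access_token.lifetime, in seconds (from the page).
DEFAULT_LIFETIME = 600


def password_grant(username, password):
    """Admin-user login: OAuth2 password grant. This flow also yields a refresh token."""
    return {
        "grant_type": "password",
        "client_id": "administration",  # assumed admin client id
        "username": username,
        "password": password,
    }


def client_credentials_grant(access_key_id, secret_access_key):
    """Integration login: OAuth2 client credentials. Integration keys do not expire
    and there is no refresh token; rotation means deleting and recreating the key."""
    return {
        "grant_type": "client_credentials",
        "client_id": access_key_id,
        "client_secret": secret_access_key,
    }


class TokenHolder:
    """Caches one access token and reports when it must be renewed."""

    def __init__(self, token_response, issued_at=None, skew=30):
        self.access_token = token_response["access_token"]
        self.refresh_token = token_response.get("refresh_token")  # absent for integrations
        self.expires_at = (issued_at if issued_at is not None else time.time()) + token_response["expires_in"]
        self.skew = skew  # renew a little early so in-flight requests do not fail

    def needs_refresh(self, now=None):
        current = now if now is not None else time.time()
        return current >= self.expires_at - self.skew

    def refresh_grant(self):
        """Form for the refresh-token grant, or None when the flow has no refresh token."""
        if not self.refresh_token:
            return None
        return {
            "grant_type": "refresh_token",
            "client_id": "administration",  # assumed admin client id
            "refresh_token": self.refresh_token,
        }


def request_token(base_url, form):
    """POST a grant form to the assumed /api/oauth/token endpoint (network call)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/oauth/token", data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def authorized_get(base_url, holder, path):
    """GET an Admin API route with the cached bearer token (network call)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/{path.lstrip('/')}")
    req.add_header("Authorization", f"Bearer {holder.access_token}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Constructed values; replace with a real instance URL and credentials to run live.
    base = "https://shop.example.invalid"
    holder = TokenHolder(request_token(base, password_grant("admin", "constructed-password")))
    if holder.needs_refresh():
        holder = TokenHolder(request_token(base, holder.refresh_grant()))
    print(authorized_get(base, holder, "/_info/version"))
```

The point of separating the two grant builders is operational: an integration token cannot be refreshed, so a service that uses client credentials must re-authenticate on expiry, while an admin-user session can keep a refresh token and should renew shortly before the configured lifetime runs out.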
Analytics-specific permissions
Shopware 6 includes built-in analytics and integrates with external tracking:
- Analytics module -- accessible at Marketing > Analytics in the admin panel. Shows conversion rates, order totals, and sales channel performance. Access requires the order.viewer and customer.viewer permission keys at minimum.
- Dashboard -- the admin dashboard displays sales charts, order counts, and recent orders. Visible to any user with the order.viewer permission.
- Google Analytics / GTM app -- installed from the Shopware Store. Configuration at Settings > Plugins > [Plugin] > Config. Requires plugin.viewer to see and system_config.editor to modify the tracking ID.
- Custom analytics apps -- Shopware apps can register custom admin modules. Access is controlled by the app's ACL requirements declared in its manifest.xml.
- Flow Builder -- automate analytics events (e.g., trigger a webhook on order completion for server-side tracking). Requires the flow.editor and flow.creator permissions.
- Sales Channel analytics -- each Sales Channel has its own analytics data. Users see analytics only for Sales Channels they have access to view.
To create a reporting-only role:
- Create a new role at Users & Permissions > Roles
- Check only: order.viewer, customer.viewer, product.viewer
- Leave all editor, creator, deleter keys unchecked
- Assign to the analytics team user accounts
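The additive role model from the permission-model section and the reporting-only checklist above, worked through as an added example (not Shopware code). It resolves a user's effective permission set from several roles, expands the product.* style shorthand used in the role table against a constructed subset of permission keys, answers entity/operation allow questions, and verifies that a role is read-only by refusing any editor, creator or deleter key. The catalogue, role names and users are constructed for the example; Shopware's real key list is much larger.

```python
"""Resolve a Shopware-style ACL: roles -> additive permission keys -> allow/deny.

Added example, not Shopware code. PERMISSION_CATALOGUE is a constructed
subset of entity.operation keys; the real instance ships around 200 or more.
"""
from fnmatch import fnmatchcase

# Constructed subset of permission keys following the entity.operation pattern.
PERMISSION_CATALOGUE = {
    "product.viewer", "product.editor", "product.creator", "product.deleter",
    "category.viewer", "category.editor", "category.creator", "category.deleter",
    "order.viewer", "order.editor",
    "customer.viewer", "customer.editor",
    "promotion.viewer", "promotion.editor",
    "orders.create_discounts",
}

# Operations that mutate data; a reporting-only role must carry none of these.
MUTATING_OPERATIONS = ("editor", "creator", "deleter")


def expand_keys(patterns, catalogue=PERMISSION_CATALOGUE):
    """Expand shorthand such as 'product.*' into concrete keys from the catalogue.
    A pattern that matches nothing raises, so a typo in a role definition is
    caught instead of silently granting nothing (or, elsewhere, too much)."""
    keys = set()
    for pattern in patterns:
        matched = {key for key in catalogue if fnmatchcase(key, pattern)}
        if not matched:
            raise ValueError(f"permission pattern matches nothing: {pattern!r}")
        keys |= matched
    return keys


def effective_permissions(user_roles, roles):
    """Union of all keys across the user's roles: the ACL is additive, and a user
    with no roles ends up with an empty set (no access at all)."""
    granted = set()
    for role_name in user_roles:
        granted |= roles[role_name]
    return granted


def is_allowed(granted, entity, operation):
    """True when the exact 'entity.operation' key is present."""
    return f"{entity}.{operation}" in granted


def is_read_only(granted):
    """Reporting-only check: no editor, creator or deleter key on any entity."""
    return not any(key.split(".", 1)[1] in MUTATING_OPERATIONS for key in granted)


# Constructed roles mirroring the page's role table; wildcards are expanded once.
ROLES = {
    "Catalog Manager": expand_keys(["product.*", "category.*"]),
    "Order Manager": expand_keys(["order.viewer", "order.editor", "customer.viewer"]),
    "Analytics Viewer": expand_keys(["order.viewer", "customer.viewer", "product.viewer"]),
}

if __name__ == "__main__":
    analyst = effective_permissions(["Analytics Viewer"], ROLES)
    print("analyst can view orders:", is_allowed(analyst, "order", "viewer"))
    print("analyst can edit orders:", is_allowed(analyst, "order", "editor"))
    print("analyst role is read-only:", is_read_only(analyst))
    combined = effective_permissions(["Catalog Manager", "Order Manager"], ROLES)
    print("combined can delete products:", is_allowed(combined, "product", "deleter"))
    print("no roles grants:", sorted(effective_permissions([], ROLES)))
```

Because permissions are additive, is_read_only has to be evaluated on the user's combined set, not on each role separately: a user who holds the reporting role plus any editing role is no longer read-only, which is the case to check when auditing analytics team accounts.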
Sub-pages
- Roles and Permissions -- ACL role configuration, permission key reference, and Sales Channel scoping
- Adding and Removing Users -- admin user creation, integration key management, and account deactivation