Comprehensive step-by-step guide for managing Shopware user accounts, from creating new administrators to safely offboarding team members.
Prerequisites
To manage users, you must have:
- Administrator or User Manager role
- Access to Shopware Administration panel
- Appropriate permissions for user management
Plan Considerations:
- User limits depend on your Shopware edition (Community vs Commercial)
- Shopware 6 has improved user management compared to Shopware 5
- API access requires separate credentials
Adding Users to Shopware
Method 1: Administration Interface (Recommended)
Best for: Most user additions, visual management
Step 1: Access User Management
Administration → Settings → System → Users
Screenshot location: /screenshots/shopware-users-menu.png
Step 2: Create New User
- Click "Add user" button (top right)
- Enter required information:
Personal Information:
- First name: Required
- Last name: Required
- Email: Required (used for login and notifications)
- Username: Required (alternative login identifier)
Credentials:
- Password: Must meet complexity requirements
- Minimum 8 characters
- At least one uppercase letter
- At least one number
- Special characters recommended
- Confirm password: Must match
Localization:
- Locale: User interface language
- Time zone: For correct timestamp display
Step 3: Assign Role and Permissions
Select role from dropdown:
- Administrator: Full system access
- Editor: Content and product management
- Viewer: Read-only access
- Custom roles: As defined in your system
See Roles & Permissions for detailed role information.
Step 4: Configure Additional Settings
Media folder access:
- Limit to specific folders
- Grant full media library access
Sales channel access:
- Select which sales channels user can manage
- Useful for multi-store setups
Active status:
- ✓ Active: User can log in immediately
- ✗ Inactive: User created but cannot log in
Step 5: Save and Notify
- Click "Save"
- Send credentials to user via secure channel
- Never send passwords via email; use a password manager or require a reset on first login
Best practice: Enable "Force password change on first login" if available.
Method 2: API-Based User Creation
Best for: Automated provisioning, bulk imports, integrations
API Endpoint
POST /api/user
Content-Type: application/json
Authorization: Bearer {your-api-token}
Request Body
{
    "localeId": "locale-id-here",
    "username": "john.doe",
    "firstName": "John",
    "lastName": "Doe",
    "email": "john.doe@company.com",
    "password": "SecurePassword123!",
    "admin": false,
    "aclRoles": [
        {
            "id": "role-id-here"
        }
    ],
    "timeZone": "Europe/Berlin"
}
PHP Example
use Shopware\Core\Framework\Context;
use Shopware\Core\Framework\DataAbstractionLayer\EntityRepository;

// $userRepository is the injected repository for the "user" entity;
// $localeId and $roleId are existing locale / acl_role ids looked up beforehand.
/** @var EntityRepository $userRepository */
$userData = [
    'localeId'  => $localeId,
    'username'  => 'john.doe',
    'firstName' => 'John',
    'lastName'  => 'Doe',
    'email'     => 'john.doe@company.com',
    // Pass the plain password: the user entity's PasswordField hashes it on write.
    // Hashing it here as well stores a hash of a hash and the login will fail.
    'password'  => 'SecurePassword123!',
    'admin'     => false,
    'aclRoles'  => [['id' => $roleId]],
];
$userRepository->create([$userData], Context::createDefaultContext());
Node.js Example
const axios = require('axios');

// apiToken: an Admin API bearer token obtained from /api/oauth/token; keep it out of source control
async function createShopwareUser(apiToken) {
  try {
    const response = await axios.post(
      'https://your-shop.com/api/user',
      {
        localeId: 'locale-id',
        username: 'john.doe',
        firstName: 'John',
        lastName: 'Doe',
        email: 'john.doe@company.com',
        password: 'SecurePassword123!',
        admin: false,
        aclRoles: [{ id: 'role-id' }]
      },
      {
        headers: {
          'Authorization': 'Bearer ' + apiToken,
          'Content-Type': 'application/json'
        }
      }
    );
    // A successful create answers 204 No Content, so there is no body to print
    console.log('User created, status:', response.status);
  } catch (error) {
    // error.response is undefined for network errors, so fall back to the message
    console.error('Error:', error.response ? error.response.data : error.message);
  }
}
Method 3: CLI User Creation (Shopware 6)
Best for: Server administrators, deployment scripts
Create Administrator User
# Create new admin user (the username is a required positional argument)
bin/console user:create admin \
    --admin \
    --email="admin@company.com" \
    --firstName="Admin" \
    --lastName="User" \
    --password="SecurePassword123!"

# Create regular (non-admin) user. user:create has no role option:
# assign the ACL role afterwards in the Administration or via the API.
# Omit --password to be prompted for it, which keeps it out of shell history.
bin/console user:create regular.user \
    --email="user@company.com" \
    --firstName="Regular" \
    --lastName="User" \
    --password="SecurePassword123!"
Change User Password
# Prompts for the new password; keeping it off the command line keeps it out of shell history
bin/console user:change-password username
Method 4: Bulk User Import
Best for: Migrating from other platforms, large teams
Prepare CSV File
username,email,firstName,lastName,role,active
john.doe,john@company.com,John,Doe,editor,true
jane.smith,jane@company.com,Jane,Smith,viewer,true
bob.admin,bob@company.com,Bob,Admin,administrator,true
Import Script (PHP)
use Shopware\Core\Framework\Context;
use Shopware\Core\Framework\DataAbstractionLayer\EntityRepository;

/** @var EntityRepository $userRepository */
// $localeId is the locale id every imported user gets (required by the user entity).
// getRoleIdByName() and sendPasswordResetEmail() are helpers you implement:
// resolve an acl_role id from the CSV role name, and mail the reset link.
$csv = array_map('str_getcsv', file('users.csv', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES));
$header = array_shift($csv);
$context = Context::createDefaultContext();
foreach ($csv as $row) {
    $user = array_combine($header, $row);
    $userData = [
        'localeId'  => $localeId,
        'username'  => $user['username'],
        'email'     => $user['email'],
        'firstName' => $user['firstName'],
        'lastName'  => $user['lastName'],
        // Random throw-away password; the PasswordField hashes it on write,
        // and the user sets a real one through the reset link sent below
        'password'  => bin2hex(random_bytes(16)),
        'active'    => filter_var($user['active'], FILTER_VALIDATE_BOOLEAN),
        'aclRoles'  => [['id' => getRoleIdByName($user['role'])]],
    ];
    $userRepository->create([$userData], $context);
    // Send password reset email
    sendPasswordResetEmail($user['email']);
}
Modifying User Accounts
Change User Role
Via Administration:
Settings → System → Users → Select user → Edit → Change role → Save
Via API:
PATCH /api/user/{userId}
Content-Type: application/json
{
    "aclRoles": [
        {"id": "new-role-id"}
    ]
}
Update User Information
Fields you can modify:
- First name, Last name
- Email address (changes the login identifier)
- Username
- Locale and timezone
- Active status
- Role assignments
- Media folder permissions
- Sales channel access
Temporarily Disable User
Instead of deleting:
- Navigate to user account
- Uncheck Active status
- Save changes
- User cannot log in, but the account is preserved
Use cases:
- Temporary leave
- Pending investigation
- Seasonal workers
- Contractor between projects
Reset User Password
Administrator-initiated reset:
Settings → System → Users → Select user → Reset password
Self-service reset (if enabled):
- User clicks "Forgot password" on login
- Email sent with reset link
- User creates new password
Removing Users from Shopware
Pre-Removal Checklist
Before removing a user:
- Identify owned content - Products, categories, media created by user
- Reassign ownership - Transfer to another user
- Export activity logs - Keep audit trail
- Document removal reason - Compliance and records
- Backup user data - GDPR compliance
- Revoke API credentials - If user had API access
- Remove from integrations - Third-party services
Method 1: Soft Delete (Recommended)
Deactivate instead of delete:
- Navigate: Settings → System → Users
- Select user to remove
- Edit user
- Uncheck "Active"
- Save
Advantages:
- Preserves audit trail
- Maintains content attribution
- Can reactivate if needed
- Complies with data retention policies
Method 2: Hard Delete (Permanent)
Via Administration Interface
- Navigate: Settings → System → Users
- Select user (checkbox)
- Click "Delete" (trash icon)
- Confirm deletion
Warning dialog:
Are you sure you want to delete this user?
This action cannot be undone.
Content created by this user will be preserved but unassigned.
- Click "Delete" to confirm
What happens:
- User account deleted permanently
- Login credentials invalidated
- Content preserved (products, media, etc.)
- Activity logs maintained
- Cannot be undone
Via API
DELETE /api/user/{userId}
Authorization: Bearer {your-api-token}
const axios = require('axios');

// apiToken: an Admin API bearer token with permission to delete users
const deleteUser = async (userId, apiToken) => {
  await axios.delete(`https://your-shop.com/api/user/${userId}`, {
    headers: {
      'Authorization': 'Bearer ' + apiToken
    }
  });
};
Via CLI
# Delete user by ID
bin/console user:delete {user-id}
# Delete user by username
bin/console user:delete --username=john.doe
Method 3: Bulk User Deletion
Via Administration:
- Settings → System → Users
- Select multiple users (checkboxes)
- Bulk actions → Delete
- Confirm deletion
Via Script:
use Shopware\Core\Framework\Context;

$userIds = ['user-id-1', 'user-id-2', 'user-id-3'];
// One DAL call removes all of them inside a single transaction
$userRepository->delete(
    array_map(fn (string $id) => ['id' => $id], $userIds),
    Context::createDefaultContext()
);
Special Scenarios
Removing Administrator
Cannot remove last administrator:
- System requires at least one active admin
- Ensure another administrator exists first
- Transfer critical responsibilities
Steps:
- Create/verify backup administrator account
- Transfer ownership of critical resources
- Remove original administrator
Emergency Access Revocation
Security incident response:
- Disable account immediately: Uncheck Active status
- Change administrator password: If compromise suspected
- Review recent activity: Check audit logs
- Revoke API tokens: Invalidate all access tokens
- Reset 2FA: If applicable
- Document incident: For security records
GDPR Data Deletion
Right to be forgotten compliance:
use Shopware\Core\Framework\Context;

// Anonymize user data instead of deleting the row, so audit trails and
// content attribution keep pointing at a stable id
$anonymizedData = [
    'firstName' => 'Deleted',
    'lastName'  => 'User',
    'email'     => 'deleted-user-' . $userId . '@example.com',
    'username'  => 'deleted-' . $userId,
    'active'    => false,
];
// Spreading string keys requires PHP 8.1+
$userRepository->update([
    ['id' => $userId, ...$anonymizedData],
], Context::createDefaultContext());

// Remove the remaining personal data (avatar media, stored tokens, etc.);
// deleteUserPersonalData() is a helper you implement for your installation
deleteUserPersonalData($userId);
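An added example (not Shopware's code) that chains the steps from "Removing Administrator", "Emergency Access Revocation" and this GDPR section: it refuses to touch the last active administrator, deactivates the account first so access stops even if a later step fails, then anonymizes. The injected API client interface and the sample user records are assumptions.

```javascript
// Constructed stand-in for GET/PATCH on /api/user; a real client would call fetch or axios
class InMemoryAdminApi {
  constructor(users) { this.users = new Map(users.map((u) => [u.id, { ...u }])); this.calls = []; }
  async get(path) {
    this.calls.push(['GET', path]);
    if (path === '/api/user') return { data: [...this.users.values()] };
    const user = this.users.get(path.replace('/api/user/', ''));
    if (!user) throw new Error(`404 ${path}`);
    return { data: user };
  }
  async patch(path, body) {
    this.calls.push(['PATCH', path, body]);
    const user = this.users.get(path.replace('/api/user/', ''));
    if (!user) throw new Error(`404 ${path}`);
    Object.assign(user, body);
  }
}

// Refuse to lock out the last active administrator: nobody would be left to undo it
async function assertNotLastActiveAdmin(api, userId) {
  const { data: users } = await api.get('/api/user');
  const target = users.find((u) => u.id === userId);
  if (!target) throw new Error(`user ${userId} not found`);
  const otherAdmins = users.filter((u) => u.admin && u.active && u.id !== userId);
  if (target.admin && otherAdmins.length === 0) {
    throw new Error('refusing: this is the last active administrator, create another admin first');
  }
}

async function offboardUser(api, userId, { anonymize = false } = {}) {
  await assertNotLastActiveAdmin(api, userId);
  // Deactivate first: the login stops working even if a later step fails
  await api.patch(`/api/user/${userId}`, { active: false });
  // Per policy, replace personal data but keep the row so attribution and audit logs survive
  if (anonymize) {
    await api.patch(`/api/user/${userId}`, {
      firstName: 'Deleted', lastName: 'User',
      email: `deleted-user-${userId}@example.com`, username: `deleted-${userId}`,
    });
  }
  return (await api.get(`/api/user/${userId}`)).data;
}

// Constructed sample directory with a single active administrator
const SAMPLE_USERS = [
  { id: 'u1', username: 'admin', email: 'admin@company.com', admin: true, active: true },
  { id: 'u2', username: 'john.doe', email: 'john.doe@company.com', admin: false, active: true },
];
```

The recorded `calls` array doubles as the audit trail the offboarding checklist asks you to keep.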
Multi-Store User Management
Assign User to Specific Sales Channels
Per-channel access control:
- Edit user account
- Sales Channel Access section
- Select permitted channels:
- Main Store
- Wholesale Store
- International Store
- Save
Use cases:
- Regional managers
- Store-specific staff
- Vendor portal access
- Multi-brand management
Duplicate User Across Channels
Create similar user for different channel:
- Clone existing user settings
- Modify sales channel access
- Adjust permissions if needed
- Different login credentials recommended
Integration Management
Revoke API Access
When removing technical users:
- Navigate: Settings → System → Integrations
- Find user's API credentials
- Delete integration or regenerate keys
- Update applications using old credentials
Third-Party Service Access
Audit and revoke:
- Shopware plugins with user-specific configs
- External apps (Slack, CRM integrations)
- Webhook subscriptions
- OAuth tokens
Best Practices
User Onboarding
Security first:
- ✓ Strong password requirements enforced
- ✓ Unique username (not email alone)
- ✓ Least privilege principle
- ✓ Time-limited trial periods for contractors
- ✓ Enable two-factor authentication
- ✓ Document business justification
Documentation:
- Role assignment rationale
- Expected access duration
- Manager approval
- Security clearance level
User Offboarding
Immediate actions:
1. Disable account (same day)
2. Revoke API credentials
3. Remove from team channels
4. Transfer owned content
Within 24 hours:
5. Review recent activity
6. Export audit logs
7. Update documentation
8. Notify relevant teams
Within 1 week:
9. Archive user data (if required)
10. Delete or anonymize (per policy)
11. Update access control documentation
Regular Audits
Quarterly review:
- List all active users
- Verify employment status
- Check role appropriateness
- Identify inactive accounts (90+ days)
- Remove unnecessary accounts
- Update permissions
Audit script:
use Shopware\Core\Framework\Context;
use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
use Shopware\Core\Framework\DataAbstractionLayer\Search\Filter\RangeFilter;

// Find users inactive for 90+ days
$inactiveThreshold = new \DateTime('-90 days');
$criteria = new Criteria();
$criteria->addFilter(
    new RangeFilter('lastLogin', [
        RangeFilter::LTE => $inactiveThreshold->format('Y-m-d H:i:s'),
    ])
);
$inactiveUsers = $userRepository->search($criteria, Context::createDefaultContext());
foreach ($inactiveUsers->getEntities() as $user) {
    // Report for review first; deactivate only after the quarterly check confirms it
    echo $user->getUsername() . PHP_EOL;
}
Troubleshooting
Cannot Add User - Email Already Exists
Error: "This email address is already in use"
Solutions:
use Shopware\Core\Framework\Context;
use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
use Shopware\Core\Framework\DataAbstractionLayer\Search\Filter\EqualsFilter;

// Check whether a user with this email already exists
$criteria = new Criteria();
$criteria->addFilter(new EqualsFilter('email', 'user@example.com'));
$existingUser = $userRepository->search($criteria, Context::createDefaultContext())->first();
if ($existingUser) {
    // User exists: either reactivate the account or use a different email
    if (!$existingUser->getActive()) {
        // Reactivate existing user
        $userRepository->update([
            ['id' => $existingUser->getId(), 'active' => true],
        ], Context::createDefaultContext());
    }
}
User Cannot Login After Creation
Checklist:
- Active status enabled?
- Correct password entered?
- Username/email correct?
- Role assigned?
- Browser cache cleared?
- Check error logs:
var/log/
Debug:
# Check user status
bin/console user:list
# Reset password (prompts for the new one, so it stays out of shell history)
bin/console user:change-password username
Cannot Delete User - Last Administrator
Error: "Cannot delete the last administrator"
Solution:
- Create new administrator account
- Verify new admin can log in
- Delete original administrator
Bulk Import Fails
Common issues:
- CSV encoding (use UTF-8)
- Missing required fields
- Duplicate emails/usernames
- Invalid role IDs
- Password complexity not met
Debug:
// Log import errors without writing the plain-text password to the log file
try {
    $userRepository->create([$userData], Context::createDefaultContext());
} catch (\Exception $e) {
    $loggable = $userData;
    unset($loggable['password']);
    error_log('User import failed: ' . $e->getMessage());
    error_log('User data: ' . json_encode($loggable));
}
Security Considerations
Password Policies
Enforce strong passwords:
- Minimum length: 12 characters (recommended)
- Complexity: uppercase, lowercase, numbers, symbols
- Expiration: 90 days (configurable)
- History: Prevent reusing last 5 passwords
- Lockout: After 5 failed attempts
Two-Factor Authentication
Enable 2FA (Shopware 6.4+):
Settings → System → Users → Edit user → Enable 2FA
Methods:
- TOTP (Google Authenticator, Authy)
- Email-based codes
- SMS (with plugin)
Session Management
Timeout settings:
- Idle timeout: 30 minutes
- Absolute timeout: 8 hours
- Force logout on password change
- Concurrent session limits
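The timeout rules above as an added example that is not from Shopware: a sweep that returns each session to terminate and why, applying the idle and absolute limits, the forced logout after a password change, and a per-user concurrency cap. The session and user record shapes and the limit values are assumptions.

```javascript
// Limits from the list above; the values are assumptions for this demo
const SESSION_RULES = { idleMs: 30 * 60 * 1000, absoluteMs: 8 * 60 * 60 * 1000, maxConcurrent: 2 };
// Reason a session must end, or null while it is still valid (timestamps: epoch ms)
function sessionRejectReason(session, user, now) {
  if (!user || !user.active) return 'account disabled';
  if (now - session.lastSeenAt > SESSION_RULES.idleMs) return 'idle timeout';
  if (now - session.createdAt > SESSION_RULES.absoluteMs) return 'absolute timeout';
  // Force logout on password change: any session created before the change is stale
  if (user.passwordChangedAt && session.createdAt < user.passwordChangedAt) return 'password changed';
  return null;
}
// Concurrent-session limit: keep the most recently used ones, evict the rest
function enforceConcurrentLimit(sessions) {
  const sorted = [...sessions].sort((a, b) => b.lastSeenAt - a.lastSeenAt);
  return { keep: sorted.slice(0, SESSION_RULES.maxConcurrent), evict: sorted.slice(SESSION_RULES.maxConcurrent) };
}
// The sweep a scheduled task would run: returns every session to terminate, with its reason
function sweepSessions(sessions, usersById, now) {
  const terminated = [], live = [];
  for (const s of sessions) {
    const reason = sessionRejectReason(s, usersById[s.userId], now);
    if (reason) terminated.push({ id: s.id, reason }); else live.push(s);
  }
  const byUser = {};
  for (const s of live) (byUser[s.userId] = byUser[s.userId] || []).push(s);
  for (const list of Object.values(byUser)) {
    for (const s of enforceConcurrentLimit(list).evict) terminated.push({ id: s.id, reason: 'concurrent session limit' });
  }
  return terminated;
}

// Constructed sample data: "now" is a fixed instant so the results are reproducible
const NOW = Date.UTC(2024, 0, 1, 9, 0, 0), MIN = 60 * 1000, HOUR = 60 * MIN;
const SESSION_USERS = {
  u1: { active: true, passwordChangedAt: null },
  u2: { active: true, passwordChangedAt: NOW - 10 * MIN },
  u3: { active: false, passwordChangedAt: null },
};
const SAMPLE_SESSIONS = [
  { id: 's1', userId: 'u1', createdAt: NOW - HOUR, lastSeenAt: NOW - 5 * MIN },     // least recently used of u1's live ones
  { id: 's2', userId: 'u1', createdAt: NOW - HOUR, lastSeenAt: NOW - 31 * MIN },    // idle
  { id: 's3', userId: 'u1', createdAt: NOW - 9 * HOUR, lastSeenAt: NOW - MIN },     // absolute
  { id: 's4', userId: 'u2', createdAt: NOW - 20 * MIN, lastSeenAt: NOW - MIN },     // created before the password change
  { id: 's5', userId: 'u2', createdAt: NOW - 5 * MIN, lastSeenAt: NOW - MIN },
  { id: 's6', userId: 'u3', createdAt: NOW - MIN, lastSeenAt: NOW },                // disabled account
  { id: 's7', userId: 'u1', createdAt: NOW - 2 * MIN, lastSeenAt: NOW - 2 * MIN },
  { id: 's8', userId: 'u1', createdAt: NOW - 3 * MIN, lastSeenAt: NOW - 3 * MIN },
];
```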
Next Steps
- Shopware Roles & Permissions - Detailed permission guide
- Shopware User Management Overview - General concepts
- Shopware Security Best Practices