CS-Cart uses a privilege-based permission system where administrator accounts are assigned to usergroups that define granular access to specific admin panel functions. CS-Cart Multi-Vendor adds an additional layer with vendor administrator accounts that have their own isolated permission scope.
Permission model overview
CS-Cart structures admin access through:
- Administrator accounts -- Login accounts with access to the admin panel at
yourdomain.com/admin.php(the admin path is configurable) - Usergroups (Administrator type) -- Named collections of privileges that control which admin panel sections and actions are available. Each admin can belong to multiple usergroups.
- Privileges -- Individual toggles for specific actions like "Manage products," "View orders," "Manage settings," etc.
Permissions are additive: an admin's effective access is the union of all privileges from all their assigned usergroups. There is no deny mechanism.
Built-in account types
- Root Administrator -- The initial admin account created during installation. Has full, irrevocable access to all functionality. Cannot be restricted by usergroups. Only this account can manage other root administrators.
- Administrator -- Standard admin accounts. Access is determined entirely by their assigned usergroups. With no usergroup assignment, they have minimal access.
- Vendor Administrator (Multi-Vendor only) -- Admin accounts scoped to a single vendor/storefront. Can only manage their own products, orders, and vendor settings. Cannot access marketplace-wide configuration.
Available privilege categories
When creating or editing an administrator usergroup under Customers > User groups, you toggle privileges in these categories:
- Products -- View, manage, and import/export products and categories
- Orders -- View, manage, and export orders; process returns and refunds
- Customers -- View and manage customer accounts and customer usergroups
- Content -- Manage pages, blocks, banners, and site layouts
- Design -- Access theme editor, manage layouts, and edit templates
- Marketing -- Manage promotions, gift certificates, reward points, and newsletters
- Add-ons -- Install, configure, and manage CS-Cart add-ons
- Settings -- Access store-wide settings including payment methods, shipping, taxes, and general configuration
- Logs -- View admin activity and error logs
- User groups -- Manage usergroup definitions and assignments
Each category contains multiple individual privileges (e.g., under Orders: "View orders," "Manage orders," "Change order statuses").
Managing users in the admin panel
Adding an administrator:
- Go to Customers > Admins (or Customers > Administrators depending on version)
- Click Add administrator
- Enter email, username, and password
- Under the User groups tab, assign one or more administrator usergroups with status "Active"
- Save the account
Creating a usergroup:
- Go to Customers > User groups
- Click Add group and set the type to Administrator
- Name the group (e.g., "Order Managers," "Marketing Team")
- Save, then click the group name to configure privileges
- Toggle individual privileges on/off and save
Removing an admin:
- Go to Customers > Admins
- Select the account and delete it, or set its status to Disabled
- If the admin had API access, regenerate the affected API keys
API access management
CS-Cart provides a REST API authenticated via API keys:
- API keys are generated per-admin-user under Customers > Admins > [User] > API Access tab
- Each admin's API key inherits that admin's effective permissions from their usergroups
- API requests are authenticated with HTTP Basic Auth using the admin's email as username and their API key as password
- The API can be enabled/disabled globally under Settings > Security > Enable API
To create a limited API integration, create a dedicated admin account with a restricted usergroup and generate an API key for that account.
Analytics and tracking permissions
For analytics implementation on a CS-Cart store:
- Google Analytics -- Configured under Add-ons > Google Analytics (built-in add-on). Requires the "Manage add-ons" privilege to enable and configure the tracking ID.
- Custom script injection -- Add tracking scripts via Design > Layouts by adding HTML blocks to the header/footer, or by editing template files. Requires "Design" privileges.
- SEO settings -- Managed under Settings > SEO or the SEO add-on. Requires "Settings" privileges.
- Built-in statistics -- CS-Cart has a Dashboard with order and sales charts. Access to order statistics requires "View orders" privilege. The Statistics add-on (if installed) provides traffic data.
- Order export for analytics -- Exporting order data for external analytics tools requires "View orders" and "Export" privileges.
A user with only "View orders" can see sales data but cannot install tracking scripts. Analytics implementation requires "Add-ons" and/or "Design" privileges.
Multi-Vendor specifics
In CS-Cart Multi-Vendor, the permission model adds:
- Marketplace administrators control global settings, vendor approval, and commission structures
- Vendor administrators are isolated to their vendor panel. They cannot see other vendors' data or marketplace settings.
- Vendor admin privileges are configured separately under vendor-specific usergroups
- Vendors can be granted or denied access to specific features (e.g., promotions, HTML blocks) at the marketplace level
Security notes
- CS-Cart supports IP-based admin login restrictions under Settings > Security
- The admin panel URL can be changed from the default
/admin.phpfor security through obscurity - Password policy settings are under Settings > Security
- Admin activity is logged under Logs > Admin log when the "Logs" privilege is granted
- There is no native SSO or SCIM support -- admin accounts are local to the installation
Further Reading
- CS-Cart Overview -- Platform overview and analytics integration guides