Adding and Removing NopCommerce Users | OpsBlu Docs

Adding and Removing NopCommerce Users

Complete guide to adding, managing, and removing customer records in NopCommerce including registration, admin account creation, bulk operations, and...

Manage NopCommerce customer accounts securely and efficiently throughout the entire user lifecycle from registration to account deletion.

Understanding NopCommerce User Types

Customer vs. Admin Users

NopCommerce Terminology:

  • Customer: Anyone who visits the store (guests, registered users, admins)
  • Customer Role: Determines permissions and access level
  • Registered Customer: Has created an account
  • Administrator: Customer with admin role assigned

Default Customer Roles:

1. Administrators - Full access to admin panel
2. Forum Moderators - Manage forums
3. Registered - Standard registered customer
4. Guests - Anonymous visitors
5. Vendors - Third-party sellers (if enabled)

Adding New Customers (Public Registration)

Customer Self-Registration

Enable Registration:

Administration > Configuration > Settings > Customer settings

Customer settings:
✓ Allow customers to create accounts
  Registration method: Standard account
  or Email validation
  or Admin approval
✓ Notify about new customer registration
✓ Require unique email addresses

Registration Methods:

1. Standard Account:

  • Customer fills form
  • Account created immediately
  • Can log in right away

2. Email Validation:

  • Customer fills form
  • Receives activation email
  • Must click link to activate
  • Then can log in

3. Admin Approval:

  • Customer fills form
  • Admin receives notification
  • Admin manually approves
  • Customer receives approval email
  • Then can log in

Custom Registration Fields

Administration > Configuration > Settings > Customer settings > Customer form fields

Enable/Disable:
- First name (required)
- Last name (required)
- Date of birth
- Company name
- Street address
- City
- State/province
- Zip/postal code
- Country
- Phone number
- Fax number

Registration Notification

Administration > Configuration > Settings > Email accounts

Set up notifications:
- New customer registered notification
- Send to: admin@yourstore.com
- Template: Customer.NewCustomerNotification

Adding Customers via Admin Panel

Manual Customer Creation

Step 1: Access Customer Management

Administration > Customers > Customers > Add new

Step 2: Customer Info

Email: customer@example.com
Password: [Generate secure password]
First name: John
Last name: Doe

Date of birth: 01/15/1990
Gender: Male
Company: Company Name (optional)

Admin comment: Internal notes about this customer

Step 3: Assign Customer Roles

Customer roles:
✓ Registered
☐ Administrators
☐ Forum Moderators
☐ Guests
☐ Vendors

Note: Can assign multiple roles

Step 4: Additional Settings

Tax exempt: ☐ (Enable if customer shouldn't pay tax)
Active: ✓ (Uncheck to disable account)
Newsletter: ✓ (Subscribe to newsletter)

Affiliate: (Optional - if using affiliate system)
Vendor: (Optional - if multi-vendor enabled)

Step 5: Addresses

Add address:
- First name, Last name
- Email, Phone number
- Address line 1, Address line 2
- City, State/Province, Zip/Postal code
- Country
- Set as billing address
- Set as shipping address

Step 6: Orders Tab

View customer's order history:

  • Order number
  • Order total
  • Order status
  • Payment status
  • Shipping status
  • Created date

Step 7: Activity Log

Track customer activities:

  • Login attempts
  • Order placements
  • Password changes
  • Profile updates

Step 8: Current Shopping Cart

View items in customer's cart:

  • Product name
  • Quantity
  • Unit price
  • Total

Communicating Login Credentials

Secure Methods:

Option 1: Password Reset Link

1. Create account without password
2. Use "Send email (password recovery link)" button
3. Customer receives email with reset link
4. Customer sets own password

Option 2: Encrypted Email

1. Create account with temporary password
2. Email username separately
3. Send password via secure channel (not same email)
4. Require password change on first login

Option 3: In-Person

1. Create account with temporary password
2. Provide credentials in person
3. Customer logs in immediately
4. Changes password on first access

Bulk Customer Operations

Importing Customers

Step 1: Prepare Import File

Create Excel file with columns:

Email,FirstName,LastName,Gender,DateOfBirth,Company,Country,StateProvince,City,Address1,Address2,ZipPostalCode,PhoneNumber,CustomerRoleSystemNames,Active

customer1@example.com,John,Doe,M,1990-01-15,Company Inc,United States,California,Los Angeles,123 Main St,,90001,555-1234,Registered,true
customer2@example.com,Jane,Smith,F,1985-05-20,,United Kingdom,London,London,456 High St,,SW1A 1AA,555-5678,Registered,true

Step 2: Import via Plugin

Administration > Configuration > Local plugins

Install: Nop.Plugin.Misc.ImportCustomers (or similar)

Configuration:
1. Upload Excel file
2. Map columns to NopCommerce fields
3. Set import options:
   - Skip existing customers
   - Update existing customers
   - Send welcome emails
4. Click Import
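
A pre-upload check for the import file from Step 1, written here as an added example (it is not part of NopCommerce, the import plugin, or the original page). It rejects rows whose column count differs from the header, repeated emails, and any role outside an allow-list, so a bulk import cannot silently grant privileged roles. The `;` role separator and the allow-list are assumptions.

```python
import csv
import io
import re

# Column order taken from the import template on this page.
HEADER = ("Email,FirstName,LastName,Gender,DateOfBirth,Company,Country,StateProvince,"
          "City,Address1,Address2,ZipPostalCode,PhoneNumber,CustomerRoleSystemNames,"
          "Active").split(",")
ALLOWED_ROLES = {"Registered"}  # assumption: privileged roles are never bulk-imported
ROLE_SEPARATOR = ";"            # assumption: separator when a row lists several roles
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_import(text):
    """Return (line_number, problem) tuples for a customer import file."""
    reader = csv.reader(io.StringIO(text))
    if next(reader, None) != HEADER:
        return [(1, "header does not match the import template")]
    problems, seen = [], set()
    for row in reader:
        line = reader.line_num
        if len(row) != len(HEADER):  # shifted columns would load into the wrong fields
            problems.append((line, f"{len(row)} fields, expected {len(HEADER)}"))
            continue
        rec = dict(zip(HEADER, row))
        email = rec["Email"].strip().lower()
        if not EMAIL_RE.match(email):
            problems.append((line, "invalid email"))
        elif email in seen:
            problems.append((line, "duplicate email"))
        seen.add(email)
        roles = {r.strip() for r in rec["CustomerRoleSystemNames"].split(ROLE_SEPARATOR)}
        extra = sorted(roles - ALLOWED_ROLES - {""})
        if extra:
            problems.append((line, "role not allowed in bulk import: " + ", ".join(extra)))
        if rec["Active"].strip().lower() not in ("true", "false"):
            problems.append((line, "Active must be true or false"))
    return problems


# Constructed sample: line 3 has an extra comma; line 4 reuses an email and asks for admin.
SAMPLE = ",".join(HEADER) + """
alice@example.com,Alice,Doe,F,1990-01-15,Company Inc,United States,California,Los Angeles,123 Main St,,90001,555-1234,Registered,true
bob@example.com,Bob,Smith,M,1985-05-20,,,United Kingdom,London,London,456 High St,,SW1A 1AA,555-5678,Registered,true
Alice@example.com,Eve,Roe,F,1992-03-02,,Germany,Berlin,Berlin,1 Test Str,,10115,555-0000,Registered;Administrators,true
"""

if __name__ == "__main__":
    print(*validate_import(SAMPLE), sep="\n")
```

Save the spreadsheet as CSV before running the check, and import only when the returned list is empty.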

Exporting Customers

Administration > Customers > Customers

Actions:
1. Export to Excel (all customers)
2. Export to XML (all customers)

Or filter first:
- Customer roles
- Registration date range
- Active/Inactive
- Then export filtered results

Bulk Edit Customer Roles

-- Custom SQL for bulk role assignment
-- Add "Registered" role to all active customers without it
-- Confirm the role ID in your own database before running; 3 is the Registered role in the default role list above
INSERT INTO [Customer_CustomerRole_Mapping] (CustomerId, CustomerRoleId)
SELECT c.Id, 3 -- 3 = Registered role ID
FROM [Customer] c
WHERE c.Active = 1
  AND c.IsSystemAccount = 0
  AND NOT EXISTS (
    SELECT 1
    FROM [Customer_CustomerRole_Mapping] ccrm
    WHERE ccrm.CustomerId = c.Id AND ccrm.CustomerRoleId = 3
  );

Managing Existing Customers

Updating Customer Information

Administration > Customers > Customers > Edit customer

Common Updates:

1. Change Email/Username:

Email: newemail@example.com
Username: newusername (if usernames enabled)

Note: Email must be unique unless setting allows duplicates

2. Reset Password:

Password section:
- Enter new password
- Or use "Send email (password recovery link)" button

Password requirements (configurable):
- Minimum length
- Require digits
- Require non-alphanumeric characters
- Require uppercase letters

3. Change Customer Role:

Customer roles:
✓ Registered
✓ Administrators  (Add admin access)

Apply changes > Customer now has admin access

4. Temporarily Disable Account:

Active: ☐ (Uncheck)

Result:
- Customer cannot log in
- Account preserved
- Can re-enable later

Customer Impersonation

For Support Purposes:

Administration > Customers > Customers > Edit customer

Actions:
Click "Impersonate" button

Result:
- You are logged in as the customer
- Can see exactly what they see
- Can reproduce issues
- Exit impersonation when done

Security Note: Only use for legitimate support purposes. Log all impersonation activities.

Viewing Customer Activity

Administration > Customers > Customers > Edit customer > Activity log tab

View:
- Login/Logout
- Add to cart
- Place order
- Edit profile
- Delete product
- Add product
- Edit product
- IP address for each activity
- Timestamp

Removing Customers

Before Deleting an Account

Compliance Checklist:

  • GDPR Compliance: Customer requested deletion (Right to be Forgotten)
  • Data Export: Provide customer with their data if requested
  • Order History: Preserve for legal/tax requirements
  • Financial Records: Maintain for accounting period
  • Related Data: Identify all associated records
  • Anonymization: Consider anonymizing instead of deleting

Method 1: Deactivate Account

Administration > Customers > Customers > Edit customer

Active: ☐ (Uncheck)

Result:
- Customer cannot log in
- Data preserved
- Can be reactivated
- Maintains referential integrity

Method 2: Anonymize Data

// Custom anonymization logic
var customer = await _customerService.GetCustomerByIdAsync(customerId);

// Anonymize personal data
customer.Email = $"deleted_{customer.Id}@anonymized.local";
customer.Username = $"deleted_{customer.Id}";

// Clear generic attributes
await _genericAttributeService.SaveAttributeAsync<string>(customer, NopCustomerDefaults.FirstNameAttribute, "Deleted");
await _genericAttributeService.SaveAttributeAsync<string>(customer, NopCustomerDefaults.LastNameAttribute, "User");
await _genericAttributeService.SaveAttributeAsync<string>(customer, NopCustomerDefaults.PhoneAttribute, "");
await _genericAttributeService.SaveAttributeAsync<string>(customer, NopCustomerDefaults.StreetAddressAttribute, "");

// Deactivate
customer.Active = false;
await _customerService.UpdateCustomerAsync(customer);

Hard Delete (Caution)

Via Admin Panel:

Administration > Customers > Customers

Select customer > Delete button

Warning: This action cannot be undone
Confirm deletion

Result:
- Customer record deleted
- Associated data may be orphaned
- Orders may lose customer reference

Data Cleanup After Deletion:

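-- Clean up orphaned records (use with caution)
-- Set this to the ID of the customer that was deleted
DECLARE @CustomerId INT = 0; -- placeholder value

-- Shopping cart items (ShoppingCartTypeId 1 = shopping cart)
DELETE FROM [ShoppingCartItem] WHERE CustomerId = @CustomerId AND ShoppingCartTypeId = 1;

-- Wish list (ShoppingCartTypeId 2 = wish list)
DELETE FROM [ShoppingCartItem] WHERE CustomerId = @CustomerId AND ShoppingCartTypeId = 2;

-- Customer addresses: collect the address IDs before removing the mapping rows,
-- otherwise the lookup finds nothing and the address rows are left behind
DECLARE @AddressIds TABLE (AddressId INT);
INSERT INTO @AddressIds
SELECT AddressId FROM [CustomerAddressMapping] WHERE CustomerId = @CustomerId;

DELETE FROM [CustomerAddressMapping] WHERE CustomerId = @CustomerId;
DELETE FROM [Address] WHERE Id IN (SELECT AddressId FROM @AddressIds);

-- Customer roles mapping
DELETE FROM [Customer_CustomerRole_Mapping] WHERE CustomerId = @CustomerId;

-- Generic attributes
DELETE FROM [GenericAttribute] WHERE EntityId = @CustomerId AND KeyGroup = 'Customer';

-- Activity log
DELETE FROM [ActivityLog] WHERE CustomerId = @CustomerId;

-- Note: Orders should typically be preserved for legal/tax reasons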

GDPR Data Deletion

Built-in GDPR Features:

Administration > Configuration > Settings > GDPR settings

Enable GDPR:
✓ GDPR enabled
✓ Log "consent to GDPR" records
✓ Log "newsletter subscriptions" records
✓ Log "user profile changes" records

Customer rights:
✓ Allow users to export their personal data
✓ Allow users to delete their account
  Delete account delay (days): 30

Customer Self-Service Deletion:

Customer account page > GDPR tools > Delete account

Process:
1. Customer requests deletion
2. Admin receives notification
3. Waiting period (configurable)
4. Account automatically deleted/anonymized
5. Customer receives confirmation

Bulk Customer Removal

Export Before Deletion

Administration > Customers > Customers

1. Filter customers to delete (e.g., inactive > 2 years)
2. Export to Excel (backup)
3. Document deletion reason
4. Proceed with deletion

SQL Bulk Deletion (Advanced)

-- Delete inactive customers with no orders (older than 2 years)
SET XACT_ABORT ON; -- roll back the whole batch if any statement fails
BEGIN TRANSACTION;

-- LastActivityDateUtc is stored in UTC, so compare against the UTC clock
DECLARE @TwoYearsAgo DATETIME = DATEADD(YEAR, -2, GETUTCDATE());

-- Get customer IDs to delete
DECLARE @CustomersToDelete TABLE (CustomerId INT);

INSERT INTO @CustomersToDelete
SELECT c.Id
FROM [Customer] c
WHERE c.Active = 0
  AND c.IsSystemAccount = 0
  AND c.LastActivityDateUtc < @TwoYearsAgo
  AND NOT EXISTS (SELECT 1 FROM [Order] o WHERE o.CustomerId = c.Id);

-- Remember the address IDs before the mapping rows are removed
DECLARE @AddressesToDelete TABLE (AddressId INT);

INSERT INTO @AddressesToDelete
SELECT AddressId FROM [CustomerAddressMapping] WHERE CustomerId IN (SELECT CustomerId FROM @CustomersToDelete);

-- Delete related records first (in order)
DELETE FROM [ShoppingCartItem] WHERE CustomerId IN (SELECT CustomerId FROM @CustomersToDelete);
DELETE FROM [CustomerAddressMapping] WHERE CustomerId IN (SELECT CustomerId FROM @CustomersToDelete);
DELETE FROM [Address] WHERE Id IN (SELECT AddressId FROM @AddressesToDelete);
DELETE FROM [Customer_CustomerRole_Mapping] WHERE CustomerId IN (SELECT CustomerId FROM @CustomersToDelete);
DELETE FROM [GenericAttribute] WHERE EntityId IN (SELECT CustomerId FROM @CustomersToDelete) AND KeyGroup = 'Customer';
DELETE FROM [ActivityLog] WHERE CustomerId IN (SELECT CustomerId FROM @CustomersToDelete);

-- Finally, delete customers
DELETE FROM [Customer] WHERE Id IN (SELECT CustomerId FROM @CustomersToDelete);

COMMIT TRANSACTION;

-- Return count
SELECT COUNT(*) AS DeletedCount FROM @CustomersToDelete;

Security Best Practices

Account Creation Security

Password Requirements:

Administration > Configuration > Settings > Customer settings > Password and security

Password minimum length: 8
Password must have at least one lowercase character: ✓
Password must have at least one uppercase character: ✓
Password must have at least one non-alphanumeric character: ✓
Password must have at least one digit: ✓

Failed password attempts lockout: ✓
Number of failed password attempts: 5
Failed password lockout time (minutes): 30

Email Verification

Registration method: Email validation

Benefits:
- Confirms valid email address
- Prevents spam registrations
- Reduces fake accounts
- Improves data quality

Two-Factor Authentication

Administration > Configuration > Settings > Customer settings > Multi-factor authentication

Enable for:
- All customers (optional)
- Administrators (recommended)

Methods:
- Email verification code
- SMS (requires plugin)
- Authenticator app (requires plugin)

Admin Account Security

Best Practices:

  1. Unique Admin Emails:

    Don't use: admin@yourstore.com
    Use: firstname.lastname@yourstore.com
    
  2. Strong Passwords:

    Minimum 16 characters
    Mix of uppercase, lowercase, numbers, symbols
    Never reuse passwords
    Use password manager
    
  3. Regular Audits:

    Monthly: Review admin accounts
    Quarterly: Remove inactive admins
    Annually: Force password resets
    
  4. Principle of Least Privilege:

    Don't assign Administrator role unless necessary
    Create custom roles with specific permissions
    Review and adjust permissions regularly
    

Monitoring and Compliance

Activity Logging

Administration > System > Log > Activity log

Monitor:
- New customer registrations
- Admin account creations
- Permission changes
- Account deletions
- Login failures
- Password resets

Customer Registry

Maintain external record:

Customer Management Registry

| ID | Email | Role | Created | Last Login | Status | Notes |
|----|-------|------|---------|------------|--------|-------|
| 123 | john@example.com | Registered | 2024-01-15 | 2024-12-20 | Active | VIP customer |
| 456 | admin@example.com | Administrator | 2023-05-10 | 2024-12-23 | Active | Store owner |
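
The admin reviews listed under Admin Account Security (unique admin emails, removing inactive admins) can be run against a registry like the one above. The Python sketch below is an added example, not part of NopCommerce or the original page; the CSV layout, the list of shared mailbox names and the 90-day threshold are assumptions.

```python
import csv
import io
from datetime import date

# Assumptions: the registry is kept as CSV with the column names of the table above,
# dates are ISO formatted, and several roles in one cell are separated by ';'.
SHARED_LOCAL_PARTS = {"admin", "administrator", "info", "support", "webmaster"}
STALE_AFTER_DAYS = 90  # assumption: one quarter, matching the quarterly review


def review_admins(registry_csv, today):
    """Return {email: [findings]} for every administrator row that needs attention."""
    report = {}
    for row in csv.DictReader(io.StringIO(registry_csv)):
        roles = [r.strip() for r in row["Role"].split(";")]
        if not any(r.startswith("Administrator") for r in roles):
            continue
        email = row["Email"].strip().lower()
        findings = []
        if email.split("@")[0] in SHARED_LOCAL_PARTS:
            findings.append("shared mailbox address")
        if row["Status"].strip().lower() != "active":
            findings.append("inactive account still holds admin role")
        last_login = row["Last Login"].strip()
        if not last_login:
            findings.append("never logged in")
        else:
            idle = (today - date.fromisoformat(last_login)).days
            if idle > STALE_AFTER_DAYS:
                findings.append(f"no login for {idle} days")
        if findings:
            report[email] = findings
    return report


# Constructed sample registry; the first two rows mirror the table above.
REGISTRY = """\
ID,Email,Role,Created,Last Login,Status
123,john@example.com,Registered,2024-01-15,2024-12-20,Active
456,admin@example.com,Administrator,2023-05-10,2024-12-23,Active
789,jane.smith@example.com,Administrator,2023-02-01,2024-06-30,Active
790,old.contractor@example.com,Administrator,2022-09-12,2024-12-01,Inactive
"""

if __name__ == "__main__":
    for email, findings in review_admins(REGISTRY, date(2024, 12, 31)).items():
        print(email, "->", "; ".join(findings))
```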

Compliance Documentation

Document all customer management activities:

- Account creation approvals
- Deletion requests and completions
- GDPR data export requests
- Access reviews
- Role changes
- Security incidents

Troubleshooting

Cannot Create Customer

Check:

  1. Email Already Exists:

    Settings allow duplicate emails: ☐
    Solution: Use unique email or enable duplicates
    
  2. Validation Errors:

    Required fields missing
    Invalid email format
    Password doesn't meet requirements
    
  3. Permission Issues:

    Your admin account lacks permission
    Need "Manage customers" permission
    

Customer Cannot Log In

Diagnose:

  1. Account Not Active:

    Check Active checkbox is enabled
    
  2. Email Not Validated:

    Registration method requires email validation
    Resend activation email
    
  3. Account Locked:

    Too many failed login attempts
    Wait for lockout period or unlock manually
    
  4. Wrong Customer Role:

    Needs "Registered" role to log in to store
    Needs "Administrators" role to access admin panel
    

Next Steps