Properly managing user access on your BigCommerce store ensures security, compliance, and operational efficiency. This guide covers adding new users, modifying permissions, and removing access.
Prerequisites
Before managing users:
Sufficient Permissions:
- Store Owner: Can manage all users
- Admin: Can manage users (varies by plan)
- Other roles: Cannot manage users
User Information:
- Full name
- Valid email address
- Appropriate role for their responsibilities
Approval:
- Document who requested access
- Verify business justification
- Note expected duration (if temporary)
Adding New Users
Step 1: Prepare for User Addition
Gather Required Information:
User Details:
- First name
- Last name
- Email address (must be unique per store)
- Job title or department
Access Requirements:
- Role needed (see Roles & Permissions)
- Access duration (permanent or time-limited)
- Specific permissions if using custom role
Security Requirements:
- Will user need MFA? (recommended for all users)
- IP restrictions needed? (Enterprise only)
- Remote or office-based access?
Document the Request:
Create a record containing:
- Date of request
- Requested by (name and department)
- Approved by (manager or store owner)
- Business justification
- Review date (recommended: 90 days)
Step 2: Add User via BigCommerce Control Panel
Navigate to User Management:
- Log in to BigCommerce control panel
- Go to Account Settings (gear icon in header)
- Click Users
Initiate User Creation:
- Click Add a User button
- Or click + Create User
Enter User Information:
- First Name: User's first name
- Last Name: User's last name
- Email Address: Unique email for login
- Select Role: Choose from dropdown:
- Store Owner
- Admin
- Marketing
- Order Fulfillment
- Product Manager
- Customer Support
- Custom Role (if created)
Optional: Add to Team (Enterprise):
- If using Teams feature, assign user to relevant team
- Teams allow grouping users by department or function
Send Invitation:
- Click Send Invitation
- User receives email with invitation link
- Invitation expires in 7 days
Step 3: User Accepts Invitation
User Actions:
Check Email:
- Look for email from noreply@bigcommerce.com
- Subject: "You've been invited to [Store Name]"
Click Invitation Link:
- Link is valid for 7 days
- Redirects to password creation page
Create Password:
- Enter secure password
- Password requirements:
- Minimum 8 characters
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least 1 number
- At least 1 special character
Set Up MFA (if required):
- Scan QR code with authenticator app (Google Authenticator, Authy, etc.)
- Enter verification code
- Save backup codes securely
Complete Login:
- User is now logged in and can access store based on assigned role
Step 4: Verify User Access
After user accepts invitation:
Confirm User is Active:
- Go to Account Settings > Users
- Verify user appears with Active status
- Check role assignment is correct
Test Permissions:
- Ask user to log in
- Verify they can access expected features
- Confirm they cannot access restricted areas
Document Activation:
- Record activation date
- Note any issues encountered
- Schedule first access review (30-90 days)
Managing Existing Users
Updating User Information
Change User Details:
- Go to Account Settings > Users
- Find user in list
- Click Edit (pencil icon)
- Update:
- Name
- Email address (creates new invitation)
- Role
- Team assignment (Enterprise)
- Click Save
Important: Changing email requires user to accept new invitation.
Changing User Roles
When to Change Roles:
- Promotion or job change
- Temporary elevated access needed
- Access reduction for security
- Contractor scope expansion/reduction
Steps:
Review Current Permissions:
- Note user's current role
- Document what will change
- Get approval for role change
Update Role:
- Go to Account Settings > Users
- Click Edit next to user
- Select new role from dropdown
- Click Save
Notify User:
- Inform user of role change
- Explain new permissions
- Document change date and reason
Set Review Date:
- If temporary elevation, set calendar reminder
- Schedule review to downgrade after project completion
Suspending User Access (Temporary)
BigCommerce doesn't have a native "suspend" feature. For temporary suspension:
Option 1: Remove User, Re-add Later
- Remove user from account
- Save their email and role information
- Re-invite when access should be restored
Option 2: Change to Restricted Role
- Change user's role to custom role with minimal permissions
- Document suspension date and reason
- Restore original role when needed
Option 3: Forced Password Reset (Not Recommended)
- Not a control at all: the user can request a password reset by email and log straight back in
- Use removal instead
Best Practice: Fully remove users for suspensions longer than 30 days.
Removing Users
When to Remove Users
Remove user access when:
- Employee Termination: Immediate removal required
- Contractor Project Complete: Remove after final deliverables
- Role Change: User no longer needs store access
- Security Incident: Compromised account
- Inactive Account: User hasn't logged in for 90+ days
- Company Policy: Scheduled access reviews indicate removal
Pre-Removal Checklist
Before removing a user:
Transfer Ownership: Reassign any owned resources
- Draft products or pages
- Scheduled campaigns
- API accounts the user created or whose credentials they know (these are not tied to the user and survive their removal)
- Saved reports or dashboards
Document Access: Record user's:
- Name and email
- Role and permissions
- Access duration
- Removal reason
- Removed by (your name)
- Date of removal
Backup Data: If user created content:
- Export product lists
- Save campaign settings
- Document custom configurations
Notify Stakeholders:
- Inform team of user removal
- Update documentation
- Reassign responsibilities
Step-by-Step User Removal
Navigate to User Management:
- Go to Account Settings > Users
- Locate user to remove
Initiate Removal:
- Click Delete icon (trash can) next to user
- Or click user's row, then Delete User
Confirm Deletion:
- Review warning message
- Confirm you want to remove user
- Click Delete or Confirm
Verify Removal:
- User should no longer appear in user list
- User cannot log in to store
- User receives no notification of removal
Post-Removal Actions:
- Delete and recreate any API accounts the user created or whose credentials they could have copied (deleting the user does not revoke them)
- Remove from external systems (SSO, if applicable)
- Update access documentation
- Archive removal record for compliance
Immediate Removal (Security Incidents)
For urgent removals (compromised account, terminated employee):
Immediate Actions:
Remove User Access:
- Delete user from Account Settings > Users immediately
- Do not wait for approval workflows
Revoke API Credentials:
- Go to Settings > API > Store-level API Accounts
- Delete any API accounts the user created or whose credentials they could have seen; deleting the user does not revoke them
- Credentials cannot be regenerated in place: create a replacement account with the same scopes, move integrations to it, then delete the old one
Change Passwords:
- If the user knew the Store Owner's login (or any other user's), change those passwords and confirm MFA is still enabled on them
- Reset passwords for any shared accounts
Review Audit Logs:
- Check recent activity by removed user
- Look for suspicious actions
- Document findings
Notify Team:
- Alert relevant stakeholders
- Document incident
- Review security policies
Managing API Access
Store-level API accounts are separate from control panel users in BigCommerce: they are not tied to the user who created them, so removing a user does not revoke any API credentials that user created or could have copied.
Removing API Access
For Store-Level API Accounts:
- Go to Settings > API > Store-level API Accounts
- Find API account to remove
- Click Edit
- Click Delete
- Confirm deletion
Important: Deleting API account immediately revokes access for all apps/integrations using those credentials.
Rotating API Credentials
When to Rotate:
- User with API access leaves company
- Suspected credential compromise
- Quarterly security maintenance
- Before/after contractor access
Steps:
Create New API Account:
- Generate new credentials with same scopes
- Test new credentials with integration
Update Application:
- Update app/integration to use new credentials
- Verify functionality
Delete Old API Account:
- Remove old credentials
- Verify old credentials no longer work
Document Change:
- Record credential rotation date
- Note who performed rotation
- Schedule next rotation
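Deleting the old API account is only proven complete when the old token is actually refused, so the "verify old credentials no longer work" step deserves a repeatable check. The following Python script is added here as an example (it is not BigCommerce's own tooling): it probes the store information endpoint, `GET /stores/{store_hash}/v2/store` authenticated with the `X-Auth-Token` header, with both tokens and reports whether the rotation is finished. The store hash and token values are placeholders, and the `FakeBigCommerce` class is a constructed stand-in for the real API so the check can be exercised offline.

```python
"""Verify a BigCommerce store-level API credential rotation.

After the new API account is created and the old one deleted, the new
token must still be accepted and the old one refused. This probes both
against the store information endpoint and reports the outcome.
"""
import urllib.error
import urllib.request

# GET /v2/store returns basic store details and needs only a read scope;
# a 401 or 403 here means the token is unknown, deleted or lacks access.
API_URL = "https://api.bigcommerce.com/stores/{store_hash}/v2/store"


def probe_token(store_hash, token, opener=urllib.request.urlopen):
    """Return the HTTP status the API gives this token (200 means accepted)."""
    req = urllib.request.Request(
        API_URL.format(store_hash=store_hash),
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )
    try:
        with opener(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verify_rotation(store_hash, new_token, old_token,
                    opener=urllib.request.urlopen):
    """Rotation is complete only if the new token works AND the old is refused."""
    new_status = probe_token(store_hash, new_token, opener)
    old_status = probe_token(store_hash, old_token, opener)
    return {
        "new_status": new_status,
        "old_status": old_status,
        "new_ok": new_status == 200,
        "old_revoked": old_status in (401, 403),
        "rotation_complete": new_status == 200 and old_status in (401, 403),
    }


class _FakeResponse:
    """Minimal response object with the context-manager protocol urlopen uses."""

    def __init__(self, status):
        self.status = status

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeBigCommerce:
    """Constructed stand-in for api.bigcommerce.com so the check runs offline.

    Accepts exactly the tokens it was given and answers 401 to any other,
    which is how the real API responds to a deleted API account's token.
    """

    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)

    def __call__(self, req, timeout=None):
        sent = {k.lower(): v for k, v in req.header_items()}
        if sent.get("x-auth-token") in self.valid_tokens:
            return _FakeResponse(200)
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)


if __name__ == "__main__":
    # Dry run against the fake. Against a real store, drop opener= and pass
    # the real store hash and the two tokens (the values here are placeholders).
    report = verify_rotation("abc123", "NEW-TOKEN", "OLD-TOKEN",
                             opener=FakeBigCommerce({"NEW-TOKEN"}))
    print(report)
```

Record the returned statuses in the rotation record; a `rotation_complete` of False with `old_revoked` False means the old account was not actually deleted (or a second account with the same token is still around) and the rotation is not done.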
Best Practices
User Lifecycle Management
Onboarding:
- Request submitted with business justification
- Approval from manager or Store Owner
- User created with minimum necessary role
- MFA enforced before first access
- User acknowledged security policies
- Access documented in user registry
Active Use:
- Regular access reviews (quarterly)
- Adjust permissions as role changes
- Monitor for inactive accounts
- Audit high-privilege access monthly
Offboarding:
- Remove access immediately on last day
- Transfer owned resources
- Revoke API credentials
- Document removal
- Notify relevant teams
Security Controls
Enforce MFA for All Users:
- Go to Account Settings > Security
- Enable Require Two-Factor Authentication
- Users must set up MFA on next login
- Verify all users have MFA enabled
Regularly Audit User List:
Monthly:
- Review Store Owner and Admin users
- Verify all are still with company
- Check for duplicate accounts
Quarterly:
- Full user list review
- Remove inactive users (60+ days no login)
- Verify roles still appropriate
- Check for shared accounts (violates ToS)
Annually:
- Comprehensive access review
- Update documentation
- Review and update custom roles
- Validate API account usage
Documentation
Maintain User Access Log:
Create spreadsheet or database with:
| Field | Description | Example |
|---|---|---|
| User Name | Full name | John Smith |
| Email | Login email | john.smith@example.com |
| Role | Current role | Admin |
| Added Date | When access granted | 2024-01-15 |
| Added By | Who granted access | Jane Doe |
| Justification | Why access needed | Store Manager |
| Review Date | Next scheduled review | 2024-04-15 |
| Status | Active, Inactive, Removed | Active |
| Notes | Additional info | Temporary for Q1 project |
Update Log When:
- User added
- Role changed
- User removed
- Quarterly reviews completed
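The monthly and quarterly checks above (high-privilege accounts, inactivity, duplicate and shared accounts, overdue review dates) are easy to skip when the register is read by eye. The following Python script is an added example, not BigCommerce's own tooling: it runs those checks over the register as a CSV with the columns of the table above plus a Last Login column, which is an assumption here and which the reviewer fills in from Account Settings > Users. The sample register embedded in the script is constructed for the example; the shared-mailbox heuristic and the 60-day inactivity threshold are taken from the checklist and are easy to tune.

```python
"""Quarterly access review run over the user access register.

Takes the register as CSV (the log table's columns plus a Last Login column
copied from Account Settings > Users) and flags each condition in the
monthly/quarterly checklist so nothing is missed by eye.
"""
import csv
import io
from datetime import date

HIGH_PRIVILEGE_ROLES = {"Store Owner", "Admin"}
INACTIVE_AFTER_DAYS = 60   # quarterly review threshold from the checklist
# Mailbox local-parts that usually mean a shared login rather than a person.
SHARED_MAILBOX_HINTS = ("admin", "support", "sales", "info", "shop", "team", "store")

# Constructed sample register: the log table's columns plus Last Login.
SAMPLE_REGISTER = """\
User Name,Email,Role,Added Date,Added By,Justification,Review Date,Status,Last Login,Notes
John Smith,john.smith@example.com,Admin,2024-01-15,Jane Doe,Store Manager,2024-04-15,Active,2024-05-01,
Ana Lopez,ana.lopez@example.com,Marketing,2024-02-01,Jane Doe,Q1 campaigns,2024-08-01,Active,2024-02-20,Temporary for Q1 project
Support Desk,support@example.com,Customer Support,2023-11-10,John Smith,Ticket handling,2024-05-10,Active,2024-05-03,
Ana Lopez,alopez@example.com,Product Manager,2024-03-05,John Smith,Catalog import,2024-09-05,Active,2024-05-02,
Old Contractor,dev@contractor.example,Admin,2023-06-01,Jane Doe,Theme work,2023-09-01,Removed,2023-08-30,
"""


def parse_register(text):
    """Parse the CSV register into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _as_date(value):
    return date.fromisoformat(value.strip()) if value and value.strip() else None


def review_register(rows, today):
    """Return (email, finding) pairs for every Active user needing attention."""
    findings = []
    seen_people = {}           # normalised name -> first email seen
    for row in rows:
        if row["Status"].strip() != "Active":
            continue           # removed or inactive users are already handled
        email = row["Email"].strip().lower()
        role = row["Role"].strip()
        review_due = _as_date(row.get("Review Date", ""))
        last_login = _as_date(row.get("Last Login", ""))

        if review_due and review_due < today:
            findings.append((email, "access review overdue since %s" % review_due))
        if last_login is None or (today - last_login).days > INACTIVE_AFTER_DAYS:
            findings.append((email, "no login for %d+ days: remove or re-justify"
                             % INACTIVE_AFTER_DAYS))
        if role in HIGH_PRIVILEGE_ROLES:
            findings.append((email, "high privilege (%s): re-confirm still employed" % role))
        if any(hint in email.split("@", 1)[0] for hint in SHARED_MAILBOX_HINTS):
            findings.append((email, "looks like a shared mailbox: one person per login"))
        person = " ".join(row["User Name"].split()).lower()
        if person in seen_people:
            findings.append((email, "duplicate account for same person (also %s)"
                             % seen_people[person]))
        seen_people.setdefault(person, email)
    return findings


def run_sample_review(today=date(2024, 5, 6)):
    """Run the review over the constructed sample as of a fixed date."""
    return review_register(parse_register(SAMPLE_REGISTER), today)


if __name__ == "__main__":
    for email, finding in run_sample_review():
        print("%-28s %s" % (email, finding))
```

Run it at each review, paste the findings into the review record, and resolve every line either by removing the account, adjusting its role, or writing a fresh justification with a new review date; an unresolved finding carried from one quarter to the next is the thing an auditor will ask about.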
Troubleshooting
Invitation Email Not Received
Possible Causes:
- Email in spam/junk folder
- Incorrect email address
- Corporate email filter blocking
- Invitation expired (>7 days old)
Solutions:
- Check spam folder
- Verify email address is correct
- Whitelist noreply@bigcommerce.com in the corporate mail filter
- Resend invitation:
- Go to Account Settings > Users
- Click Resend Invitation next to pending user
User Cannot Accept Invitation
Possible Causes:
- Invitation already accepted (user is already active)
- Invitation link expired or already used
- Stale browser session, cache or cookies
Solutions:
- Check if user is already active
- Clear browser cache and cookies
- Resend invitation
- Try different browser
User Has Wrong Permissions
Possible Causes:
- Incorrect role assigned
- Custom role misconfigured
- BigCommerce plan doesn't support feature
Solutions:
- Verify assigned role
- Check custom role permissions
- Update role if needed
- Verify plan supports required features
Cannot Remove User
Possible Causes:
- Insufficient permissions (must be Store Owner or Admin)
- User is the Store Owner (the owner account cannot be deleted, and you cannot delete your own account)
- Browser issue
Solutions:
- Verify you have Owner or Admin access
- Ask another Owner/Admin to remove user
- Contact BigCommerce support if issue persists
Removed User Can Still Access Store
Possible Causes:
- User not fully deleted
- User has multiple accounts
- API credentials the user created or knew are still active (deleting the user does not revoke them)
- Cache issue
Solutions:
- Verify user removed from Users list
- Check for duplicate accounts
- Delete and recreate the affected API accounts, then confirm the old credentials are refused
- Contact BigCommerce support
Compliance Considerations
Data Protection Regulations
When managing user access, consider:
GDPR (Europe):
- Document user access requests and approvals
- Maintain records of who accessed customer data
- Remove access within required timeframes
- Conduct regular access reviews
CCPA (California):
- Limit access to consumer data
- Document data access for audit purposes
- Remove access for terminated employees immediately
SOC 2 / PCI DSS:
- Implement least privilege access
- Regular access reviews and audits
- MFA for all users
- Document all access changes
Audit Trail
Maintain records of:
- All user additions (who, when, why)
- All user removals (who, when, why)
- Role changes and justifications
- Access reviews and findings
- Security incidents involving user accounts
Retention: Keep audit logs for minimum 2 years (longer if required by industry).