Understanding BigCommerce's user roles and permissions system is essential for managing store access securely and efficiently. This guide covers all available roles, their capabilities, and best practices for permission management.
BigCommerce User Role Structure
BigCommerce uses a role-based access control (RBAC) system with predefined roles and customizable permissions.
Role Types
BigCommerce offers two categories of user roles:
- Standard Roles: Predefined roles with fixed permissions
- Custom Roles: User-defined roles with granular permission control (available on Plus, Pro, and Enterprise plans)
Standard User Roles
Store Owner
Description: Full administrative access to the store.
Key Capabilities:
- Complete control over all store settings
- Manage billing and subscription
- Add, edit, and remove users
- Access all features and settings
- Manage API accounts and tokens
- Configure checkout settings
- Manage domains and SSL certificates
- Access store design and themes
- View and manage all orders and customers
Use Cases:
- Business owner or primary stakeholder
- Agency owner managing client stores
- Technical lead responsible for store operations
Security Considerations:
- There is one Store Owner account per store; never share its credentials, and keep it with the person accountable for the business
- Require MFA (BigCommerce calls it two-factor authentication)
- Do not use it for day-to-day operations; give daily operators an Admin or narrower role
- Use it only for critical changes (billing, ownership, user management)
Note: Only the Store Owner can:
- Delete the store
- Transfer store ownership
- Manage billing information
User management normally also sits with the Store Owner, although on some plans Admins can add and remove users (see the Admin role below).
Admin
Description: Broad administrative access without billing or ownership controls.
Key Capabilities:
- Manage products, categories, and inventory
- Process and manage orders
- View and manage customers
- Configure shipping and tax settings
- Access marketing tools
- Manage apps and integrations
- Configure store settings (excluding billing)
- Access analytics and reports
Use Cases:
- Store manager
- Operations lead
- Senior team members
- Trusted agency staff
Limitations:
- Cannot access billing settings or delete the store
- Cannot add or remove users (varies by plan)
- Cannot transfer store ownership
Marketing
Description: Focused on marketing tools and customer engagement.
Key Capabilities:
- Create and manage promotions and coupons
- Configure email marketing settings
- Manage banners and marketing content
- Access customer lists and segments
- View analytics and reports
- Configure SEO settings
- Manage social media integrations
Cannot Access:
- Billing settings
- User management
- Store configuration
- Checkout settings
- Server settings
Use Cases:
- Marketing team members
- Email marketing specialists
- SEO specialists
- Social media managers
Order Fulfillment
Description: Limited to order processing and fulfillment operations.
Key Capabilities:
- View and manage orders
- Process shipments
- Print packing slips and invoices
- Update order status
- View customer information (limited)
- Access shipping tools
Cannot Access:
- Product management
- Pricing changes
- Store settings
- Marketing tools
- Customer management (beyond order context)
Use Cases:
- Warehouse staff
- Fulfillment team
- Third-party logistics (3PL) providers
- Customer service handling order issues
Product Manager
Description: Focused on product catalog management.
Key Capabilities:
- Create, edit, and delete products
- Manage product categories and brands
- Configure product options and variants
- Manage inventory levels
- Upload and manage product images
- Configure product SEO settings
- Import/export products
Cannot Access:
- Order management
- Customer data
- Billing settings
- Store configuration
- Marketing tools
Use Cases:
- Merchandising team
- Content managers
- Product data specialists
- Inventory managers
Customer Support
Description: Customer-facing role for support operations.
Key Capabilities:
- View customer profiles
- View order history
- Process returns and refunds (if enabled)
- Respond to customer inquiries
- Update order status
- Limited product viewing
Cannot Access:
- Product editing
- Pricing changes
- Store settings
- Marketing tools
- Other users' data
Use Cases:
- Customer service representatives
- Support team members
- Chat support operators
- Returns specialists
Custom Roles (Plus, Pro, Enterprise)
Higher-tier BigCommerce plans allow creation of custom roles with granular permissions.
Available Permission Modules
Custom roles can configure access to:
Products:
- View products
- Create/edit products
- Delete products
- Manage categories
- Manage brands
Orders:
- View orders
- Edit orders
- Delete orders
- Process refunds
- Export orders
Customers:
- View customers
- Edit customers
- Delete customers
- Manage customer groups
- Export customers
Marketing:
- Manage coupons
- Manage gift certificates
- Configure email marketing
- Manage banners
- SEO settings
Content:
- Manage pages
- Edit theme
- Manage blog posts
- Upload images
Settings:
- Store settings
- Shipping settings
- Tax settings
- Payment methods
- Checkout settings
Apps & Integrations:
- Install apps
- Configure apps
- Manage API accounts
Analytics:
- View reports
- Export reports
Creating Custom Roles
Requirements:
- BigCommerce Plus, Pro, or Enterprise plan
- Store Owner or Admin access
Steps:
Navigate to User Management:
- Go to Account Settings > Users
- Click User Roles tab
Create New Role:
- Click Create Role
- Enter role name and description
Configure Permissions:
- Toggle permissions for each module
- Set to View Only, Edit, or No Access
- Review summary of selected permissions
Save Role:
- Click Save
- Role is now available when inviting users
Best Practices:
- Use descriptive role names (e.g., "Warehouse Manager" not "Role 1")
- Document what each custom role can access
- Start with minimal permissions, add as needed
- Review custom roles quarterly
Permission Best Practices
Principle of Least Privilege
Grant minimum necessary access:
- Good: Marketing user can view products but not edit prices
- Bad: Giving Admin role to someone who only needs to create coupons
Examples:
Warehouse Staff:
- Role: Order Fulfillment (standard) or custom role
- Permissions: View/edit orders, manage shipments
- No access to: Products, pricing, settings
Content Writer:
- Role: Custom role
- Permissions: Manage pages, upload images, view products
- No access to: Orders, customers, settings
Agency Developer:
- Role: Admin or custom developer role
- Permissions: Theme editing, apps, settings (excluding billing)
- Time-limited access for project duration
Role Assignment Strategy
Assess User Needs
Before assigning roles, determine:
What tasks will the user perform?
- Order processing? → Order Fulfillment
- Product updates? → Product Manager
- Marketing campaigns? → Marketing
What data must they access?
- Customer data needed? → Customer Support or custom role
- Financial data needed? → Admin or Owner only
How long will they need access?
- Temporary contractor? → Time-limited, document removal date
- Permanent employee? → Standard role assignment
What's the security risk of the access being granted?
- High (billing, ownership, user management, store settings): Store Owner or Admin only, with MFA enforced and the assignment documented
- Medium (order, customer, or catalog data): a standard role, with the access recorded in the register
- Low (one narrow task): a custom role with only the permissions that task needs
Document Role Assignments
Maintain a record of:
- User name and email
- Role assigned
- Date granted
- Granted by (approver)
- Justification
- Review date
- Access removal date (if applicable)
Security Controls
Enforce Multi-Factor Authentication (MFA)
Require MFA for:
- All Store Owners
- All Admin users
- Users with billing access
- Users with API access
- Remote/external users
Enable MFA in BigCommerce:
- Go to Account Settings > Security
- Enable Require Two-Factor Authentication
- Users must set up MFA on next login
IP Allowlisting (Enterprise)
For Enterprise plans, restrict control panel logins by source IP address:
- Go to Account Settings > Security
- Configure IP Allowlist
- Add trusted IP addresses (fixed office or VPN egress addresses, not a dynamic home connection)
- Users can only log in from allowed IPs
Before saving, confirm that the address you are connected from right now is on the list; an allowlist that omits it locks out the Store Owner along with everyone else.
Use cases:
- Office-only access
- Restrict to VPN IP ranges
- Prevent unauthorized remote access
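The following is an added example (not a BigCommerce feature or the page's own code) that sanity-checks the entries you are about to paste into the allowlist: valid syntax, no range so wide it stops being an allowlist, no private or loopback addresses (a hosted control panel never sees those as a client address), and that the address you are connecting from now is covered, so saving does not lock you out. The maximum prefix widths, the sample entries and the sample "current" address are assumptions; BigCommerce's own rules for what the field accepts are not modelled.

```python
"""Sanity-check a control panel IP allowlist before saving it (added example)."""
from __future__ import annotations

import ipaddress

# Local policy, not a BigCommerce rule: flag anything wider than these prefixes.
MIN_PREFIX = {4: 24, 6: 48}


def check_allowlist(entries: list[str], current_ip: str) -> list[str]:
    """Return the problems found; an empty list means the list is safe to save."""
    problems: list[str] = []
    networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network] = []
    for raw in entries:
        try:
            # strict=False lets a bare address ("81.2.69.142") parse as a /32.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            problems.append(f"{raw!r}: not a valid IP address or CIDR range")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append(f"{net}: wider than /{MIN_PREFIX[net.version]}; this is not an allowlist")
        if net.is_private or net.is_loopback or net.is_link_local:
            problems.append(f"{net}: private/loopback range; logins arrive from public egress addresses")
        networks.append(net)

    # The lockout check: the person saving the list must still be able to log in.
    me = ipaddress.ip_address(current_ip)
    if not any(me in net for net in networks if net.version == me.version):
        problems.append(f"{me}: your current address is not covered; saving would lock you out")
    return problems


if __name__ == "__main__":
    # Constructed entries: an office range, one VPN egress address, and three mistakes.
    proposed = ["81.2.69.0/24", "81.2.69.142", "10.0.0.0/8", "0.0.0.0/0", "not-an-ip"]
    for problem in check_allowlist(proposed, current_ip="81.2.69.160"):
        print(problem)
```

Run it with the address you see on your own connection as `current_ip`; fix every reported line before touching the control panel, because the allowlist takes effect for the session that saves it as well.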
Session Management
Best practices:
- Enable Auto Logout after inactivity (30 minutes recommended)
- Review Active Sessions regularly
- Terminate suspicious sessions immediately
Configure in:
- Account Settings > Security > Session Timeout
Regular Access Reviews
Quarterly Access Audits
Review these points every 90 days:
Active Users:
- Are all users still with the company?
- Do they still need access?
- Is their role still appropriate?
Role Assignments:
- Are permissions still needed?
- Can any permissions be reduced?
- Are custom roles still relevant?
Inactive Accounts:
- Identify users who haven't logged in for 60+ days
- Remove access for terminated employees
- Disable dormant accounts
External Access:
- Review agency/contractor access
- Verify project completion dates
- Remove temporary access
Access Review Workflow
Generate User List:
- Export from Account Settings > Users
- Include: Name, email, role, last login
Review with Managers:
- Verify each user's need for access
- Document any changes
Update Permissions:
- Remove unnecessary users
- Adjust roles as needed
- Document changes
Notify Users:
- Inform users of role changes
- Provide justification
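The quarterly audit questions and the review workflow above can be run mechanically over the user export before the manager conversation. The script below is an added example, not a BigCommerce feature: it assumes a CSV with the columns the workflow asks for (name, email, role, last login) plus two columns kept in your own access register (mfa_enabled and access_removal_date), and it produces one finding per problem with the action the review should take. The export rows, the review date and the column names are constructed.

```python
"""Quarterly access-review checker over a user export (added example)."""
from __future__ import annotations

import csv
import io
from datetime import date

DORMANT_AFTER_DAYS = 60                      # the page's inactivity threshold
PRIVILEGED_ROLES = {"Store Owner", "Admin"}  # roles the page says must have MFA
REVIEW_DATE = date(2024, 4, 1)               # constructed: the day the review runs

# Constructed sample export; these are not real accounts.
SAMPLE_EXPORT = """\
name,email,role,last_login,mfa_enabled,access_removal_date
Ana Ruiz,ana@example-shop.com,Store Owner,2024-03-28,yes,
Ben Okafor,ben@example-shop.com,Admin,2024-03-30,no,
Cara Lee,cara@example-shop.com,Order Fulfillment,2024-01-15,yes,
Dev Agency,dev@agency.example,Admin,2024-03-29,yes,2024-02-28
Eli Park,eli@example-shop.com,Marketing,,yes,
"""


def _parse_date(value: str) -> date | None:
    value = value.strip()
    return date.fromisoformat(value) if value else None


def review_users(csv_text: str, today: date) -> list[dict[str, str]]:
    """One finding per problem: dormant logins, expired temporary access,
    privileged users without MFA, and invitations never accepted."""
    findings: list[dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        email, role = row["email"].strip(), row["role"].strip()
        last_login = _parse_date(row.get("last_login", ""))
        removal = _parse_date(row.get("access_removal_date", ""))
        mfa = row.get("mfa_enabled", "").strip().lower() == "yes"

        if last_login is None:
            findings.append({"email": email, "issue": "never logged in",
                             "action": "confirm the invitation is still wanted or delete the user"})
        elif (today - last_login).days > DORMANT_AFTER_DAYS:
            findings.append({"email": email, "issue": f"dormant for {(today - last_login).days} days",
                             "action": "disable the account until the manager confirms it is needed"})

        if removal is not None and removal < today:
            findings.append({"email": email, "issue": f"temporary access expired on {removal.isoformat()}",
                             "action": "remove the user now and record the removal date"})

        if role in PRIVILEGED_ROLES and not mfa:
            findings.append({"email": email, "issue": f"{role} without MFA",
                             "action": "require MFA before the next login"})
    return sorted(findings, key=lambda f: (f["email"], f["issue"]))


def privileged_users(csv_text: str) -> list[str]:
    """Emails holding Store Owner or Admin: the list a manager must sign off on."""
    return sorted(r["email"].strip() for r in csv.DictReader(io.StringIO(csv_text))
                  if r["role"].strip() in PRIVILEGED_ROLES)


if __name__ == "__main__":
    for f in review_users(SAMPLE_EXPORT, REVIEW_DATE):
        print(f"{f['email']:28} {f['issue']:42} -> {f['action']}")
    print("privileged:", ", ".join(privileged_users(SAMPLE_EXPORT)))
```

The sorted findings list doubles as the "Document any changes" record: attach it to the review, and mark each line with the decision taken and who approved it.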
API Access and Tokens
API Account Types
BigCommerce separates control panel user access from API access; API credentials are not tied to a user's login or role, so a departing employee's account removal does not revoke them.
Store-Level API Accounts:
- Created in Settings > API > Store-level API Accounts
- Used for your own scripts and integrations (marketplace apps instead receive an app-level account and a token through the OAuth install flow)
- Issue an access token limited to the scopes selected when the account is created
- Not tied to individual users, so they keep working until someone revokes them deliberately
Legacy API Credentials:
- Basic Auth credentials from older stores, usable only with the V2 API
- No scope restriction: the credentials carry broad store access
- Deprecated; do not build new integrations on them and migrate existing ones to scoped store-level accounts
API Permission Scopes
Each API account carries the OAuth scopes chosen when it is created. Scopes come in a read-only and a modify variant per resource (in BigCommerce's naming, for example store_v2_orders_read_only versus store_v2_orders), and a modify scope already includes read access, so an integration needs only one of the two.
Common Scopes:
- Products: read-only or modify
- Orders: read-only or modify
- Customers: read-only or modify
- Content: manage pages and blog
- Marketing: manage coupons and promotions
- Themes: read-only or manage
- Checkout: read-only or modify
- Carts: read-only or modify
Best Practices:
- Create separate API accounts for each integration
- Use minimum necessary scopes
- Rotate API credentials quarterly
- Store credentials in secure vault (not in code)
- Document which app uses which API account
Managing Service Accounts
Service accounts are API accounts used by automated systems:
Examples:
- ERP integration
- Inventory management system
- Custom reporting tools
- Automated email marketing
Best Practices:
- Use descriptive names ("ERP_Integration" not "API_Account_1")
- Document purpose and owner
- Set expiration dates if possible
- Monitor API usage for anomalies
- Rotate credentials on schedule
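"Document purpose and owner", "monitor API usage for anomalies" and "rotate credentials on schedule" can be enforced from one register. The script below is an added example, not BigCommerce tooling: BigCommerce does not hand merchants a per-token request log, so it assumes you log outbound API calls from the host or proxy each integration runs on, in the one-line-per-call format constructed here. It flags calls outside an account's documented purpose, writes from an account registered as read-only, credentials nobody inventoried, and credentials past the rotation interval. Account names, owners, purposes and log lines are all constructed.

```python
"""Service-account register with a misuse check over outbound API logs (added example)."""
from __future__ import annotations

import re
from datetime import date

ROTATION_DAYS = 90                               # the quarterly rotation the page asks for
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
AUDIT_DATE = date(2024, 4, 1)                    # constructed: day the audit runs

# The register: each API account, its owner, its purpose, and the API paths that
# purpose actually needs (path after the /stores/{store_hash} prefix).
SERVICE_ACCOUNTS = {
    "ERP_Integration": {
        "owner": "erp-team@example-shop.com",
        "purpose": "push stock levels and prices from the ERP",
        "allowed_paths": ("/v3/catalog/",),
        "read_only": False,
        "credentials_issued": date(2023, 11, 1),
    },
    "Reporting_ReadOnly": {
        "owner": "finance@example-shop.com",
        "purpose": "nightly order export for reporting",
        "allowed_paths": ("/v2/orders", "/v3/orders/"),
        "read_only": True,
        "credentials_issued": date(2024, 2, 15),
    },
}

# Constructed egress log: timestamp, account label, method, request path, HTTP status.
SAMPLE_LOG = """\
2024-04-01T02:00:03Z account=Reporting_ReadOnly method=GET path=/stores/abc123/v2/orders?page=1 status=200
2024-04-01T02:00:09Z account=Reporting_ReadOnly method=GET path=/stores/abc123/v3/customers status=200
2024-04-01T03:15:44Z account=ERP_Integration method=PUT path=/stores/abc123/v3/catalog/products/101 status=200
2024-04-01T03:16:02Z account=ERP_Integration method=POST path=/stores/abc123/v3/customers/attributes status=201
2024-04-01T03:20:10Z account=Reporting_ReadOnly method=DELETE path=/stores/abc123/v2/orders/5001 status=204
2024-04-01T04:01:00Z account=API_Account_1 method=GET path=/stores/abc123/v3/catalog/products status=200
"""

# Strip the /stores/{hash} prefix and any query string so paths compare cleanly.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) method=(?P<method>[A-Z]+) "
    r"path=/stores/[^/]+(?P<path>/[^?\s]*)\S* status=(?P<status>\d+)$")


def audit_log(log_text: str) -> list[tuple[str, str]]:
    """Return (account, problem) pairs for every call the register does not justify."""
    problems: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            problems.append(("<parser>", f"unparseable line: {line!r}"))
            continue
        account, method, path = m["account"], m["method"], m["path"]
        spec = SERVICE_ACCOUNTS.get(account)
        if spec is None:
            problems.append((account, "credentials not in the register"))
            continue
        if not path.startswith(spec["allowed_paths"]):
            problems.append((account, f"{method} {path} is outside its documented purpose"))
        if spec["read_only"] and method in WRITE_METHODS:
            problems.append((account, f"{method} {path} from a read-only account"))
    return problems


def rotation_due(today: date) -> list[tuple[str, int]]:
    """Accounts whose credentials are older than ROTATION_DAYS, with the age in days."""
    ages = [(name, (today - spec["credentials_issued"]).days) for name, spec in SERVICE_ACCOUNTS.items()]
    return [(name, age) for name, age in ages if age > ROTATION_DAYS]


if __name__ == "__main__":
    for account, problem in audit_log(SAMPLE_LOG):
        print(f"{account:20} {problem}")
    for account, age in rotation_due(AUDIT_DATE):
        print(f"{account:20} credentials are {age} days old; rotate")
```

A call outside the documented purpose is either a silent feature creep in the integration or a stolen token being exercised; in both cases the right reaction is the same as for a user out of role: cut the token's scopes back to the register, or revoke it.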
Role Comparison Matrix
| Permission | Store Owner | Admin | Marketing | Order Fulfillment | Product Manager | Customer Support |
|---|---|---|---|---|---|---|
| Manage Billing | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Add/Remove Users | ✓ | ✓* | ✗ | ✗ | ✗ | ✗ |
| Manage Products | ✓ | ✓ | ✗ | ✗ | ✓ | View Only |
| Manage Orders | ✓ | ✓ | ✗ | ✓ | ✗ | Limited |
| Manage Customers | ✓ | ✓ | View Only | View Only | ✗ | View Only |
| Marketing Tools | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Store Settings | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Theme/Design | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Apps | ✓ | ✓ | ✗ | ✗ | ✗ | ✗ |
| Analytics | ✓ | ✓ | ✓ | Limited | Limited | Limited |
* Admin ability to add/remove users varies by BigCommerce plan.
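The Principle of Least Privilege section and the matrix above describe the same decision: which standard role covers a person's tasks with the smallest surplus, and when only a custom role avoids over-granting. The script below is an added example (not BigCommerce code) that encodes the matrix as data and makes that decision mechanically. It assumes the Admin's plan-dependent user management is granted, treats "View Only" and "Limited" alike as a view level, and leaves the Store Owner out of the candidates because ownership is never delegated.

```python
"""Least-privilege role picker built on the Role Comparison Matrix (added example)."""
from __future__ import annotations

# Permission levels, ordered so a higher level satisfies a lower one.
NONE, VIEW, FULL = 0, 1, 2
LEVEL_NAME = {NONE: "no access", VIEW: "view only", FULL: "manage"}

COLUMNS = ("billing", "users", "products", "orders", "customers",
           "marketing", "settings", "theme", "apps", "analytics")


def _row(*levels: int) -> dict[str, int]:
    return dict(zip(COLUMNS, levels))


# Transcribed from the matrix: ✓ = FULL, View Only/Limited = VIEW, ✗ = NONE.
# Admin's plan-dependent user management (✓*) is assumed granted here.
ROLE_MATRIX: dict[str, dict[str, int]] = {
    "Store Owner":       _row(FULL, FULL, FULL, FULL, FULL, FULL, FULL, FULL, FULL, FULL),
    "Admin":             _row(NONE, FULL, FULL, FULL, FULL, FULL, FULL, FULL, FULL, FULL),
    "Marketing":         _row(NONE, NONE, NONE, NONE, VIEW, FULL, NONE, NONE, NONE, FULL),
    "Order Fulfillment": _row(NONE, NONE, NONE, FULL, VIEW, NONE, NONE, NONE, NONE, VIEW),
    "Product Manager":   _row(NONE, NONE, FULL, NONE, NONE, NONE, NONE, NONE, NONE, VIEW),
    "Customer Support":  _row(NONE, NONE, VIEW, VIEW, VIEW, NONE, NONE, NONE, NONE, VIEW),
}


def _check(required: dict[str, int]) -> None:
    unknown = set(required) - set(COLUMNS)
    if unknown:
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")


def satisfies(role: str, required: dict[str, int]) -> bool:
    """True if the role grants at least the requested level of every permission."""
    granted = ROLE_MATRIX[role]
    return all(granted[p] >= lvl for p, lvl in required.items())


def excess(role: str, required: dict[str, int]) -> dict[str, int]:
    """What the role grants beyond the request: the surplus you accept by using
    a standard role instead of a custom one."""
    granted = ROLE_MATRIX[role]
    return {p: lvl for p, lvl in granted.items() if lvl > required.get(p, NONE)}


def pick_role(required: dict[str, int]) -> tuple[str | None, dict[str, int]]:
    """Standard role (Store Owner excluded) covering `required` with the least
    surplus; (None, {}) when only the Store Owner holds what was asked for."""
    _check(required)
    candidates = [r for r in ROLE_MATRIX if r != "Store Owner" and satisfies(r, required)]
    if not candidates:
        return None, {}
    # Rank by total surplus privilege; the role name is a deterministic tie-break.
    best = min(candidates, key=lambda r: (sum(excess(r, required).values()), r))
    return best, excess(best, required)


def recommend(required: dict[str, int], custom_roles_available: bool) -> str:
    role, extra = pick_role(required)
    if role is None:
        return "Only the Store Owner holds these permissions; do not delegate them."
    if not extra:
        return f"Assign '{role}'; it matches the request exactly."
    listed = ", ".join(f"{p}: {LEVEL_NAME[lvl]}" for p, lvl in sorted(extra.items()))
    if custom_roles_available:
        wanted = ", ".join(f"{p}: {LEVEL_NAME[lvl]}" for p, lvl in sorted(required.items()))
        return (f"Create a custom role with only [{wanted}]; the closest standard role "
                f"'{role}' would also grant [{listed}].")
    return f"Assign '{role}' and document the surplus access for quarterly review: [{listed}]."


if __name__ == "__main__":
    # The "Bad" example above: someone who only needs to create coupons.
    print(recommend({"marketing": FULL}, custom_roles_available=True))
    # Warehouse staff from the least-privilege examples, on a plan without custom roles.
    print(recommend({"orders": FULL}, custom_roles_available=False))
    # Billing can never be delegated.
    print(recommend({"billing": FULL}, custom_roles_available=True))
```

The surplus it reports for a standard role is exactly what belongs in the "Justification" column of the access register: the reviewer can then decide each quarter whether that surplus is still acceptable or whether a custom role should replace it.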
Common Role Scenarios
Scenario 1: Agency Managing Client Store
Setup:
- Client: Store Owner (retains ownership and billing)
- Agency Lead: Admin (for store management)
- Agency Developer: Custom role (theme editing, apps, no customer data)
- Agency Support: Customer Support (for ongoing support)
Best Practices:
- Time-limit agency access to project duration
- Remove agency access post-launch or transition to support-only
- Document all agency user accounts
Scenario 2: Growing Retail Business
Setup:
- Owner: Store Owner (primary stakeholder)
- Store Manager: Admin (daily operations)
- Merchandising Team: Product Manager (catalog management)
- Warehouse: Order Fulfillment (shipping and fulfillment)
- Marketing Lead: Marketing (campaigns and promotions)
- Customer Service: Customer Support (tickets and inquiries)
Scenario 3: Enterprise Multi-Store
Setup:
- Corporate IT: Store Owner (technical oversight)
- Brand Manager: Admin (brand-specific store management)
- Shared Services:
- Fulfillment Center: Order Fulfillment (across all stores)
- Content Team: Custom role (product data, limited to specific categories)
- Marketing Team: Marketing (shared campaigns)
Considerations:
- Use consistent role naming across stores
- Document cross-store access
- Centralize user access management
Troubleshooting Access Issues
User Cannot Log In
Possible Causes:
- Account not yet created or invitation not accepted
- MFA not configured
- IP allowlist blocking access (Enterprise)
- Account disabled
Solutions:
- Resend invitation
- Reset MFA
- Add user's IP to allowlist
- Check user status in Account Settings > Users
User Missing Expected Permissions
Possible Causes:
- Incorrect role assigned
- Custom role doesn't have needed permissions
- BigCommerce plan doesn't support feature
Solutions:
- Verify role assignment
- Review custom role permissions
- Upgrade plan if necessary
API Access Not Working
Possible Causes:
- API account disabled
- Scopes don't match required permissions
- Credentials expired or revoked
- Rate limit exceeded
Solutions:
- Verify API account status
- Check OAuth scopes
- Regenerate credentials
- Review API usage logs
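The scope best practices and the "API Access Not Working" checklist above map onto a small helper set. The following is an added example, not BigCommerce tooling: it computes the smallest scope set for an integration's needs (so "minimum necessary scopes" is a function, not a judgement call), reports scopes a token carries beyond those needs, reads the token from the environment rather than source, and turns a first failing response into a diagnosis. Scope identifiers follow the store_v2_*/store_* names BigCommerce lists when creating an API account; confirm them against that page, since the list is maintained by BigCommerce. The rate-limit header names are the X-Rate-Limit-* headers BigCommerce returns; the status-code mapping reflects the usual meaning of 401/403/404/429 and should be confirmed against the error body; the sample responses are constructed.

```python
"""Scope planning and first-response triage for a BigCommerce API account (added example)."""
from __future__ import annotations

import os

# (read-only scope, modify scope) per resource; the modify scope includes read.
SCOPE_FAMILIES = {
    "products":  ("store_v2_products_read_only",  "store_v2_products"),
    "orders":    ("store_v2_orders_read_only",    "store_v2_orders"),
    "customers": ("store_v2_customers_read_only", "store_v2_customers"),
    "content":   ("store_v2_content_read_only",   "store_v2_content"),
    "marketing": ("store_v2_marketing_read_only", "store_v2_marketing"),
    "themes":    ("store_themes_read_only",        "store_themes_manage"),
    "checkout":  ("store_checkout_read_only",      "store_checkout"),
    "carts":     ("store_cart_read_only",          "store_cart"),
}


def required_scopes(needs: dict[str, str]) -> list[str]:
    """Smallest scope set for a map of resource -> 'read' | 'modify'."""
    scopes: set[str] = set()
    for resource, level in needs.items():
        read_only, modify = SCOPE_FAMILIES[resource]
        if level == "read":
            scopes.add(read_only)
        elif level == "modify":
            scopes.add(modify)
        else:
            raise ValueError(f"{resource}: level must be 'read' or 'modify', got {level!r}")
    return sorted(scopes)


def surplus_scopes(granted: list[str], needs: dict[str, str]) -> list[str]:
    """Scopes on the token that the integration's needs do not justify: a modify
    scope where read was enough, or a resource the integration never touches."""
    justified = set(required_scopes(needs))
    return sorted(s for s in granted if s not in justified)


def auth_headers() -> dict[str, str]:
    """The token comes from the environment (or the vault's injector), never from source."""
    token = os.environ.get("BC_ACCESS_TOKEN")
    if not token:
        raise RuntimeError("BC_ACCESS_TOKEN is not set; load it from the vault first")
    return {"X-Auth-Token": token, "Accept": "application/json"}


def diagnose(status: int, headers: dict[str, str]) -> tuple[str, str, int]:
    """Map a response to (category, what to do next, milliseconds to wait)."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if status == 401:
        return ("auth", "token invalid or revoked: check the account status, then regenerate", 0)
    if status == 403:
        return ("scope", "token lacks a scope for this endpoint: compare required_scopes() with the account", 0)
    if status == 404:
        return ("route", "wrong store hash or API version in the URL", 0)
    if status == 429:
        wait = int(h.get("x-rate-limit-time-reset-ms", "0"))
        return ("rate", f"quota exhausted; sleep {wait} ms before retrying", wait)
    if 200 <= status < 300:
        left = h.get("x-rate-limit-requests-left")
        return ("ok", f"{left} requests left in the current window" if left else "ok", 0)
    return ("other", f"unexpected HTTP {status}", 0)


if __name__ == "__main__":
    needs = {"orders": "read", "products": "modify"}      # a stock-sync job that also reads orders
    print("request these scopes:", required_scopes(needs))
    token_scopes = ["store_v2_orders", "store_v2_products", "store_v2_customers_read_only"]
    print("surplus on the token:", surplus_scopes(token_scopes, needs))
    # Constructed responses standing in for real API replies.
    for status, hdrs in [(403, {}), (429, {"X-Rate-Limit-Time-Reset-Ms": "15000"}),
                         (200, {"X-Rate-Limit-Requests-Left": "148"})]:
        print(status, diagnose(status, hdrs))
```

Wire `diagnose` into the integration's retry loop so that a 429 sleeps for the server-stated reset interval instead of hammering the endpoint, and so that a 401 or 403 stops the job and raises an alert rather than retrying: a scope or credential problem never fixes itself, and repeated failures look like an attack in the store's logs.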