Manage PrestaShop employee accounts securely and efficiently throughout the entire user lifecycle from onboarding to offboarding.
Adding New Employees
Before Creating an Account
Preparation Checklist:
- Job Role Defined: Understand employee's responsibilities
- Profile Selected: Choose appropriate permission profile
- Shop Access Determined: Which shops should they access (multi-store)
- Manager Approval: Document approval for account creation
- Security Requirements: 2FA enabled, password policy reviewed
- Email Address: Valid business email for account
Step-by-Step Account Creation
Navigate to Employee Management:
Back Office > Team > Employees > Add new employee
1. Employee Information:
First Name: John
Last Name: Doe
Email address: john.doe@yourcompany.com
This email will be the login username
2. Password Configuration:
Password: [Generate strong password]
Requirements:
- Minimum 8 characters
- Mix of uppercase and lowercase
- Include numbers
- Include special characters
Example: Ps#2024Store!
☑ Generate Password button - Creates random secure password
☑ Show Password - Verify password entered correctly
Password Best Practices:
- Use password generator for strong passwords
- Never reuse passwords across employees
- Change default passwords immediately
- Store securely (password manager)
- Don't send password via email (use secure channel)
3. Profile Assignment:
Permission profile: [Select appropriate profile]
Common selections:
- SuperAdmin (only for owners/lead admins)
- Administrator (store managers)
- Salesman (customer service)
- Custom profiles (see Roles & Permissions guide)
4. Shop Association (Multi-Store):
Shop association:
☑ Main Store
☐ Brand Store 2
☑ Regional Store 3
Select all shops employee should access
Or check "Select all" for full access
5. Employee Settings:
Language: English (or employee's preferred language)
Default page: [Select page employee sees after login]
- Dashboard (most common)
- Orders
- Customers
- Products
Status:
☑ Enabled (account is active)
☐ Disabled (account disabled - use for temporary suspension)
6. Optional Settings:
Avatar: Upload employee photo (helps identify in logs)
Notes: Internal notes about employee
Example: "Temporary seasonal staff - contract ends Dec 31, 2024"
7. Save Employee:
Click Save to create account.
Communicating Login Credentials
Secure Credential Delivery:
Option 1: In-Person (Most Secure)
1. Create account with temporary password
2. Meet employee in person
3. Provide credentials on paper
4. Have employee log in immediately
5. Force password change on first login
6. Destroy paper with credentials
Option 2: Encrypted Email
1. Send username via regular email
2. Send password via encrypted email (ProtonMail, etc.)
OR
Send password via SMS/phone call
3. Require password change on first login
Option 3: Password Reset Link
1. Create account with random password (don't share)
2. Use "Forgot Password" feature
3. Send reset link to employee's email
4. Employee sets own password
Never:
- Send username and password in same email
- Send credentials via unencrypted channels
- Share credentials in Slack/Teams messages
- Write credentials in shared documents
First Login Checklist
Employee's First Access:
## Welcome to PrestaShop Back Office
Your account has been created:
- Username: john.doe@yourcompany.com
- Temporary Password: [provided separately]
First Login Steps:
1. Navigate to: https://yourstore.com/admin-folder
2. Enter your username and temporary password
3. You will be prompted to change your password
4. Choose a strong, unique password
5. (Optional) Set up 2FA if enabled
6. Verify you can access expected sections
7. Complete any required training
Need Help?
Contact: admin@yourcompany.com
Onboarding Documentation
Provide New Employee:
Access Information:
Back Office URL: https://yourstore.com/admin123
Username: john.doe@yourcompany.com
Profile: Salesman
Shops: Main Store, Regional Store 3
Permission Summary:
You can:
- View and process orders
- View customer information
- Update order statuses
- View product catalog
You cannot:
- Modify product prices
- Add/remove products
- Access system settings
- Manage other employees
Support Contacts:
Technical Issues: it@yourcompany.com
Permission Questions: admin@yourcompany.com
Training Materials: [link to documentation]
Managing Existing Employees
Updating Employee Information
Edit Employee:
Back Office > Team > Employees > Click employee name
Common Updates:
1. Change Profile (Role Change):
Scenario: Customer service rep promoted to team lead
Old Profile: Salesman
New Profile: Administrator
Steps:
1. Edit employee
2. Change "Permission profile" to Administrator
3. Save
4. Notify employee of new access
5. Document change in notes
2. Modify Shop Access:
Scenario: Marketing coordinator now managing additional store
Current: Main Store only
New: Main Store + Brand Store 2
Steps:
1. Edit employee
2. Check additional shops in "Shop association"
3. Save
4. Clear cache if employee already logged in
3. Change Email/Username:
Note: Email is the username in PrestaShop
Steps:
1. Edit employee
2. Change "Email address"
3. Save
4. Notify employee of new username
5. Old email will no longer work for login
4. Temporarily Disable Account:
Scenario: Employee on extended leave
Instead of deleting:
1. Edit employee
2. Uncheck "Enabled" under Status
3. Add note: "Disabled [date] - Extended leave until [date]"
4. Save
To re-enable:
1. Edit employee
2. Check "Enabled"
3. Employee can log in again
Password Management
Reset Employee Password:
Method 1: Admin Reset
Back Office > Team > Employees > Edit employee
1. Enter new password in "Password" field
2. Click "Generate Password" for random secure password
3. Save
4. Securely communicate new password to employee
5. Require password change on next login
Method 2: Self-Service Reset
Employee can reset their own password:
1. Go to login page
2. Click "Forgot your password?"
3. Enter email address
4. Receive reset link via email
5. Set new password
Force Password Change:
PrestaShop doesn't have built-in "force password change on next login"
Workaround:
1. Reset password to random value
2. Don't tell employee the password
3. Have them use "Forgot Password" to set their own
Monitoring Employee Activity
View Login History:
Back Office > Advanced Parameters > Logs
Filter by:
- Employee name
- Date range
- Action type
Shows:
- Login times
- IP addresses
- Actions taken
- Errors encountered
Audit Employee Actions:
Back Office > Advanced Parameters > Logs > Filter
Check for:
- Order modifications
- Product changes
- Price updates
- Customer data access
- Configuration changes
- Module installations
- Data exports
Unusual Activity Indicators:
- Logins from new locations
- Off-hours access (3 AM, weekends)
- Multiple failed login attempts
- Mass data exports
- Unusual deletion activity
- Permission/configuration changes
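Three of the indicators above (off-hours access, repeated failed logins, logins from a new address) can be checked mechanically against an exported log. The following is an added example, not part of PrestaShop or of the original guide; the CSV column names, the action labels, the business-hours window and the failure threshold are assumptions to adapt to your own export and policy.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of an exported log; the column names are assumptions.
SAMPLE_EXPORT = """employee,timestamp,ip,action
jane.smith@company.com,2024-06-03 09:12:00,203.0.113.10,login_ok
jane.smith@company.com,2024-06-04 09:05:00,203.0.113.10,login_ok
jane.smith@company.com,2024-06-05 03:07:00,198.51.100.77,login_ok
john.doe@company.com,2024-06-05 10:00:00,203.0.113.11,login_failed
john.doe@company.com,2024-06-05 10:00:20,203.0.113.11,login_failed
john.doe@company.com,2024-06-05 10:00:41,203.0.113.11,login_failed
john.doe@company.com,2024-06-05 10:02:00,203.0.113.11,login_ok
"""

WORK_HOURS = range(7, 20)   # 07:00-19:59 counts as business hours (assumed policy)
FAILED_THRESHOLD = 3        # failed logins per employee per day (assumed policy)


def find_unusual_activity(export_text):
    """Return sorted (employee, indicator, detail) tuples for the review queue."""
    findings = set()
    seen_ips = defaultdict(set)     # employee -> IPs seen on earlier logins
    failures = defaultdict(int)     # (employee, date) -> failed-login count
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: r["timestamp"])
    for row in rows:
        who, ip = row["employee"], row["ip"]
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        if row["action"] == "login_failed":
            failures[(who, when.date())] += 1
            if failures[(who, when.date())] == FAILED_THRESHOLD:
                findings.add((who, "failed_logins", str(when.date())))
        elif row["action"] == "login_ok":
            if when.hour not in WORK_HOURS or when.weekday() >= 5:
                findings.add((who, "off_hours", row["timestamp"]))
            # The first IP seen for an employee is the baseline, not an alert.
            if seen_ips[who] and ip not in seen_ips[who]:
                findings.add((who, "new_ip", ip))
            seen_ips[who].add(ip)
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_unusual_activity(SAMPLE_EXPORT):
        print(*finding, sep="\t")
```

Each finding is a prompt for review, not proof of misuse: a new address is often just an employee working remotely.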
Removing Employees (Offboarding)
Before Removing an Account
Offboarding Checklist:
- Manager Approval: Confirm termination authorized
- Data Transfer: Reassign open tasks/orders
- Documentation: Identify employee's responsibilities
- Knowledge Transfer: Ensure handoff to other team members
- Asset Return: Retrieve any physical/digital assets
- Export Activity Logs: Save employee's action history
- Review Access: Check what they had access to
Account Deactivation Process
Step 1: Disable Account Immediately
Back Office > Team > Employees > Edit employee
Actions:
1. Uncheck "Enabled" status
2. Add note: "Disabled [date] - Employee terminated"
3. Save
Result: Employee cannot log in immediately
Why disable before delete?
- Immediate access revocation
- Maintain audit trail temporarily
- Allow time for data review
- Reversible if mistake made
Step 2: Review and Transfer Ownership
Check Employee's Data:
Orders:
Back Office > Orders > Orders
Filter: Last modified by [employee]
Review:
- Pending orders
- Orders in progress
- Recent modifications
- Customer communications
Reassign: Update employee responsible if needed
Customer Accounts:
Back Office > Customers > Customers
Filter: Managed by [employee] (if feature enabled)
Reassign: Transfer to active employee
Content/Products:
Check for:
- Draft products
- Pending content
- Scheduled tasks
- Custom modules/configurations
Transfer: Document and reassign to appropriate team member
Step 3: Export Employee's Activity Log
Back Office > Advanced Parameters > Logs
Filter by:
- Employee: [departing employee]
- Date range: [employment period]
Actions:
1. Apply filter
2. Export logs (CSV format)
3. Save securely for compliance
4. Retention: Keep per company policy (typically 1-7 years)
Step 4: Delete Employee Account
After waiting period (recommended: 30-90 days):
Back Office > Team > Employees
1. Find disabled employee
2. Click dropdown arrow > Delete
3. Confirm deletion
Warning: This action is permanent
Or via SQL (if needed):
-- Backup first!
-- Only if absolutely necessary
-- Find employee ID
SELECT id_employee, firstname, lastname, email, active
FROM ps_employee
WHERE email = 'former.employee@company.com';
-- Delete employee (a raw DELETE bypasses PrestaShop's own cleanup; rows in related tables such as ps_employee_shop are not removed automatically)
DELETE FROM ps_employee WHERE id_employee = 123;
Alternative: Long-Term Deactivation
Instead of deletion, keep account disabled:
When to Keep:
- Legal/compliance requirements
- Audit trail preservation
- Potential rehire
- Complex permission history
- Multi-store considerations
How to Manage:
1. Disable account (don't delete)
2. Change email to: terminated.[date].[original-email]
3. Set profile to lowest level (or create "Deactivated" profile with zero permissions)
4. Clear shop associations
5. Add note: "TERMINATED [date] - Keep for audit purposes"
6. Regular review: Quarterly check if can be deleted
Bulk User Management
Adding Multiple Employees
Scenario: Onboarding seasonal team (10+ employees)
Option 1: Import via CSV (Custom Module)
firstname,lastname,email,profile,shop_ids,password
John,Doe,john.doe@company.com,Salesman,"1,3",TempPass123!
Jane,Smith,jane.smith@company.com,Salesman,"1,3",TempPass456!
Option 2: SQL Script (Advanced)
-- Backup database first!
-- Use prepared script with secure password hashing
-- Example structure (don't use directly - passwords must be hashed)
INSERT INTO ps_employee (id_profile, lastname, firstname, email, passwd, active)
VALUES
(4, 'Doe', 'John', 'john.doe@company.com', MD5('password_here'), 1);
-- Note: PrestaShop uses more complex hashing - this is example only
Option 3: Programmatic via PrestaShop API
<?php
// Custom module or standalone script (run from the shop root)
require_once('config/config.inc.php');
$employees_to_add = [
    ['John', 'Doe', 'john.doe@company.com', 4], // Profile ID 4 = Salesman
    ['Jane', 'Smith', 'jane.smith@company.com', 4],
    // ... more employees
];
foreach ($employees_to_add as $emp) {
    $employee = new Employee();
    $employee->firstname = $emp[0];
    $employee->lastname = $emp[1];
    $employee->email = $emp[2];
    $employee->id_profile = $emp[3];
    // id_lang is a required Employee field; use the shop default language
    $employee->id_lang = (int) Configuration::get('PS_LANG_DEFAULT');
    // Unique random password per account, never shared: the employee
    // sets their own through "Forgot Password"
    $employee->passwd = Tools::hash(Tools::passwdGen(16));
    $employee->active = 1;
    if ($employee->add()) {
        echo "Added: {$emp[1]}, {$emp[0]}\n";
    } else {
        echo "Failed: {$emp[1]}, {$emp[0]}\n";
    }
}
Removing Multiple Employees
Scenario: End of season, removing temporary staff
Process:
Generate List:
Back Office > Team > Employees
Export current employee list
Identify employees to remove
Bulk Disable:
-- Disable multiple employees at once
UPDATE ps_employee
SET active = 0
WHERE email IN (
    'temp1@company.com',
    'temp2@company.com',
    'temp3@company.com'
);
Audit Period:
Wait 30-90 days with accounts disabled
Review logs for each
Export activity history
Bulk Delete:
-- After audit period
DELETE FROM ps_employee
WHERE email IN (
    'temp1@company.com',
    'temp2@company.com',
    'temp3@company.com'
);
Security Best Practices
Account Creation Security
Strong Password Policy:
Requirements:
- Minimum 12 characters
- Mix of uppercase, lowercase, numbers, symbols
- No dictionary words
- No personal information
- Unique per employee
- Changed every 90 days (optional)
Enforcement:
- Use password generator
- Document policy in employee handbook
- Regular audits
Two-Factor Authentication (2FA):
If supported by PrestaShop version or module:
1. Enable 2FA in settings
2. Require for all employees (or SuperAdmins minimum)
3. Support authenticator apps (Google Authenticator, Authy)
4. Provide backup codes
5. Document recovery process
IP Whitelisting (Optional):
Restrict admin access to known IPs:
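.htaccess in admin folder:
<Files "index.php">
    # Apache 2.2-style directives; Apache 2.4 needs mod_access_compat for these.
    # Comments must sit on their own line, not after a directive.
    Order Deny,Allow
    Deny from all
    # Office IP range
    Allow from 203.0.113.0/24
    # VPN IP
    Allow from 198.51.100.50
</Files>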
Update when employees work remotely
Account Management Security
Regular Audits:
Monthly:
- [ ] Review active employee list
- [ ] Verify all accounts still needed
- [ ] Check for accounts without recent activity
- [ ] Review permission levels
- [ ] Check for shared accounts (not allowed!)
Quarterly:
- [ ] Force password resets (optional)
- [ ] Review SuperAdmin accounts
- [ ] Audit employee activity logs
- [ ] Update security documentation
Access Reviews:
When to Review Access:
- Employee changes roles
- Every 6 months (minimum)
- After security incident
- Before audit/compliance review
- After organizational changes
Review Questions:
- Does employee still need access?
- Is permission level still appropriate?
- Any unusual activity?
- Any policy violations?
Separation of Duties:
Critical Separations:
- Account creator ≠ Permission assigner
- Employee manager ≠ Self (can't manage own account)
- Security auditor ≠ System administrator
Implementation:
- At least 2 SuperAdmins
- One for operations, one for oversight
- Regular cross-verification
Compliance and Documentation
Employee Access Registry
Maintain Current Record:
# Employee Access Registry
## Active Employees
| Name | Email | Profile | Shops | Start Date | Last Review |
|------|-------|---------|-------|------------|-------------|
| John Doe | john@co.com | Admin | All | 2023-01-15 | 2024-06-01 |
| Jane Smith | jane@co.com | Salesman | 1,3 | 2024-03-20 | 2024-06-01 |
## Recently Disabled
| Name | Email | Disabled Date | Reason | Delete After |
|------|-------|---------------|--------|--------------|
| Bob Jones | bob@co.com | 2024-05-15 | Terminated | 2024-07-15 |
## Change Log
| Date | Employee | Change | Approver |
|------|----------|--------|----------|
| 2024-06-15 | Jane Smith | Added shop 3 access | Admin |
| 2024-05-15 | Bob Jones | Account disabled | HR Manager |
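A registry in this layout can be checked automatically for overdue work. The following is an added example, not part of the original guide: it parses the tables shown above and flags active accounts whose last review is older than the six-month minimum, plus disabled accounts whose "Delete After" date has passed. The 183-day interval and the function names are assumptions.

```python
from datetime import date

# Constructed registry in the page's own table layout.
REGISTRY = """\
## Active Employees
| Name | Email | Profile | Shops | Start Date | Last Review |
|------|-------|---------|-------|------------|-------------|
| John Doe | john@co.com | Admin | All | 2023-01-15 | 2024-06-01 |
| Jane Smith | jane@co.com | Salesman | 1,3 | 2024-03-20 | 2024-06-01 |
## Recently Disabled
| Name | Email | Disabled Date | Reason | Delete After |
|------|-------|---------------|--------|--------------|
| Bob Jones | bob@co.com | 2024-05-15 | Terminated | 2024-07-15 |
"""

REVIEW_INTERVAL_DAYS = 183  # "every 6 months (minimum)", as a day count (assumed)


def parse_sections(text):
    """Return {section title: [row dict, ...]} for each markdown table."""
    sections, title, header = {}, None, None
    for line in text.splitlines():
        if line.startswith("## "):
            title, header = line[3:].strip(), None
            sections[title] = []
        elif line.startswith("|") and title is not None:
            cells = [c.strip() for c in line.strip().strip("|").split("|")]
            if header is None:
                header = cells
            elif not set("".join(cells)) <= set("-: "):   # skip |---| separator
                sections[title].append(dict(zip(header, cells)))
    return sections


def registry_findings(text, today):
    """List (email, issue) pairs that need action as of `today`."""
    sections = parse_sections(text)
    out = []
    for row in sections.get("Active Employees", []):
        age = (today - date.fromisoformat(row["Last Review"])).days
        if age > REVIEW_INTERVAL_DAYS:
            out.append((row["Email"], f"access review overdue ({age} days)"))
    for row in sections.get("Recently Disabled", []):
        if today >= date.fromisoformat(row["Delete After"]):
            out.append((row["Email"], "past Delete After date, still listed"))
    return out
```

Run it with `date.today()` as part of the monthly audit so overdue reviews and undeleted accounts surface without a manual read of the registry.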
Audit Trail Requirements
Maintain Records:
Employee Account Creation:
- Date/time created
- Created by (administrator)
- Approval documentation
- Initial permission level
- Shop access assigned
Account Modifications:
- Date/time of change
- Changed by (administrator)
- What was changed
- Reason for change
- Approval (if required)
Account Deletion:
- Date/time deleted
- Deleted by (administrator)
- Reason for removal
- Activity logs exported
- Data transfer documented
GDPR Considerations
Employee Data Privacy:
Collect Only:
- Name, email (required)
- Job title/role
- Photo (optional, with consent)
Don't Collect:
- Personal phone numbers (unless necessary)
- Home address (unless necessary)
- Other personal information
Retention:
- Active employees: As needed
- Former employees: Per local law (typically 3-7 years)
- Delete when no longer required
Employee Rights:
- Access their own data
- Request corrections
- Request deletion (after retention period)
Troubleshooting
Can't Create Employee
Check:
Email Already Exists:
Error: "This email address is already used"
Solution: Search existing employees, may be disabled account
Either delete old account or use different email
Permission Denied:
Error: "You do not have permission to add employees"
Solution: Verify your profile has "Add" permission for Employees section
Invalid Email Format:
Error: "Invalid email address"
Solution: Use proper email format: user@domain.com
No spaces, special characters in wrong places
Employee Can't Log In
Troubleshoot:
Account Disabled:
Check: Back Office > Team > Employees > Edit employee
Verify: "Enabled" is checked
Wrong Password:
Solution: Reset password via "Forgot Password" link
Or admin can reset in employee settings
Wrong Admin URL:
Verify: Employee using correct admin URL
May be: /admin, /admin123, /backoffice, etc.
Find in: .htaccess or config files
IP Blocked:
Check: .htaccess IP restrictions
Verify: Employee IP is whitelisted
Cache Issue:
Solution: Clear PrestaShop cache
Back Office > Advanced Parameters > Performance > Clear cache
Next Steps
- Roles and Permissions - Configure employee profiles
- User Management Overview - User management best practices
- Troubleshooting - PrestaShop troubleshooting