Configure granular access control for your PrestaShop team members using employee profiles, permissions, and role-based restrictions to maintain security and operational efficiency.
PrestaShop Permission System Overview
PrestaShop uses a profile-based permission system that controls access to Back Office features and functionality.
Key Concepts
Employee:
- Individual user account with login credentials
- Assigned to one profile (role)
- Can be assigned to specific shops in multi-store setup
Profile:
- Collection of permissions (role template)
- Defines what sections of Back Office are accessible
- Controls View, Add, Edit, Delete permissions per section
Permission Levels:
- View: See information but cannot modify
- Add: Create new entries
- Edit: Modify existing entries
- Delete: Remove entries
- None: Not a level of its own; a section with no View box ticked is simply hidden from the profile
Levels apply per menu section, not per field: Edit on Products covers every product field, including price and stock. Modules use a separate set of levels (View, Configure, Uninstall) on the Module permissions tab.
Default PrestaShop Profiles
SuperAdmin Profile
Access Level: Full, unrestricted access. The permission matrix is not applied to this profile and cannot be edited for it, so the only control is who holds it.
Capabilities:
- Access all Back Office sections
- Manage all stores in multi-store setup
- Configure system settings
- Add/remove employees
- Modify any content
- Access server configuration
- Manage modules and themes
Use Cases:
- Store owner
- Technical administrator
- Development team lead
Security Considerations:
- Limit number of SuperAdmin accounts (1-2 maximum)
- Use strong passwords and 2FA (the core ships no 2FA; it needs a module or an authenticating reverse proxy in front of the admin directory)
- Restrict to trusted individuals only
- Audit SuperAdmin actions regularly (Advanced Parameters > Logs, filtered by employee)
Logistician Profile (the default "administrator" role)
Access Level: Near-full access except system configuration
Capabilities:
- Manage products, categories, inventory
- Process orders and manage customers
- Configure shipping and payments
- Manage store content (CMS pages)
- View reports and analytics
- Cannot: Change system settings, manage employees
Use Cases:
- Store manager
- Operations manager
- Senior team members
Typical Permissions:
Orders: View, Add, Edit, Delete
Customers: View, Add, Edit, Delete
Products: View, Add, Edit, Delete
Catalog: View, Add, Edit, Delete
Stats: View
Employees: None
Preferences: None
Advanced Parameters: None
Translator Profile
Access Level: Translation and content only
Capabilities:
- Translate product descriptions
- Translate category names
- Translate CMS pages
- Translate module strings
- Cannot: Modify prices, inventory, orders
Use Cases:
- Translation team
- Content writers
- Localization specialists
Typical Permissions:
Products: View, Edit
Categories: View, Edit
CMS: View, Edit
Translations: View, Edit (needed for module and theme strings)
Other sections: None
Caveat: PrestaShop cannot limit Edit to translated fields. A translator with Edit on Products can also change prices and stock, so either accept that risk or have catalog staff key in the translated text.
Salesman Profile
Access Level: Order and customer management
Capabilities:
- View and process orders
- View customer information
- Update order statuses
- Process refunds
- Cannot: Modify catalog, pricing, system settings
Use Cases:
- Customer service representatives
- Order fulfillment team
- Sales support
Typical Permissions:
Orders: View, Edit
Customers: View, Edit
Stats: View
Cart Rules: View
Products: View only
Everything else: None
Accessing Permission Settings
Navigate to Permissions
Back Office > Team > Permissions
- Pick a profile in the left-hand list (SuperAdmin is not editable)
- Menu permissions tab: View, Add, Edit, Delete per menu item
- Module permissions tab: View, Configure, Uninstall per module
Profiles themselves are created and renamed under Team > Profiles.
Understanding Permission Matrix
PrestaShop shows a grid of sections vs. permission types:
Section | View | Add | Edit | Delete
-----------------+------+-----+------+--------
Orders | ✓ | ✓ | ✓ | ✓
Customers | ✓ | - | ✓ | -
Products | ✓ | ✓ | ✓ | ✓
Employees | - | - | - | -
Creating Custom Profiles
Step-by-Step Profile Creation
1. Create New Profile:
Back Office > Team > Profiles > Add new profile
Name: Content Manager
2. Configure Permissions:
For Content Manager Example:
Catalog Management:
Products: View ✓, Add ✓, Edit ✓, Delete ✓
Categories: View ✓, Add ✓, Edit ✓, Delete ✓
Attributes: View ✓, Add ✓, Edit ✓, Delete -
Features: View ✓, Add ✓, Edit ✓, Delete -
Manufacturers: View ✓, Add ✓, Edit ✓, Delete -
Suppliers: View ✓, Add -, Edit -, Delete -
Orders (Read-only for reference):
Orders: View ✓, Add -, Edit -, Delete -
Customers: View ✓, Add -, Edit -, Delete -
Design & Content:
CMS Pages: View ✓, Add ✓, Edit ✓, Delete ✓
Image Settings: View ✓, Add -, Edit ✓, Delete -
No Access:
Employees: All disabled
Preferences: All disabled
Advanced Parameters: All disabled
Modules: All disabled
Payment: All disabled
Shipping: All disabled
3. Save Profile:
Click "Save" to create profile.
4. Assign to Employees:
Back Office > Team > Employees > Add new employee
or
Edit existing employee > Profile: Select "Content Manager"
Common Custom Profile Examples
Marketing Manager Profile
Purpose: Manage promotions, marketing content, analytics
Permissions:
Cart Rules (Promotions): View ✓, Add ✓, Edit ✓, Delete ✓
Catalog Price Rules: View ✓, Add ✓, Edit ✓, Delete ✓
CMS Pages: View ✓, Add ✓, Edit ✓, Delete ✓
Products: View ✓, Add -, Edit ✓, Delete - (Edit covers every product field, price included; there is no description-only right)
Stats: View ✓, Add -, Edit -, Delete -
Customers: View ✓, Add -, Edit -, Delete -
Orders: View ✓, Add -, Edit -, Delete -
Modules: View ✓ and Configure ✓ on the marketing modules only, set per module on the Module permissions tab; no Uninstall
Everything else: None
Inventory Manager Profile
Purpose: Manage stock levels, suppliers, warehouses
Permissions:
Products: View ✓, Add -, Edit ✓, Delete - (Edit also allows price changes; if stock is all that is needed, grant Stock below and leave Products at View)
Stock: View ✓, Add ✓, Edit ✓, Delete ✓
Suppliers: View ✓, Add ✓, Edit ✓, Delete ✓
Warehouses: View ✓, Add ✓, Edit ✓, Delete ✓
Supply Orders: View ✓, Add ✓, Edit ✓, Delete ✓
Categories: View ✓, Add -, Edit -, Delete -
Orders: View ✓, Add -, Edit -, Delete -
Everything else: None
Customer Service Profile
Purpose: Handle customer inquiries, process returns
Permissions:
Customers: View ✓, Add -, Edit ✓, Delete -
Orders: View ✓, Add -, Edit ✓, Delete -
Order Messages: View ✓, Add ✓, Edit ✓, Delete -
Merchandise Returns: View ✓, Add ✓, Edit ✓, Delete ✓
Customer Service: View ✓, Add ✓, Edit ✓, Delete ✓
Products: View ✓, Add -, Edit -, Delete -
Cart Rules: View ✓, Add ✓, Edit -, Delete - (Add cannot be capped by value in the profile; set a written limit and review new cart rules)
Everything else: None
Accountant/Finance Profile
Purpose: Access financial data, reporting
Permissions:
Stats: View ✓, Add -, Edit -, Delete -
Orders: View ✓, Add -, Edit -, Delete -
Customers: View ✓, Add -, Edit -, Delete -
Invoices: View ✓, Add -, Edit -, Delete -
Credit Slips: View ✓, Add ✓, Edit -, Delete -
Payment: View ✓, Add -, Edit -, Delete -
Modules (Analytics): View ✓, Add -, Edit -, Delete -
Everything else: None
Multi-Store Permissions
Shop Association
When running multiple stores, you can restrict employees to specific shops:
Configure Shop Access:
Back Office > Team > Employees > Edit Employee
Shop association:
☑ Main Store
☐ Brand Store 2
☑ Regional Store 3
This employee only accesses Main Store and Regional Store 3. The association is not applied to SuperAdmin accounts, which reach every shop regardless.
Multi-Store Permission Scenarios
Scenario 1: Global Administrator
- Access: All shops
- Profile: Logistician (or a custom administrator profile)
- Use: Central management across all stores
Scenario 2: Store-Specific Manager
- Access: Single shop only
- Profile: Logistician (or a custom administrator profile)
- Use: Manage one specific brand/region
Scenario 3: Product Manager Across Stores
- Access: Selected shops
- Profile: Custom "Product Manager"
- Use: Manage catalog for specific store group
Scenario 4: Customer Service All Stores
- Access: All shops
- Profile: Salesman
- Use: Handle orders from any store
Fine-Grained Permission Control
Tab-Level Permissions
The menu tab is the finest unit PrestaShop controls; there is no per-field or per-record permission:
Back Office > Team > Permissions > select profile > Menu permissions
Each menu item shown with checkboxes:
Dashboard ☑ View ☐ Add ☐ Edit ☐ Delete
Catalog
Products ☑ View ☑ Add ☑ Edit ☑ Delete
Categories ☑ View ☑ Add ☑ Edit ☐ Delete
Monitoring ☑ View ☐ Add ☐ Edit ☐ Delete
Attributes & Features ☑ View ☐ Add ☐ Edit ☐ Delete
Orders
Orders ☑ View ☐ Add ☑ Edit ☐ Delete
Invoices ☑ View ☐ Add ☐ Edit ☐ Delete
...
Module-Specific Permissions
Control access to specific modules on the Module permissions tab. Modules have their own three levels, View, Configure and Uninstall, rather than View/Add/Edit/Delete:
Profile: Marketing Manager
Modules:
Google Analytics ☑ View ☑ Configure ☐ Uninstall
Facebook Pixel ☑ View ☑ Configure ☐ Uninstall
Email Marketing ☑ View ☑ Configure ☐ Uninstall
Payment Modules ☐ View ☐ Configure ☐ Uninstall
Leave Uninstall unchecked for every profile below SuperAdmin: removing a payment or security module is as disruptive as reconfiguring it.
Permission Best Practices
Principle of Least Privilege
Grant minimum access needed:
Bad: Give everyone Administrator profile "just in case"
Good: Create specific profiles for each role with exact permissions needed
Example:
Bad - Content Writer has:
- Delete products
- Manage employees
- Configure payments
Good - Content Writer has:
- View products
- Edit product descriptions (this requires Edit on Products, which also covers prices)
- Edit CMS pages
Regular Permission Audits
Monthly Review Checklist:
Review Active Employees:
Back Office > Team > Employees
- Who has access?
- Are all accounts still needed?
- Last login date for each
Review Profile Assignments:
- Is each employee in correct profile?
- Have job responsibilities changed?
- Any employees with excessive permissions?
Review SuperAdmin Accounts:
- How many SuperAdmin accounts exist?
- Are all justified?
- Consider downgrading some to Logistician or a narrower custom profile
Check Multi-Store Access:
- Do shop associations still make sense?
- Any employees accessing stores they shouldn't?
Separation of Duties
Critical Separations:
Financial:
- Order processing ≠ Payment configuration
- View reports ≠ Edit financial data
- Process refunds ≠ Modify order totals
Catalog:
- Add products ≠ Approve/publish products
- Modify prices ≠ Final price approval
- Delete products ≠ Restore deleted items
Technical:
- Install modules ≠ Configure modules
- Edit theme ≠ Approve theme changes
- Database access ≠ Production changes
Separations that fall on different menu sections (Orders versus Payment, Stats versus Orders) are enforced by the permission matrix. Those inside one section (refunds versus order totals, adding versus publishing products) are not, because PrestaShop has no approval workflow; they need a second person and a written hand-off.
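The audit checklist and the separation-of-duties rules above can be run as queries against the tables behind Team > Permissions instead of clicking through every profile. The script below is an added example, not PrestaShop code. It assumes the 1.7+/8 schema (ps_access rows pointing at ps_authorization_role slugs of the form ROLE_MOD_TAB_<TAB>_<READ|CREATE|UPDATE|DELETE>, profile id 1 as SuperAdmin, a last_connection_date column on ps_employee, language id 1, and the default ps_ prefix) and loads constructed sample rows into an in-memory SQLite database so it runs offline; against a live store the same SQL goes into the mysql client.

```python
"""Permission audit over the PrestaShop 1.7+/8 Back Office tables (added example,
not PrestaShop code). Assumed, not taken from the page: default `ps_` prefix;
ps_access maps a profile to ps_authorization_role slugs of the form
ROLE_MOD_TAB_<TABCLASS>_<READ|CREATE|UPDATE|DELETE>; profile id 1 is SuperAdmin;
ps_employee has last_connection_date; language id 1. Sample rows are constructed."""
import sqlite3
from datetime import date

SUPERADMIN_PROFILE = 1  # _PS_ADMIN_PROFILE_ in the core; every check passes for it
# Write rights on Employees/Profiles/Permissions let the holder change who can do
# what (Edit on Employees includes resetting colleagues' passwords): SuperAdmin only.
ADMIN_PLANE_TABS = ("ADMINEMPLOYEES", "ADMINPROFILES", "ADMINACCESS")
# Separation of duties: order processing and payment configuration in one profile.
SOD_PAIRS = (("ROLE_MOD_TAB_ADMINORDERS_UPDATE", "ROLE_MOD_TAB_ADMINPAYMENT_UPDATE"),)

SCHEMA = """
CREATE TABLE ps_profile_lang (id_profile INT, id_lang INT, name TEXT);
CREATE TABLE ps_employee (id_employee INT, id_profile INT, email TEXT, active INT,
                          last_connection_date TEXT);
CREATE TABLE ps_authorization_role (id_authorization_role INT, slug TEXT);
CREATE TABLE ps_access (id_profile INT, id_authorization_role INT);
"""
# Constructed store: two SuperAdmins (one a forgotten agency login), a Logistician
# who can also edit payment settings, a Content Manager wrongly given Edit on Employees.
SAMPLE = {
    "ps_profile_lang": [(1, 1, "SuperAdmin"), (2, 1, "Logistician"), (5, 1, "Content Manager")],
    "ps_employee": [(1, 1, "owner@example.com", 1, "2024-06-20"),
                    (2, 1, "old-agency@example.com", 1, "2023-11-02"),
                    (3, 2, "ops@example.com", 1, "2024-06-19"),
                    (4, 5, "writer@example.com", 1, None)],  # never logged in
    "ps_authorization_role": [(1, "ROLE_MOD_TAB_ADMINPRODUCTS_READ"),
                              (2, "ROLE_MOD_TAB_ADMINPRODUCTS_UPDATE"),
                              (3, "ROLE_MOD_TAB_ADMINEMPLOYEES_UPDATE"),
                              (4, "ROLE_MOD_TAB_ADMINORDERS_UPDATE"),
                              (5, "ROLE_MOD_TAB_ADMINPAYMENT_UPDATE")],
    "ps_access": [(2, 1), (2, 2), (2, 4), (2, 5), (5, 1), (5, 2), (5, 3)],
}


def load_sample_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def superadmin_accounts(conn):
    """Active accounts on the SuperAdmin profile; the page allows one or two."""
    rows = conn.execute("SELECT email FROM ps_employee WHERE id_profile = ? AND active = 1 "
                        "ORDER BY email", (SUPERADMIN_PROFILE,))
    return [email for (email,) in rows]


def profile_roles(conn):
    """{profile name: set of role slugs}: the permission matrix as stored in ps_access."""
    sql = """SELECT pl.name, r.slug FROM ps_access a
             JOIN ps_authorization_role r ON r.id_authorization_role = a.id_authorization_role
             JOIN ps_profile_lang pl ON pl.id_profile = a.id_profile AND pl.id_lang = 1"""
    roles = {}
    for name, slug in conn.execute(sql):
        roles.setdefault(name, set()).add(slug)
    return roles


def admin_plane_grants(conn):
    """(profile, slug) for non-SuperAdmin profiles holding Add/Edit/Delete on
    Employees, Profiles or Permissions (SuperAdmin has no ps_access rows)."""
    findings = []
    for name, slugs in profile_roles(conn).items():
        for slug in sorted(slugs):
            tab, level = slug.removeprefix("ROLE_MOD_TAB_").rsplit("_", 1)
            if tab in ADMIN_PLANE_TABS and level != "READ":
                findings.append((name, slug))
    return findings


def separation_of_duties_violations(conn):
    """Profiles holding both halves of a SOD_PAIRS entry."""
    return [(name, a, b) for name, slugs in profile_roles(conn).items()
            for a, b in SOD_PAIRS if a in slugs and b in slugs]


def stale_accounts(conn, today_iso, max_idle_days=90):
    """Active accounts with no Back Office login within max_idle_days, or ever."""
    today = date.fromisoformat(today_iso)
    rows = conn.execute("SELECT email, last_connection_date FROM ps_employee WHERE active = 1")
    return sorted(email for email, last in rows
                  if last is None or (today - date.fromisoformat(last)).days > max_idle_days)


if __name__ == "__main__":
    db = load_sample_store()
    print("SuperAdmins:", superadmin_accounts(db))
    print("Admin-plane grants:", admin_plane_grants(db))
    print("SoD violations:", separation_of_duties_violations(db))
    print("Stale accounts:", stale_accounts(db, "2024-06-21"))
```

On the sample store the script flags the second SuperAdmin, the Content Manager's Edit on Employees, the Logistician's Orders-plus-Payment combination, and two accounts with no recent login; each of those is one line of the monthly checklist turned into a repeatable query.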
Document Custom Profiles
Profile Documentation Template:
# Custom Profile: Marketing Coordinator
## Purpose
Manage promotional campaigns, marketing content, and analytics tracking
## Assigned To
- Marketing team members
- Campaign managers
- Content creators (marketing)
## Permissions Summary
- Full access: Promotions, CMS Pages, Marketing Modules
- View access: Products, Categories, Orders, Customers, Stats
- No access: Employees, System Settings, Payment, Shipping
## Detailed Permissions
[List specific permissions for each section]
## Shop Association
All shops (multi-brand marketing)
## Restrictions
- Cannot modify product prices
- Cannot process refunds
- Cannot add/remove employees
- Cannot change system configuration
## Review Schedule
Quarterly (January, April, July, October)
## Change Log
- 2024-01-15: Created profile
- 2024-03-10: Added CMS page edit permission
- 2024-06-20: Restricted product edit to view-only
Advanced Permission Scenarios
Temporary Access Elevation
Scenario: Content writer needs temporary access to modify product prices for sale event.
Solution:
Option A: Create a time-limited account with the elevated profile
- Create a new employee with the elevated profile
- Set an expiration reminder (employee records have no expiry date; the account must be disabled by hand)
- Document reason and duration
Option B: Temporarily change the profile
Back Office > Team > Employees > Edit employee
- Change from "Content Manager" to "Marketing Manager"
- Document change in notes
- Revert after sale event
Option B keeps one account per person, so the logs stay attributable; with either option the reminder, not the profile system, is what ends the elevation.
Vendor/Third-Party Access
Scenario: External agency needs access for module configuration.
Solution:
Create Limited Agency Profile:
Profile: Agency Access
Permissions:
Modules: View ✓, Edit ✓ (specific modules only)
Theme: View ✓, Edit ✓
Products: View ✓ (for testing)
Orders: View ✓ (for testing)
Everything else: None
Additional Controls:
- Set a calendar date to disable the account (there is no expiration field on the employee record)
- Require VPN or an IP allowlist, enforced at the web server on the admin directory, since the Back Office has no IP restriction of its own
- Enable 2FA through a module
- Monitor activity logs
- Disable after project completion
Seasonal Staff Permissions
Scenario: Holiday season temporary staff for order processing.
Solution:
Profile: Seasonal Order Processor
Permissions:
Orders: View ✓, Edit ✓ (Edit is needed to change statuses, but it also permits other order changes)
Customers: View ✓
Products: View ✓
Shipping: View ✓
Everything else: None
Constraints:
- Cannot delete orders
- Cannot modify prices
- Cannot issue refunds (escalate to manager)
- View-only access to customer data
- Cannot export data (policy, not enforced: the profile system has no separate export right)
Monitoring and Logging
Employee Activity Logs
Enable Logging:
Back Office > Advanced Parameters > Logs
PrestaShop always writes to its logs table; the only setting on this page is "Logs by email", where you choose the minimum severity (1 Informational, 2 Warning, 3 Error, 4 Major issue) that triggers an e-mail. Keep it at a level you will actually read.
Review Logs:
Back Office > Advanced Parameters > Logs
Filter by:
- Employee
- Date range
- Message and object type (for example "Product deletion" with object type Product)
- Severity
Not every Back Office action writes a log entry. Check which of the events below appear in your version and take the rest, failed logins in particular, from the web server's access log for the admin directory.
What to Monitor:
- Unusual deletion activity
- Off-hours access
- Failed login attempts
- Permission changes
- Data exports
- Order modifications
- Price changes
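Three of the items above (unusual deletions, off-hours access, a known account appearing from a new address) can be checked directly against the logs table rather than by paging through the Logs screen. The script below is an added example, not PrestaShop code. It assumes the 1.7+/8 ps_log columns it names and the two message shapes the legacy admin controllers write ("Back office connection from <ip>" on a successful login, "<Class> deletion" on a delete); the log rows are constructed and loaded into in-memory SQLite so it runs offline, and the SQL carries over to the mysql client with one function swap noted in the comments.

```python
"""Detection queries over ps_log, the table behind Advanced Parameters > Logs
(added example, not PrestaShop code). Assumed: the 1.7+/8 ps_log columns used
below and the message shapes the legacy AdminController writes, "Back office
connection from <ip>" on login and "<Class> deletion" on delete. Rows are
constructed. For MySQL replace strftime('%H', x) with HOUR(x)."""
import re
import sqlite3

LOGIN_RE = re.compile(r"^Back office connection from (\S+)$")

# (severity, message, object_type, object_id, id_employee, date_add), constructed:
# employee 3 logs in twice from the office, then at 02:14 from a new address and
# deletes four products within minutes; employee 1 and 4 behave normally.
SAMPLE_LOG = [
    (1, "Back office connection from 203.0.113.7", None, 0, 3, "2024-06-19 09:02:11"),
    (1, "Back office connection from 203.0.113.7", None, 0, 3, "2024-06-20 08:55:40"),
    (1, "Product modification", "Product", 981, 4, "2024-06-20 11:20:03"),
    (1, "Back office connection from 198.51.100.23", None, 0, 3, "2024-06-21 02:14:05"),
    (1, "Product deletion", "Product", 1042, 3, "2024-06-21 02:16:30"),
    (1, "Product deletion", "Product", 1043, 3, "2024-06-21 02:17:02"),
    (1, "Product deletion", "Product", 1044, 3, "2024-06-21 02:17:41"),
    (1, "Product deletion", "Product", 1045, 3, "2024-06-21 02:18:15"),
    (1, "Back office connection from 203.0.113.9", None, 0, 1, "2024-06-21 10:00:00"),
]


def load_sample_log():
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ps_log (id_log INTEGER PRIMARY KEY, severity INT,
        message TEXT, object_type TEXT, object_id INT, id_employee INT, date_add TEXT)""")
    conn.executemany("INSERT INTO ps_log (severity, message, object_type, object_id, "
                     "id_employee, date_add) VALUES (?,?,?,?,?,?)", SAMPLE_LOG)
    return conn


def deletion_bursts(conn, threshold=3):
    """(id_employee, day, count) where one employee deleted more than `threshold`
    objects in a single day: the 'unusual deletion activity' item."""
    sql = """SELECT id_employee, date(date_add) AS day, COUNT(*) AS n FROM ps_log
             WHERE message LIKE '% deletion' GROUP BY id_employee, day HAVING n > ?"""
    return [tuple(r) for r in conn.execute(sql, (threshold,))]


def off_hours_logins(conn, open_hour=7, close_hour=20):
    """Successful logins outside [open_hour, close_hour) in the server's local time."""
    sql = """SELECT id_employee, message, date_add FROM ps_log
             WHERE message LIKE 'Back office connection from %'
               AND (CAST(strftime('%H', date_add) AS INT) < ?
                    OR CAST(strftime('%H', date_add) AS INT) >= ?)
             ORDER BY date_add"""
    return [tuple(r) for r in conn.execute(sql, (open_hour, close_hour))]


def new_ip_logins(conn):
    """(id_employee, ip, date_add) the first time an account that has logged in
    before shows up from an address not previously logged for that account."""
    known, alerts = {}, []
    for emp, msg, when in conn.execute(
            "SELECT id_employee, message, date_add FROM ps_log "
            "WHERE message LIKE 'Back office connection from %' ORDER BY date_add, id_log"):
        ip = LOGIN_RE.match(msg).group(1)
        seen = known.setdefault(emp, set())
        if seen and ip not in seen:
            alerts.append((emp, ip, when))
        seen.add(ip)
    return alerts


if __name__ == "__main__":
    db = load_sample_log()
    print("Deletion bursts:", deletion_bursts(db))
    print("Off-hours logins:", off_hours_logins(db))
    print("New-IP logins:", new_ip_logins(db))
```

All three checks converge on employee 3's 02:14 session, which is the point: one query alone is noise (a legitimate late shift, a new home address), but a new IP, an off-hours login and a burst of deletions within minutes from the same account is the pattern worth paging someone for.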
Security Alerts
The core only alerts by e-mail on the severity threshold above, so the alerts below need the logs table (or the web server's access log) fed to a SIEM or checked by a scheduled query. Set up alerts for:
- New employee created
- SuperAdmin profile assigned
- Employee accessing from new IP
- Multiple failed login attempts
- Permission changes
- Large data exports
Compliance Considerations
GDPR Compliance
Employee Access to Customer Data:
Document:
- Who has access to customer data
- Purpose of access (legitimate interest)
- Retention period
- Access audit trail
Restrict:
- Limit customer data access to those who need it
- Implement view vs. edit controls
- Log all customer data access
- Enable data anonymization where possible
PCI DSS Compliance
Payment Data Access:
Requirements:
- Limit access to cardholder data
- Assign unique IDs to employees with computer access
- Restrict physical and logical access
- Track all access to network resources and cardholder data
PrestaShop:
- Minimize employees with payment configuration access
- Keep card entry on the payment provider's side (hosted page or hosted fields) so no card data ever reaches the store or its database
- Review payment module access regularly
- Audit changes to payment settings
- One named account per person; no shared logins
Troubleshooting Permission Issues
Employee Can't Access Expected Section
Check:
1. Profile Assignment:
Back Office > Team > Employees > Edit employee
Verify correct profile assigned
2. Profile Permissions:
Back Office > Team > Permissions > select the profile
Check permissions for that section
3. Multi-Store Context:
Verify employee has access to current shop
Check shop association
4. Clear Cache:
Back Office > Advanced Parameters > Performance > Clear cache
5. Module Disabled:
Some sections require specific modules enabled
Check module status
Permission Changes Not Taking Effect
Solutions:
- Log out and back in - Sessions cache permissions
- Clear browser cache - Old cached pages may show
- Clear PrestaShop cache - Template cache may be stale
- Check profile vs. employee - Ensure editing correct profile
Next Steps
- Adding and Removing Users - Employee account management
- User Management Overview - User management best practices
- Troubleshooting - PrestaShop troubleshooting