Shopify User Management: Roles and Permissions | OpsBlu Docs

Shopify User Management: Roles and Permissions

How to manage team access, roles, and permissions in Shopify. Covers adding users, updating access levels, revoking access, and security best practices...

Shopify uses a staff account system to control who can access your store admin and what they can do. Proper user management ensures security, maintains data integrity, and enables efficient collaboration.

Shopify User Management Overview

Account Types

1. Store Owner

  • Full access to everything
  • Can add/remove staff
  • Manages billing
  • Cannot be removed (ownership can be transferred)

2. Staff Accounts

  • Limited by assigned permissions
  • Access specific areas of admin
  • Cannot see billing by default
  • Can be added/removed by Owner or users with staff permissions

3. Collaborator Accounts (For Partners/Agencies)

  • Temporary access for developers/agencies
  • Doesn't count toward staff limit
  • Limited access scope
  • Can be revoked anytime

4. Staff with Storefront Login (Optional)

  • Can access both admin and storefront
  • Useful for customer support
  • Separate from customer accounts

Staff Limits by Plan

Plan Staff Accounts Included Additional Cost
Basic 2 $5/month per additional staff
Shopify 5 $5/month per additional staff
Advanced 15 $5/month per additional staff
Plus Unlimited Included

Check your current usage: Settings → Users and permissions → See staff count at top

Shopify Permission Structure

Built-in Permission Levels

Shopify doesn't have traditional "roles." Instead, you grant granular permissions:

Full Permissions

  • Everything except ownership transfer and billing
  • Can add/remove other staff
  • Manage all store aspects

Limited Permissions

  • Choose specific areas: Orders, Products, Customers, etc.
  • Cannot manage staff
  • Cannot access Settings (unless granted)

Collaborator Permissions

  • Themes (view/edit)
  • Apps (limited)
  • No access to customer data, orders, or settings

Permission Categories

Orders

  • View orders
  • Edit orders
  • Export orders
  • Process returns and exchanges

Products

  • View products
  • Edit products
  • Manage inventory
  • Import/export products

Customers

  • View customer data
  • Edit customer data
  • Export customer data
  • Send marketing emails

Discounts

  • View discounts
  • Create and edit discounts
  • Delete discounts

Marketing

  • View marketing campaigns
  • Create campaigns
  • Edit/delete campaigns

Online Store

  • View themes
  • Edit themes
  • Manage navigation
  • Blog posts and pages

Apps

  • View installed apps
  • Install/uninstall apps
  • Configure app settings

Settings

  • Access store settings
  • Manage payments
  • Shipping and taxes
  • Locations

Analytics

  • View reports
  • Export reports

Gift Cards

  • View gift cards
  • Issue gift cards

When to Add Staff Accounts

Internal Team Members

Marketing Team:

  • Products (view/edit)
  • Marketing (full)
  • Discounts (full)
  • Analytics (view)

Customer Support:

  • Orders (view/edit)
  • Customers (view/edit)
  • Gift cards (issue)
  • Returns processing

Inventory Manager:

  • Products (full)
  • Inventory transfers
  • Locations
  • Purchase orders (if using Shopify POS)

Content Editor:

  • Online Store (edit themes, pages, blog)
  • Products (view/edit)
  • Navigation

Accountant/Finance:

  • Orders (view/export)
  • Analytics (view/export)
  • Settings (view billing)

External Collaborators

Developer/Agency:

  • Use Collaborator account
  • Theme access only
  • Remove after project complete

Photographer:

  • Products (edit - for uploading images)
  • Temporary access
  • Remove after photoshoot

Consultant/Auditor:

  • View-only permissions
  • Analytics access
  • Time-limited access

Security Best Practices

1. Enable Two-Factor Authentication (2FA)

For all staff accounts:

To require 2FA:

  1. SettingsUsers and permissions
  2. Click Security
  3. Enable Require two-step authentication for all staff
  4. All staff will be prompted to set up 2FA on next login

Staff setup:

  1. Staff logs into Shopify
  2. Prompted to enable 2FA
  3. Uses authenticator app (Google Authenticator, Authy, etc.)
  4. Enters code to verify

2. Principle of Least Privilege

Grant minimum permissions needed:

  • Don't give "Full permissions" unless necessary
  • Review permissions quarterly
  • Remove permissions when no longer needed

Examples:

  • Marketing team doesn't need Settings access
  • Content editors don't need Customer data
  • Support staff don't need Theme edit permissions

3. Regular Access Reviews

Schedule quarterly reviews:

  • List all active staff accounts
  • Verify each person still needs access
  • Check if permissions are still appropriate
  • Remove inactive accounts

Document:

  • Who has access
  • What permissions they have
  • When access was granted
  • Next review date

4. Immediate Offboarding

When staff leaves:

  1. Remove staff account immediately (same day)
  2. Transfer ownership of any assets (e.g., unpublished products)
  3. Change any shared passwords (if applicable)
  4. Document removal

SettingsUsers and permissions → Staff name → Remove staff member

5. Use Collaborator Accounts for Temporary Access

For agencies, developers, consultants:

  • Don't create staff accounts
  • Use Collaborator accounts instead
  • Automatically expire or manually revoke
  • Don't count toward staff limit

Add collaborator:

  1. SettingsUsers and permissions
  2. Add collaborator
  3. Enter email
  4. Set permissions (limited to themes/apps)
  5. Send request

Shopify Plus: Advanced User Management

Staff with Custom Permissions

Plus stores can create more granular permissions:

  • Restrict access to specific locations
  • Limit order editing to certain conditions
  • Control access to specific apps

SSO (Single Sign-On)

Shopify Plus feature:

  • Integrate with identity provider (Okta, Azure AD, Google Workspace)
  • Centralized user management
  • Automatic provisioning/deprovisioning
  • Stronger security

Setup:

  1. Settings → Users and permissions → Security
  2. Enable Single Sign-On
  3. Configure identity provider
  4. Test with pilot group

IP Allowlisting

Restrict admin access by IP:

  • Only allow access from office network
  • Block access from unknown locations
  • Available on Plus

Setup: Settings → Users and permissions → Security → IP allowlisting

Common User Management Scenarios

Scenario 1: Adding Marketing Manager

Permissions needed:

  • ✓ Products (view/edit)
  • ✓ Discounts (full)
  • ✓ Marketing (full)
  • ✓ Analytics (view)
  • ✓ Online Store (edit pages/blog)
  • ✗ Orders (not needed)
  • ✗ Customers (not needed for marketing)
  • ✗ Settings (not needed)

Scenario 2: Customer Support Agent

Permissions needed:

  • ✓ Orders (view/edit)
  • ✓ Customers (view/edit)
  • ✓ Gift cards (issue)
  • ✓ Products (view only - to answer questions)
  • ✗ Marketing (not needed)
  • ✗ Discounts (not needed - unless authorized to issue)
  • ✗ Settings (not needed)

Scenario 3: Contractor Developer

Use Collaborator Account:

  • Theme access (view/edit)
  • Specific app access (if needed)
  • Time-limited (set end date)
  • Remove after project

Scenario 4: Temporary Holiday Help

Permissions needed:

  • ✓ Orders (view/edit)
  • ✓ Products (view only)
  • ✓ Customers (view only)
  • ✗ All others
  • Time-limited: Remove after holiday season

Scenario 5: Accountant Review

View-only access:

  • ✓ Orders (view/export)
  • ✓ Analytics (view/export)
  • ✓ Settings (view billing/payments)
  • ✗ Edit permissions (none)

Monitoring Staff Activity

Activity Logs

Check staff actions:

  1. SettingsNotifications
  2. Staff activity
  3. Subscribe to activity updates via email

What's tracked:

  • Staff logins
  • Permission changes
  • Major setting changes
  • Theme edits
  • App installations

Audit Trail (Shopify Plus)

More detailed tracking:

  • Settings → Users and permissions → Activity
  • See all staff actions
  • Filter by user, action, date
  • Export for compliance

Troubleshooting Access Issues

Staff Can't Log In

Check:

  1. Account still active (not removed)
  2. 2FA set up correctly
  3. Email correct (case-sensitive)
  4. Password reset if needed

Reset password:

  • Staff goes to login page
  • Clicks "Forgot password"
  • Receives email with reset link

Staff Can't See Certain Features

Check permissions:

  1. Settings → Users and permissions
  2. Click staff name
  3. Review granted permissions
  4. Add missing permissions

Collaborator Can't Access Theme

Verify:

  1. Collaborator request accepted
  2. Permissions include theme access
  3. Using correct login (not customer login)

2FA Issues

Staff lost 2FA device:

  1. Store owner can disable 2FA for that user
  2. Settings → Users and permissions → Staff name
  3. Disable two-step authentication
  4. Staff sets up new 2FA on next login

Best Practices Summary

Do:

  • ✓ Enable 2FA for all staff
  • ✓ Grant minimum necessary permissions
  • ✓ Review access quarterly
  • ✓ Remove staff immediately upon departure
  • ✓ Use collaborator accounts for temporary access
  • ✓ Document who has access and why

Don't:

  • ✗ Share staff accounts between people
  • ✗ Give full permissions unless necessary
  • ✗ Leave inactive accounts enabled
  • ✗ Use staff accounts for agency access
  • ✗ Forget to review permissions regularly

Next Steps

For general user management concepts, see User Management Guide.

返回顶部