Migrating to the role-based access control model

User management with Organization Settings supports a role-based access control model.

With the role-based access control model, you can assign roles to users. If your organization is on the Shopify Plus plan, then you can assign roles to user groups, and then assign the user group to a user. A user group is a collection of users that share certain organization attributes, such as North American Customer Support or B2B Sales Team.

The user role represents the user's job in the organization and contains all the granular permissions for the user to do their job. When a role is assigned to a user, the associated permissions are granted to the user. When a role is removed from the user, the permissions are also removed. One or multiple roles can be assigned to either a user or a user group. These roles grant the user or user group the cumulative permissions from all the roles. This means that you can accurately and uniformly change user permissions through their role and reduce instances where a user is accidentally given permissions that aren't part of their job.

There are two types of predefined user roles available. System roles are predefined roles and can't be edited. Custom roles are predefined roles that you can edit to suit your business needs. Learn more about the available predefined user roles.

Roles are grouped into different categories: organization or stores. Each category represents a unique business context and permissions specific to that context. Learn more about user role categories.

User access exceptions

Review the following exceptions about your existing user management permissions:

  • Users with organization-level user management permissions: These users are automatically assigned an Organization administrator role. This role grants users view, create, edit, and delete permissions on all resources across all stores in your organization, with the exception of transferring organization ownership. These users can fully manage users and user permissions without any disruption.
  • Users with store-level management permissions, including Store owners: These users can still remove or suspend user access, but they can't modify user access or invite new users. To continue modifying users or inviting new users, you can assign them either an Organization administrator or a Store user administrator role.

Migrating users to the role-based access control model

When your store or organization migrates to the role-based access control model, your existing user access remains unchanged with some exceptions to user management permissions.

You can directly assign a role to a user. If your store is on the Shopify Plus plan, then you can also assign a role to a user group, and then assign the user group to the user.

After the user is assigned a role, either directly or through a group (Plus plan only), the permissions in the role replace the previous permissions and migrate the user to roles.

You can assign your users to predefined roles. If the predefined roles don't meet your requirements, then you can create a role with the permissions you require for your users.
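Because assigned roles replace a user's previous permissions and accumulate across direct and group assignments, it helps to compare the two sets before assigning anything. The following is an added example, not Shopify code: the role, group and permission names are constructed placeholders, and the model assumes a user with no role (directly or through a group) keeps legacy access.

```python
from dataclasses import dataclass, field

# Constructed catalogue: role, group and permission names are placeholders,
# not Shopify identifiers.
ROLES = {
    "support_agent": {"orders.view", "customers.view", "customers.edit"},
    "refund_handler": {"orders.view", "orders.refund"},
}
GROUP_ROLES = {
    "NA Customer Support": ["support_agent", "refund_handler"],
    "East Coast Sales": [],  # converted legacy group, no role assigned yet
}

@dataclass
class User:
    name: str
    legacy_permissions: set
    direct_roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)

def assigned_roles(user, group_roles=GROUP_ROLES):
    """Roles held directly plus roles inherited from each user group."""
    names = list(user.direct_roles)
    for group in user.groups:
        names.extend(group_roles.get(group, []))
    return names

def effective_permissions(user, roles=ROLES, group_roles=GROUP_ROLES):
    """Union of all role permissions; with no role, legacy access still applies."""
    names = assigned_roles(user, group_roles)
    if not names:
        return set(user.legacy_permissions)
    return set().union(*(roles[n] for n in names))

def migration_diff(user, roles=ROLES, group_roles=GROUP_ROLES):
    """Permissions gained and lost once the roles replace legacy permissions."""
    before = set(user.legacy_permissions)
    after = effective_permissions(user, roles, group_roles)
    return {"gained": sorted(after - before), "lost": sorted(before - after)}

if __name__ == "__main__":
    alice = User("alice", {"orders.view", "customers.view", "customers.edit",
                           "orders.refund", "users.invite"},
                 groups=["NA Customer Support"])
    print(migration_diff(alice))  # users.invite is dropped by the proposed roles
```

Anything in `gained` is access the user did not have before migration and should be reviewed against their job; anything in `lost` needs either a deliberate sign-off or an additional role.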

If you haven't migrated all of your users to roles before February 1, 2025, then your permissions are automatically converted to roles and assigned to a user or a user group. This conversion doesn't change your users' access, but it does add a list of per-user or per-store roles to your roles index that you might want to customize.

Migrating users with permissions only

If your users didn’t have roles and had permissions only, then you can migrate by assigning them a role. If your store is on the Shopify Plus plan, then you can also assign users to a user group.

Users that aren’t yet migrated display a Legacy Access badge in the Users section of your Shopify admin settings. You can filter and sort your users by Legacy Access to display all users that need to be migrated.

Complete any of the following actions to migrate your Legacy Access users:

Migrating legacy Plus roles

If your organization already had roles, then your legacy roles are automatically converted to user groups with the same names. These converted user groups display a Legacy Plus role badge. All the users that were previously assigned the legacy role are now assigned to this new user group.

To migrate these users, assign a new role to the group. You can assign users to an existing role, or create a new role to match your user group.

For example, if your legacy Plus role was for your East Coast sales representatives, then you can create a role with selected permissions and assign the role to the group. Complete any of the following actions to migrate your Legacy Plus roles groups:

Migrating users with SCIM

If you're using System for Cross-domain Identity Management (SCIM) to provision users to Shopify, then assign SCIM users to groups instead of roles in your identity service provider.

To add new groups to your identity, first create a user group in your Shopify admin, and then add the group name to your user assignment in your identity service provider.

You don't need to migrate existing users that have already been provisioned through SCIM to new groups. However, if you want to assign a role or group to a new user, or change role assignment for a user through your identity service provider, then you need to first migrate your Legacy Plus roles or create a new user group in your Users settings in your Shopify admin, and then assign the group to your user in your identity service provider. The optional field is still labeled Role Name (Optional), but the value it takes is a user group.

Learn more about SCIM user management.
