Migrating users in your organization to the role-based access control model
With the role-based access control model, you can assign roles to users in your organization.
The user role represents the user's job in the organization and contains all the granular permissions for the user to do their job. When a role is assigned to a user, the associated permissions are granted to the user. When a role is removed from the user, the permissions are also removed. One or multiple roles can be assigned to either a user or a user group. These roles grant the user or user group the accumulative permissions from all the roles. This means that you can accurately and uniformly change user permissions through their role and reduce instances where a user is accidentally given permissions that aren't part of their job.
If your organization is on the Shopify Plus plan, then you can also assign roles to user groups, and then assign the user group to a user. A user group is a collection of users that share certain organization attributes, such as North American Customer Support or B2B Sales Team.
There are two types of predefined user roles available. System roles are predefined roles and can't be edited. Custom roles are predefined roles that you can edit to suit your business needs. Learn more about user roles and creating roles.
On this page
Migrating users to the roles-based access control model
When your store or organization migrates to the role-based access control model, your existing user access remains unchanged with some exceptions to user management permissions.
You can directly assign a role to a user. You can assign users to predefined roles, or create a new role from the legacy group's existing permissions.
If your store or organization is on the Shopify Plus plan, then you can also assign a role to a user group, and then assign the user group to the user.
Users and groups that aren’t yet migrated display a Legacy access badge in the Users section of your Shopify admin settings. You can filter and sort your users and groups by Legacy access to display all users and groups that need to be migrated.
User access changes
Review the following exceptions to understand how your existing user management permissions will be affected:
- Users with organization-level user management permissions: These users are automatically assigned the Organization administrator role. This role grants users view, create, edit, and delete permissions on all resources across all stores in your organization, with the exception of transferring organization ownership. These users can fully manage users and user permissions without any disruption.
- Users with store-level management permissions: User management permissions are deprecated. To continue modifying users or inviting new users, you can assign users either the Organization administrator role or a Store user administrator role for store-level user management.
- Store owners in organizations on the Shopify Plus plan: If you're the current owner of a store in an organization, then you'll be automatically migrated to the Store owner role in the role-based access control model. You can manage user accounts, including adding and removing users and changing user roles. The store owner in an organization can't create or manage roles. If you have access to other stores in an organization, but aren't the store owner, or have access to organization-level features, then you won't be automatically migrated. The organization owner or an organization administrator must assign a new role to you to grant you additional permissions.
Learn more about system roles for organizations.
Migrating users with legacy roles
If your organization already had roles, then your legacy roles are automatically converted to user groups with the same names.
You can't assign a legacy role to a user. Legacy roles have been converted to groups, and no longer control user permissions. You need to migrate your legacy role groups before you can assign permissions to any users.
To migrate users in your legacy access groups, assign a role to the legacy access user group.
You can assign users to a pre-defined role, or create a new role from the legacy group's existing permissions.
Steps:
From your Shopify admin, go to Settings > Users and permissions.
Click Groups.
Click the legacy group that you want to migrate.
In the Legacy access section, click the … button next to the name of one of the stores, and then click Create role.
-
In the Create role from existing store permissions dialog, add the following information:
- Add a name for the role.
- Optional: Add a description to the role.
- Optional: Make any adjustments to the permissions.
Click Save to create the role.
Select stores to assign store access for the role.
Click Done.
Click Save.
In the Replace legacy permissions dialog, click Replace and save.
Migrating individual users
You can migrate individual users with legacy access by assigning a role to each user. You can assign users to a pre-defined role, or create a new role from the legacy group's existing permissions.
Steps:
From your Shopify admin, go to Settings > Users and permissions.
Click a user with the Legacy access badge.
In the Legacy access section, click the … button next to the name of one of the stores, and then click Create role.
-
In the Create role from existing store permissions dialog, add the following information:
- Add a name for the role.
- Optional: Add a description to the role.
- Optional: Make any adjustments to the permissions.
Click Save to create the role.
Select stores to assign store access for the role.
Click Done.
Click Save.
In the Replace legacy permissions dialog, click Replace and save.
Provisioning users with SCIM
If you're using System for Cross-domain Identity Management (SCIM) to provision users to Shopify, then assign SCIM users to groups instead of roles in your identity service provider.
To add new groups to your identity, first create a user group in your Shopify admin, and then add the group name to your user assignment in your identity service provider.
You don't need to migrate existing users that have already been provisioned through SCIM to new groups. However, if you want to assign a role or group to a new user, or change role assignment for a user through your identity service provider, then you need to first migrate your Legacy roles or create a new user group in your Users settings in your Shopify admin, and then assign the group to your user in your identity service provider. The optional field is still labeled Role Name (Optional), but the value it takes is a user group.
If you want to provision a new user with a Legacy role, update the Legacy role user group by assigning a new role to the group in your Shopify admin, and then assign that group in your identity service provider. Use the user group name in the role field in your identity service provider.
If you want to provision a user to a new role, then create a new role and assign the role to the user group in your Shopify admin, and then assign that group in your identity service provider. Use the user group name in the role field in your identity service provider.
Learn more about SCIM user management.
POS access for organizations
If you have the Shopify Point of Sale (POS) sales channel, then you need to create a custom role in the Users section of your store settings with POS access permissions to grant POS access to staff members.
Create a custom user role or modify a default role, select the POS access permissions that you want to grant for the user role, and then assign that role to users to grant them POS access. After you assign the role to a user, the user is automatically assigned to the default Associate role.
You can manage the following user information for POS staff from the POS app or POS sales channel:
- Manage the user's PIN
- Assign the user a different POS role
- Create and manage POS roles
You can grant access to multiple stores in your organization with this custom role, but you still manage your POS staff separately for each store in your organization.