Migrating users in your store to the role-based access control model

With the role-based access control model, you can assign roles to users.

The user role represents the user's job in your store and contains all the granular permissions for the user to do their job. When a role is assigned to a user, the associated permissions are granted to the user. When a role is removed from the user, the permissions are also removed. One or multiple roles can be assigned to a user. These roles grant the user the accumulative permissions from all the roles. This means that you can accurately and uniformly change user permissions through their role and reduce instances where a user is accidentally given permissions that aren't part of their job.

There are two types of predefined user roles available: system roles and custom roles. System roles are predefined roles and can't be edited. Custom roles are predefined roles that you can edit to suit your business needs. You can also create custom user roles. Learn more about the available predefined user roles and creating roles.

User access changes

Review the following exceptions to understand how your existing user management permissions will be affected:

• Staff members who have been granted all available permissions are automatically migrated to the Administrator role.
• User management permissions are deprecated. To grant user access permissions with the role-based access control model, you can assign the user the Administrator role. Learn more about system roles.

Migrating users to the roles-based access control model

When your store migrates to the role-based access control model, your existing user access remains unchanged with some exceptions to user management permissions.

You can directly assign a role to a user. After you assign a role to the user, the permissions in the role replace the previous permissions and migrate the user to roles.

You can assign users to predefined roles, or create a new role from the legacy group's existing permissions.

Users that aren’t yet migrated display a Legacy access badge in the Users section of your Shopify admin settings. You can filter and sort your users by Legacy access to display all users that need to be migrated.

Steps:

1. From your Shopify admin, go to Settings > Users.

2. Click a user with the Legacy access badge.

3. In the Legacy access section, click the … button next to the name of one of the stores, and then click Create role.

4. In the Create role from existing store permissions dialog, add the following information:

• Add a name for the role.
• Optional: Add a description to the role.
• Optional: Make any adjustments to the permissions.

5. Click Save to create the role.
6. Select stores to assign store access for the role.
7. Click Done.
8. Click Save.
9. In the Replace legacy permissions dialog, click Replace and save.

POS access

If you have the Shopify Point of Sale (POS) sales channel, then you'll continue to manage POS staff in the POS sales channel or in the POS app. If you want to give your POS staff access to your Shopify admin, then you need to create a custom role in the Users section of your Shopify admin settings with POS access permissions.

Create a custom user role or modify a default role, select the POS access permissions that you want to add to the user role, and then assign that role to users to grant them POS access.

After you assign the role to a user, the user is automatically assigned to the default POS role. You can manage the following user information for POS staff from the POS app or POS sales channel:

• Manage the user's PIN
• Assign the user a different POS role
• Create and manage POS roles

Learn more about managing POS staff and POS roles.

FAQ

Why can’t I edit or create user roles?

If you can’t edit or create user roles, it’s likely due to one of the following reasons:

• You don’t have permission to manage roles. Only the Store owner or users with the Administrator user role have the required permissions to create or edit user roles. Learn more about eligibility requirements for user management.
• You’re trying to modify a user that has a system role. System roles, such as the Organization owner, can't be edited. Learn more about system user roles.

If you need access to user management features, then you can contact a staff member with a user management roles to request access.

Do I need to migrate users with legacy access right away? What happens after May 1 2025?

After May 1, 2025, user permissions and groups with legacy access will be automatically converted to user roles.

An autogenerated user role will generate for each user in your store with their previous permissions.

To keep your access control organized, it’s recommended that you migrate users manually before the deadline.

Why have some of my users been assigned the Administrator role?

Migrated users that had the deprecated organization-level Users permissions are automatically assigned the Administrator user role. This user role includes full access to all features and resources in the organization. Learn more about the Administrator user role.

You can remove the Administrator user role from the user, and assign them a different user role.

Do I have to create a role for each user if they have different permissions?

No, you don’t need to create a separate role for every user. You can create user roles to based on permission categories, so that multiple users can share them. For example, you can create a Merchandiser user role with store-level permissions for Products, Catalogs, Content, and Files. You can assign the Merchandiser role to any users that manage product inventory.

If a user requires unique access, then you can still create a dedicated user role, but in most cases, grouping users under well-defined roles is the best practice.

Can I modify the default user roles?

You can't customize system roles. If you have predefined custom user roles in your admin, then you can customize those roles. Learn more about different types of roles.