Migrating to the role-based access control model

With the role-based access control model, you assign roles to users in your store or organization instead of assigning permissions directly. A role represents the user's job in your store and contains all the granular permissions for the user to do their job.

Default roles

After you migrate to role-based access control, the following two types of roles are already available in your Shopify admin:

• Administrator roles managed by Shopify.
• Predefined roles that you can customized.

You can also create any additional roles that you need for your business.

User access changes

Review the following exceptions to understand how your existing user management permissions will be affected:

• User management permissions are deprecated. User management permissions are granted only to specific roles managed by Shopify. Learn more about eligible users.
• Some users are automatically assigned to a role managed by Shopify.
  • Users with all available store-level permissions are automatically migrated to the Administrator role.
  • Users with organization-level user management permissions are automatically assigned the Organization administrator role.
• If you're the current store owner of a store in an organization, then you'll be automatically migrated to the Store owner role in the role-based access control model. You can manage user accounts, including adding and removing users and changing user roles. The store owner in an organization can't create or manage roles. If you have access to other stores in an organization, but aren't the store owner, or have access to organization-level features, then you won't be automatically migrated. The organization owner or an Organization administrator must assign a new role to you to grant you additional permissions.

Migrating users to the role-based access control model

To migrate your users to the role-based access model, assign a role to the user. After you assign a role to the user, the role replaces the previous permissions that were assigned directly to a user.

Users and groups that aren’t yet migrated display a Legacy access badge in the Users section of your Shopify admin settings. You can filter and sort your users or groups by Legacy access to display all users and groups that need to be migrated.

Migrate individual legacy users

You can create a new role from the users existing legacy permissions, assign them to a predefined or administrator role, or create a new role.

Steps:

1. From your Shopify admin, go to Settings > Users.

2. Click a user with the Legacy access badge.

3. In the Legacy access section, click the icon next to the name of one of the stores, and then click Create role.

4. In the Create role from existing store permissions dialog, add the following information:

• Add a name for the role.
• Optional: Add a description to the role.
• Optional: Make any adjustments to the permissions.

5. Click Save to create the role.
6. Select stores to assign store access for the role.
7. Click Done.
8. Click Save.
9. In the Replace legacy permissions dialog, click Replace and save.

Migrating users with legacy roles

If your organization already had roles, then your legacy roles are automatically converted to user groups with the same names.

You can't assign a legacy role to a user. Legacy roles have been converted to groups, and no longer control user permissions. You need to migrate your legacy role groups before you can assign permissions to any users.

To migrate users in your legacy access groups, assign a role to the legacy access user group. You can assign users to a predefined or administrator role, or create a new role.

Steps:

1. From your Shopify admin, go to Settings > Users.

2. Click Groups.

3. Click the legacy group that you want to migrate.

4. In the Legacy access section, click the … button next to the name of one of the stores, and then click Create role.

5. In the Create role from existing store permissions dialog, add the following information:

• Add a name for the role.
• Optional: Add a description to the role.
• Optional: Make any adjustments to the permissions.

6. Click Save to create the role.
7. Select stores to assign store access for the role.
8. Click Done.
9. Click Save.
10. In the Replace legacy permissions dialog, click Replace and save.

Provisioning users with SCIM

If you're using System for Cross-domain Identity Management (SCIM) to provision users to Shopify, then assign SCIM users to groups instead of roles in your identity service provider.

To add new groups to your identity, first create a user group in your Shopify admin, and then add the group name to your user assignment in your identity service provider.

You don't need to migrate existing users that have already been provisioned through SCIM to new groups. However, if you want to assign a role or group to a new user, or change role assignment for a user through your identity service provider, then you need to first migrate your legacy roles or create a new user group in your Users settings in your Shopify admin, and then assign the group to your user in your identity service provider. The optional field is still labeled Role Name (Optional), but the value it takes is a user group.

If you want to provision a new user with a legacy role, update the legacy role user group by assigning a new role to the group in your Shopify admin, and then assign that group in your identity service provider. Use the user group name in the role field in your identity service provider.

If you want to provision a user to a new role, then create a new role and assign the role to the user group in your Shopify admin, and then assign that group in your identity service provider. Use the user group name in the role field in your identity service provider.

Learn more about SCIM user management.

POS access

If you have the Shopify Point of Sale (POS) sales channel, then you'll continue to manage POS staff in the Point of Sale channel or in the POS app. If you want to give POS access to your Shopify admin users, then you need to create a role in the Users > Roles section of your Shopify admin settings with the Access Point of Sale store permission.

If your store is part of an organization or on the Shopify Plus plan, then you can grant access to multiple stores in your organization in the role, but you still manage your POS staff separately for each store in your organization.

After you assign the role to a user the user is automatically assigned to a default POS role. You can manage staff with POS access from the Point of Sale channel or from the POS app.

FAQ

Review answers to frequently asked questions about migrating to the role-based access model.

Why can’t I edit or create user roles?

If you can’t edit or create user roles, it’s likely due to one of the following reasons:

• You don’t have permission to manage roles. Only the owner, or users with administrator roles have the required permissions to create or manage roles. Learn more about eligibility requirements for user management.
• You’re trying to modify a user that has a role managed by Shopify. Roles managed by Shopify can't be edited. Learn more about roles managed by Shopify.

If you need access to user management features, then you can contact a user with a user management access to request access.

Do I need to migrate users with legacy access right away? What happens after May 1, 2025?

After May 1, 2025, user permissions and groups with legacy access will be automatically converted to roles.

An autogenerated user role will generate for each user in each store in the organization with their previous permissions.

Your users will maintain their current permissions, but the automatic migration might result in multiple roles per user across the stores in your organization that you'll need to manually manage and cleanup.

To keep your access control organized, it’s recommended that you migrate users manually before the deadline.

Why have some of my users been assigned the Organization administrator role?

Migrated users for organizations, or for stores on the Shopify Plus plan that had the deprecated Users organization permissions are automatically assigned the Organization administrator role.

You can remove the Organization administrator role from the user, and assign them a different role instead.

Learn more about administrator roles.

Why have some of my users been assigned the Administrator role?

Migrated users that had the deprecated Users store permissions are automatically assigned the Administrator role.

You can remove the Administrator role from the user, and assign them a different role instead.

Learn more about administrator roles.

Do I have to create a role for each user if they have different permissions?

No, you don’t need to create a separate role for every user. You can manage user roles in the following ways:

• Create user roles to based on permission categories, so that multiple users can share them. For example, you can create a Merchandiser user role with store permissions for Products, Catalogs, Content, and Files. You can assign the Merchandiser role to any users that manage product inventory.
• If your organization is on the Shopify Plus plan, then use groups to assign the same role to multiple users. Learn more about groups for users.

If a user requires unique access, then you can still create a dedicated user role, but in most cases, grouping users under well-defined roles is the best practice.

Can I modify the default user roles?

You can't customize roles managed by Shopify. If you have predefined roles in your admin, then you can customize those roles. Learn more about the different role categories.