Migrating to the role-based access control model
User management with Organization Settings supports a role-based access control model.
With the role-based access control model, you can assign roles to users. You can also assign roles to user groups, and then assign the user group to a user. A user group is a collection of users that share certain organization attributes, such as North American Customer Support or B2B Sales Team.
The user role represents the user's job in the organization and contains all the granular permissions for the user to do their job. When a role is assigned to a user, the associated permissions are granted to the user. When a role is removed from the user, the permissions are also removed. One or more roles can be assigned to either a user or a user group. These roles grant the user or user group the cumulative permissions from all the roles. This means that you can accurately and uniformly change user permissions through their role and reduce instances where a user is accidentally given permissions that aren't part of their job.
Roles are grouped into different categories: organization or stores. Each category represents a unique business context and permissions specific to that context.
When your store or organization is migrated to the roles-based access control model, all of your existing user access remains unchanged with some exceptions to user management permissions.
Role categories
Roles are grouped into different categories. Each category represents a unique business context and permissions specific to that context. The following role categories are available:
- Organization - Roles and their permissions in this category grant access to features under Organization settings. These features work at the organization level across all stores in the organization. System roles in this category have the highest permissions in the organization.
- Store - Roles and their permissions in this category grant access to features and resources in a store. System roles in this category are limited to the store context.
System roles
System roles are pre-defined and can't be edited. The following table describes the different system roles that you can assign to your users.
Role name | Permissions | Limitations |
---|---|---|
Organization administrator | | |
Store user administrator | | |
Exceptions
Review the following exceptions about your existing user management permissions:
- Users with organization-level user management permissions: These users are automatically assigned an Organization administrator role. This role grants users view, create, edit, and delete permissions on all resources across all stores in your organization, with the exception of transferring organization ownership. These users can fully manage users and user permissions without any disruption.
- Users with store-level management permissions, including Store owners: These users can still remove or suspend user access, but they can't modify user access or invite new users. In order for these users to continue modifying users or inviting new users, you can assign them either an Organization administrator or a Store user administrator role. The Store user administrator is only available after all the users in your organization have been migrated.
Migrating users to the roles-based access control model
If the pre-defined roles don't meet your requirements, then you can create a role with the permissions you require for your users.
You can create user groups. In the Organization section, click Users > Groups. After you create a group, you can assign a user group to a user.
After the user is assigned a role, the permissions in the role replace the previous permissions and migrate the user to roles.
If you haven't migrated all of your users to roles before September 30, 2024, then your permissions are automatically converted to roles and assigned to a user or a user group. This conversion doesn't change your users' access, but it does add a list of per-user or per-store roles to your roles index that you might want to customize.
Migrating from legacy roles
If you were using legacy roles as part of your Shopify Plus plan, then your legacy roles are converted to groups with the same name.
To migrate to roles-based access, you can complete any of the following actions:
- create new roles and assign new roles to users
- create a new user group and assign a user group to a user
- create new roles, and then assign the group from your legacy roles to the new role
Users with permissions assigned
If your users had permissions assigned without a role, then you can assign a role to your users.
You can also create a user group and assign a user group to a user.
User management with roles-based access control model
You can create roles with the permissions that your users need for their jobs, and then assign the new roles to your users.
Create a role
You can create a role with permissions that you need.
Steps:
- From your Shopify admin, click Settings.
- In the Organization section, click Users > Roles.
- Click Add role.
- In the Name section, enter a name for the role.
- In the Description section, enter a description for the role.
- In the Permissions section, select the role category, and then select the permissions.
- Optional: Depending on the role category, you can also select Apps access. In the App access section, select any apps the role can access.
- Click Save.
Assign a role to a user
You can assign roles to a user.
Steps:
- From your Shopify admin, click Settings.
- In the Organization section, click Users.
- In the Users list, select the appropriate staff.
- In the Roles section, click Assign.
- Select the appropriate role.
- Next to the role that you added, click … > Edit store access, and then select the stores that you want the user to access.
- Click Save.
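The following sketch models how the assignments described on this page combine, so that you can review what a user can actually do in each store after roles are assigned directly and through user groups. It is an added example, not Shopify code or a Shopify API: the permission names, store names, the user `dana`, and the rule that organization roles apply in every store while store roles apply only to the stores selected for that role are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    category: str                 # "organization" or "store", the page's two role categories
    permissions: frozenset        # permission names below are constructed, not Shopify's

@dataclass
class Assignment:
    role: Role
    stores: frozenset = frozenset()   # store access chosen for this role (ignored for organization roles)

@dataclass
class Principal:                  # a user, or a user group that users belong to
    name: str
    assignments: list = field(default_factory=list)
    groups: list = field(default_factory=list)

def effective_permissions(user, store):
    """Cumulative permissions in one store from roles held directly or through groups."""
    granted = set()
    for holder in (user, *user.groups):
        for a in holder.assignments:
            # Assumption: organization roles apply in every store; store roles only where granted.
            if a.role.category == "organization" or store in a.stores:
                granted |= a.role.permissions
    return granted

def excess_permissions(user, store, job_needs):
    """Permissions the user holds in this store that the job description does not call for."""
    return effective_permissions(user, store) - set(job_needs)

# Constructed sample data
SUPPORT = Role("Support agent", "store", frozenset({"orders.view", "customers.view"}))
REFUNDS = Role("Refund approver", "store", frozenset({"orders.view", "orders.refund"}))
USER_ADMIN = Role("User manager", "organization", frozenset({"users.manage"}))

na_support = Principal("North American Customer Support",
                       [Assignment(SUPPORT, frozenset({"store-us", "store-ca"}))])
dana = Principal("dana", [Assignment(REFUNDS, frozenset({"store-us"}))], [na_support])

if __name__ == "__main__":
    for store in ("store-us", "store-ca"):
        print(store, sorted(effective_permissions(dana, store)))
    print("excess:", sorted(excess_permissions(dana, "store-us", SUPPORT.permissions)))
```

Running the same comparison for every user and store after a migration shows where a directly assigned role adds permissions beyond what the user's group already grants.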