
Permissions

User permissions

User permissions are divided into data permissions and channel permissions. Data permissions grant access to certain data types, such as orders and products. Channel permissions restrict that access to specific channels.

For example, a user with MANAGE_ORDERS and channel_USD permissions can only access orders from the channel_USD channel.

The channel restriction affects the access to data restricted by the following permissions:

  • MANAGE_ORDERS

Instead of assigning permissions directly to users, we define them on a group basis. Organizing access rights in groups makes it easier to express the roles of team members.

Examples of groups:

  • Translators - MANAGE_TRANSLATIONS permission.
  • Customer support - MANAGE_ORDERS and MANAGE_USERS permissions.
  • Customer support for USD channel - MANAGE_ORDERS and MANAGE_USERS permissions, channel_USD channel.

important

When a user is a member of multiple groups, their permissions are summed up. This means that if the user is in at least one group that has not restricted channel access, they will have access to data from all channels.
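The summing rule above is the one practitioners get wrong most often: a single unrestricted group lifts the channel restriction for every channel-scoped permission the user holds. This added example (not Saleor's own code) models that rule in Python; the group names and channel slugs are constructed, and MANAGE_ORDERS is the only channel-scoped permission because that is what this page lists.

```python
from dataclasses import dataclass

# Per this page, only MANAGE_ORDERS is subject to channel restrictions.
CHANNEL_SCOPED = frozenset({"MANAGE_ORDERS"})

@dataclass(frozen=True)
class Group:
    name: str
    permissions: frozenset
    restricted_access_to_channels: bool
    channels: frozenset = frozenset()  # channel slugs; ignored when unrestricted

def effective_access(groups):
    """Union of the groups' permissions plus the channel set they apply to.
    Returns (permissions, channels); channels is None when the user may
    access every channel, which happens as soon as any group is unrestricted."""
    permissions, channels, unrestricted = set(), set(), False
    for group in groups:
        permissions |= group.permissions
        if group.restricted_access_to_channels:
            channels |= group.channels
        else:
            unrestricted = True  # one unrestricted group widens access to all channels
    return frozenset(permissions), (None if unrestricted else frozenset(channels))

def can_access(groups, permission, channel=None):
    """Can a member of these groups use `permission` on data from `channel`?"""
    permissions, channels = effective_access(groups)
    if permission not in permissions:
        return False
    if permission not in CHANNEL_SCOPED or channels is None:
        return True
    return channel in channels

# Constructed groups mirroring the examples above.
SUPPORT_USD = Group("Customer support for USD channel",
                    frozenset({"MANAGE_ORDERS", "MANAGE_USERS"}), True,
                    frozenset({"channel-usd"}))
TRANSLATORS = Group("Translators", frozenset({"MANAGE_TRANSLATIONS"}), False)

if __name__ == "__main__":
    # Membership in the unrestricted Translators group lifts the USD restriction.
    print(can_access([SUPPORT_USD], "MANAGE_ORDERS", "channel-pln"))              # False
    print(can_access([SUPPORT_USD, TRANSLATORS], "MANAGE_ORDERS", "channel-pln"))  # True
```

Reviewing group membership with this rule in mind is the quickest way to spot staff who were meant to be confined to one channel but are not.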

Creating and removing groups

You can create a permission group either via the Saleor Dashboard or using the GraphQL API.

Saleor Dashboard

  1. Navigate to Configuration → Permission Groups.
  2. Click Create Permission Group.
  3. Name the group, then select permissions and channels. Once saved, you can assign group members from existing staff users.

API

To create a group programmatically, use the permissionGroupCreate mutation. It also lets you assign users while creating the group.

Creating the group without channel restriction

Request:

mutation {
  permissionGroupCreate(
    input: {
      addPermissions: [MANAGE_GIFT_CARD, MANAGE_DISCOUNTS]
      addUsers: []
      name: "Sale managers"
      restrictedAccessToChannels: false
      addChannels: []
    }
  ) {
    errors {
      message
    }
    group {
      id
      name
      permissions {
        name
      }
      restrictedAccessToChannels
      accessibleChannels {
        slug
      }
    }
  }
}

A successful response:

{
  "data": {
    "permissionGroupCreate": {
      "errors": [],
      "group": {
        "id": "R3JvdXA6NDM=",
        "name": "Sale managers",
        "permissions": [
          {
            "name": "Manage sales and vouchers."
          },
          {
            "name": "Manage gift cards."
          }
        ],
        "restrictedAccessToChannels": false,
        "accessibleChannels": [
          {
            "slug": "channel-pln"
          },
          {
            "slug": "default-channel"
          }
        ]
      }
    }
  }
}

Creating a group with channel restrictions

Request:

mutation {
  permissionGroupCreate(
    input: {
      addPermissions: [MANAGE_ORDERS]
      addUsers: []
      name: "Order managers for channel USD"
      restrictedAccessToChannels: true
      addChannels: ["Q2hhbm5lbDoy"]
    }
  ) {
    errors {
      message
    }
    group {
      id
      name
      permissions {
        name
      }
      restrictedAccessToChannels
      accessibleChannels {
        slug
      }
    }
  }
}

A successful response:

{
  "data": {
    "permissionGroupCreate": {
      "errors": [],
      "group": {
        "id": "R3JvdXA6MjY=",
        "name": "Order managers for channel USD",
        "permissions": [
          {
            "name": "Manage orders."
          }
        ],
        "restrictedAccessToChannels": true,
        "accessibleChannels": [
          {
            "slug": "channel-pln"
          }
        ]
      }
    }
  }
}

As shown, the accessibleChannels field differs from the previous example: users in this group will have access only to data from the channel-pln channel.

important

When the restrictedAccessToChannels flag is set to false, the channels provided in the addChannels field are ignored.

Removing a group

To remove a group, use the permissionGroupDelete mutation:

mutation {
  permissionGroupDelete(
    id: "R3JvdXA6NDM="
  ) {
    errors {
      message
    }
  }
}

Modifying a group

Managing the group members

The permissionGroupUpdate mutation takes a list of user IDs you would like to add to or remove from the group. Having the same user in both lists will result in an error.

Example request:

mutation {
  permissionGroupUpdate(
    id: "R3JvdXA6NDM="
    input: {
      name: "Sale managers"
      addPermissions: []
      removePermissions: []
      addUsers: ["VXNlcjozMg=="]
      removeUsers: []
    }
  ) {
    errors {
      message
    }
  }
}

Managing the group channels

The permissionGroupUpdate mutation takes a list of channel IDs you would like to add to or remove from the group. Having the same channel in both lists will result in an error.

Example request:

mutation {
  permissionGroupUpdate(
    id: "R3JvdXA6MjY="
    input: {
      addPermissions: []
      removePermissions: []
      addChannels: ["Q2hhbm5lbDox"]
      removeChannels: ["Q2hhbm5lbDoy"]
    }
  ) {
    errors {
      message
    }
  }
}

important

When the restrictedAccessToChannels flag is changed from true to false, all currently assigned channels will be cleared.

When the restrictedAccessToChannels flag is set to false, the channels provided in the addChannels and removeChannels fields are ignored.

App permissions

info

App permissions are described in the App permissions article.

JWT token and permissions

JWT tokens carry a list of the user's assigned permissions. Tokens are signed with the RS256 algorithm; decoding the payload yields:

{
  "iat": 1624013260,
  "iss": "example.com",
  "token": "AixxXXXxzF",
  "email": "john@example.com",
  "type": "access",
  "user_id": "VXNlcjozMg==",
  "is_staff": true,
  "exp": 1624049260,
  "oauth_access_key": "",
  "permissions": [
    "MANAGE_TRANSLATIONS",
    "MANAGE_PRODUCTS",
    "MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"
  ]
}

To inspect a token online and learn more about JWT, visit https://jwt.io.

note

Since Saleor reads permissions from the JWT token, a new token must be issued whenever the user's permissions change.
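Because authorization decisions are driven by the permissions claim inside the token, any consumer of these tokens should parse them defensively: reject an unexpected algorithm, reject expired or non-access tokens, and only then read the permissions. This added example (not Saleor's code) does that in plain Python; the token is constructed from the payload shown above with a placeholder signature, and signature verification against the issuer's RS256 public key is left to a JWT library as noted in the docstring.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token, now=None):
    """Return the claims of a Saleor-style access token after structural checks.
    Decoding is not verification: check the RS256 signature against the
    issuer's public key (e.g. with PyJWT) before trusting these claims."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # refuse any algorithm downgrade
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("type") != "access":
        raise ValueError("not an access token")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def has_permissions(claims, *required):
    # Permissions come from the token, so they reflect the user's groups at
    # issue time; after a permission change the user needs a new token.
    return set(required) <= set(claims.get("permissions", []))

def token_is_usable(token, now=None):
    try:
        decode_claims(token, now)
        return True
    except (ValueError, KeyError):
        return False

# Constructed sample: the payload shown on this page, an RS256 header and a
# placeholder signature (no private key here, so there is nothing to verify).
SAMPLE_PAYLOAD = {
    "iat": 1624013260, "iss": "example.com", "token": "AixxXXXxzF",
    "email": "john@example.com", "type": "access", "user_id": "VXNlcjozMg==",
    "is_staff": True, "exp": 1624049260, "oauth_access_key": "",
    "permissions": ["MANAGE_TRANSLATIONS", "MANAGE_PRODUCTS",
                    "MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"],
}
SAMPLE_TOKEN = ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}),
                         _b64url_encode(SAMPLE_PAYLOAD), "placeholder-signature"])
```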

Query.me vs Query.user

When working with permissions in Saleor, it's important to understand:

  • Query.me returns the effective permissions of the currently authenticated user, as encoded in the access token. This includes permissions granted dynamically, such as through Single Sign-On (SSO) or Role-Based Access Control (RBAC). These may not be stored on the User object in the database.
  • Query.user returns only the permissions stored for a specific user in the database. It does not include any permissions granted dynamically.

Available permissions

Available permissions are kept in the PermissionEnum.

Name and description of each permission:

  • HANDLE_PAYMENTS - Process payments, refunds, and manage payment transactions.
  • HANDLE_CHECKOUTS - Permission for apps to process some checkout operations, such as overriding prices.
  • HANDLE_TAXES - Permission for apps to delegate tax calculation to external systems.
  • IMPERSONATE_USER - Allows an external app or staff user to attach a customer to a checkout.
  • MANAGE_APPS - Install, configure, and manage third-party extensions (apps, plugins).
  • MANAGE_CHANNELS - Create, view and manage channels.
  • MANAGE_CHECKOUTS - Permission for querying checkout details.
  • MANAGE_DISCOUNTS - Create, view and manage vouchers and promotions.
  • MANAGE_GIFT_CARD - Create, activate, deactivate, manage and export gift cards.
  • MANAGE_MENUS - Create, view and manage navigation menus and their structure.
  • MANAGE_ORDERS - Create, view and manage all order data. Update order metadata.
  • MANAGE_ORDERS_IMPORT - Import orders from external sources.
  • MANAGE_PAGES - Create, view, publish, and manage content pages.
  • MANAGE_PLUGINS - View, configure and manage plugins.
  • MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES - Create and manage product types, product attributes, and their relationships.
  • MANAGE_PAGE_TYPES_AND_ATTRIBUTES - Create and manage model types, content attributes, and their relationships.
  • MANAGE_PRODUCTS - Create, view and manage products, variants, categories, collections and warehouses. Enables product export and stock updates.
  • MANAGE_SETTINGS - Configure store settings.
  • MANAGE_SHIPPING - Create, view and manage shipping zones and shipping methods.
  • MANAGE_STAFF - Create, view and manage staff accounts and permission groups.
  • MANAGE_TAXES - Create, view and manage tax configuration and tax classes.
  • MANAGE_TRANSLATIONS - Create, view and manage translations for products, categories, content, etc.
  • MANAGE_USERS - Create, view and manage customer accounts and their information.