Skip to main content
Version: 3.0 (beta)


User permissions#

Instead of assigning permissions directly to the user, we define them on a group basis. Organizing access rights in Groups helps in defining the roles of team members.

Examples of groups:

  • Translators - MANAGE_TRANSLATIONS permission.
  • Customer support - MANAGE_ORDERS and MANAGE_USERS permissions.

Creating and removing groups#

To create a new group, use the permissionGroupCreate mutation.


mutation {  permissionGroupCreate(    input: {      addPermissions: [MANAGE_GIFT_CARD, MANAGE_DISCOUNTS]      addUsers: []      name: "Sale managers"    }  ) {    errors {      message    }    group {      id      name      permissions {        name      }    }  }}

Successful response:

{  "data": {    "permissionGroupCreate": {      "errors": [],      "group": {        "id": "R3JvdXA6NDM=",        "name": "Sale managers",        "permissions": [          {            "name": "Manage sales and vouchers.",          },          {            "name": "Manage gift cards.",          }        ]      },    }  }}

To remove a group, use the permissionGroupDelete mutation:

mutation {  permissionGroupDelete(    id: "R3JvdXA6NDM="  ) {    errors {      message    }}

Modifying a group and managing its members#

The permissionGroupUpdate mutation takes a list of user IDs you would like to add or remove from the group. Having the same user in both of the lists will result in an error.

Example request:

mutation {  permissionGroupUpdate(    id: "R3JvdXA6NDM="    input: {      name: "Sale managers"      addPermissions: []      removePermissions: []      addUsers: ["VXNlcjozMg=="]      removeUsers: []    }  ) {    errors {      message    }  }}

App permissions#

App permissions are defined per-app basis. Access can be assigned during the app installation and modified later using the appUpdate mutation.

JWT token and permissions#

JWT tokens have a list of assigned permissions. By decoding payload using HS256 algorithm you will get:

{  "iat": 1624013260,  "iss": "",  "token": "AixxXXXxzF",  "email": "",  "type": "access",  "user_id": "VXNlcjozMg==",  "is_staff": true,  "exp": 1624049260,  "oauth_access_key": "",  "permissions": [    "MANAGE_TRANSLATIONS",    "MANAGE_PRODUCTS",    "MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"  ]}

To check token online and learn more about JWT visit


Since Saleor reads permissions from the JWT token, generating a new token is necessary when the user changes permissions.

Available permissions#

Available permissions are kept in the PermissionEnum.

HANDLE_PAYMENTSHandle payments
MANAGE_APPSManage apps
MANAGE_DISCOUNTSManage discounts
MANAGE_GIFT_CARDManage gift cards
MANAGE_MENUSManage the structure of menus
MANAGE_ORDERSAccess to orders data
MANAGE_PAGESManage pages
MANAGE_PLUGINSManage plugins
MANAGE_PRODUCT_TYPES_AND_ATTRIBUTESManage product types and attributes
MANAGE_PRODUCTSManage products
MANAGE_SETTINGSManage shop settings
MANAGE_SHIPPINGManage shipping
MANAGE_STAFFAccess to staff users data
MANAGE_TRANSLATIONSManage translations
MANAGE_USERSAccess to customers data