Version: 3.x

Permissions

User permissions

Instead of assigning permissions directly to the user, we define them on a group basis. Organizing access rights in Groups helps in defining the roles of team members.

Examples of groups:

  • Translators - MANAGE_TRANSLATIONS permission.
  • Customer support - MANAGE_ORDERS and MANAGE_USERS permissions.

Creating and removing groups

To create a new group, use the permissionGroupCreate mutation.

Request:

mutation {
  permissionGroupCreate(
    input: {
      addPermissions: [MANAGE_GIFT_CARD, MANAGE_DISCOUNTS]
      addUsers: []
      name: "Sale managers"
    }
  ) {
    errors {
      message
    }
    group {
      id
      name
      permissions {
        name
      }
    }
  }
}

Successful response:

{
  "data": {
    "permissionGroupCreate": {
      "errors": [],
      "group": {
        "id": "R3JvdXA6NDM=",
        "name": "Sale managers",
        "permissions": [
          {
            "name": "Manage sales and vouchers."
          },
          {
            "name": "Manage gift cards."
          }
        ]
      }
    }
  }
}

To remove a group, use the permissionGroupDelete mutation:

mutation {
  permissionGroupDelete(
    id: "R3JvdXA6NDM="
  ) {
    errors {
      message
    }
  }
}

Modifying a group and managing its members

The permissionGroupUpdate mutation takes lists of the user IDs you want to add to or remove from the group, plus lists of permissions to add or remove. Listing the same user in both addUsers and removeUsers results in an error.

Example request:

mutation {
  permissionGroupUpdate(
    id: "R3JvdXA6NDM="
    input: {
      name: "Sale managers"
      addPermissions: []
      removePermissions: []
      addUsers: ["VXNlcjozMg=="]
      removeUsers: []
    }
  ) {
    errors {
      message
    }
  }
}

App permissions

App permissions are defined on a per-app basis. Access can be granted during app installation and modified later using the appUpdate mutation.

JWT token and permissions

JWT tokens carry the list of permissions assigned to the user. Tokens are signed with the RS256 algorithm; after verifying the signature, decoding the payload gives:

{
  "iat": 1624013260,
  "iss": "example.com",
  "token": "AixxXXXxzF",
  "email": "john@example.com",
  "type": "access",
  "user_id": "VXNlcjozMg==",
  "is_staff": true,
  "exp": 1624049260,
  "oauth_access_key": "",
  "permissions": [
    "MANAGE_TRANSLATIONS",
    "MANAGE_PRODUCTS",
    "MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"
  ]
}

To inspect a token online and learn more about JWT, visit https://jwt.io.

Note:

Since Saleor reads permissions from the JWT token, generating a new token is necessary when the user changes permissions.
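The two rules above (a user may not appear in both addUsers and removeUsers, and a token keeps the permissions it was issued with until it is re-issued) as an added illustration in plain Python; this is not Saleor's code, and the in-memory PermissionStore, token_permits and stale_claims are hypothetical helpers. It assumes the token's RS256 signature has already been verified before the payload is inspected.

```python
"""Group-based permission model and token permission check (added example,
not Saleor's own code). Permission names are taken from the page's PermissionEnum."""
import time


class PermissionGroupError(ValueError):
    """Raised for invalid group updates, e.g. a user in both add and remove lists."""


class PermissionStore:
    """Minimal in-memory model: permissions live on groups, users belong to groups."""

    def __init__(self):
        self.groups = {}      # group name -> set of permission names
        self.membership = {}  # user id -> set of group names

    def create_group(self, name, permissions):
        self.groups[name] = set(permissions)

    def update_group(self, name, add_users=(), remove_users=(),
                     add_permissions=(), remove_permissions=()):
        # Mirrors the documented rule: the same user in both lists is an error.
        overlap = set(add_users) & set(remove_users)
        if overlap:
            raise PermissionGroupError(f"users in both lists: {sorted(overlap)}")
        perms = self.groups[name]
        perms |= set(add_permissions)
        perms -= set(remove_permissions)
        for user in add_users:
            self.membership.setdefault(user, set()).add(name)
        for user in remove_users:
            self.membership.get(user, set()).discard(name)

    def effective_permissions(self, user):
        # A user's rights are the union of every group they belong to.
        return set().union(*(self.groups[g] for g in self.membership.get(user, ())))


def token_permits(payload, required, now=None):
    """Check an already signature-verified payload for one required permission.
    Rejects non-access tokens and expired tokens (exp is a Unix timestamp)."""
    now = time.time() if now is None else now
    if payload.get("type") != "access" or payload.get("exp", 0) <= now:
        return False
    return required in payload.get("permissions", [])


def stale_claims(store, payload):
    """Permissions the token still carries that the user's groups no longer grant.
    A non-empty result means the token must be re-issued, as the note above says."""
    current = store.effective_permissions(payload["user_id"])
    return set(payload.get("permissions", [])) - current
```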

Available permissions

Available permissions are kept in the PermissionEnum.

Name                                   Description
HANDLE_PAYMENTS                        Handle payments
HANDLE_CHECKOUTS                       Handle checkouts
MANAGE_APPS                            Manage apps
MANAGE_CHECKOUTS                       Manage checkout
MANAGE_DISCOUNTS                       Manage discounts
MANAGE_GIFT_CARD                       Manage gift cards
MANAGE_MENUS                           Manage the structure of menus
MANAGE_ORDERS                          Access to orders data
MANAGE_PAGES                           Manage pages
MANAGE_PLUGINS                         Manage plugins
MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES    Manage product types and attributes
MANAGE_PRODUCTS                        Manage products
MANAGE_SETTINGS                        Manage shop settings
MANAGE_SHIPPING                        Manage shipping
MANAGE_STAFF                           Access to staff users data
MANAGE_TRANSLATIONS                    Manage translations
MANAGE_USERS                           Access to customers data