Version: 3.x

Permissions

User permissions

The user permissions are divided into data and channel permissions. Data permissions allow access to certain data types, such as orders and products. Channel permissions allow access to that data with restrictions to specific channels.

For example, a user with MANAGE_ORDERS and channel_USD permissions can only access orders from the channel_USD channel.

The channel restriction affects the access to data restricted by the following permissions:

  • MANAGE_ORDERS

Instead of assigning permissions directly to the user, we define them on a group basis. Organizing access rights in Groups helps in determining the roles of team members.

Examples of groups:

  • Translators - MANAGE_TRANSLATIONS permission.
  • Customer support - MANAGE_ORDERS and MANAGE_USERS permissions.
  • Customer support for USD channel - MANAGE_ORDERS and MANAGE_USERS permissions, channel_USD channel.
info

When a user is a member of multiple groups, their permissions are summed up. This means that if the user is in at least one group that has not restricted channel access, they will have access to data from all channels.
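The rules above (permissions are summed across groups, channel restrictions only narrow MANAGE_ORDERS, and one unrestricted group opens all channels) as an added, self-contained Python example; it is not Saleor's own code, and the Group class and channel slugs are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Group:
    """Constructed model of a permission group, mirroring the fields shown on this page."""
    name: str
    permissions: frozenset
    restricted_access_to_channels: bool
    accessible_channels: frozenset = field(default_factory=frozenset)

# Per the page, channel restriction only affects data guarded by these permissions.
CHANNEL_RESTRICTED_PERMISSIONS = frozenset({"MANAGE_ORDERS"})

def effective_access(groups):
    """Union the user's groups: permissions are summed; channel scope is the union of
    accessible channels, or None (= every channel) if any group is unrestricted."""
    permissions, channels, unrestricted = set(), set(), False
    for g in groups:
        permissions |= g.permissions
        if g.restricted_access_to_channels:
            channels |= g.accessible_channels
        else:
            unrestricted = True  # page rule: one unrestricted group grants all channels
    return frozenset(permissions), (None if unrestricted else frozenset(channels))

def can_access(groups, permission, channel_slug):
    """Can a member of these groups use `permission` on data from `channel_slug`?"""
    permissions, channels = effective_access(groups)
    if permission not in permissions:
        return False
    if permission not in CHANNEL_RESTRICTED_PERMISSIONS or channels is None:
        return True
    return channel_slug in channels

# Constructed groups modelled on the page's examples.
TRANSLATORS = Group("Translators", frozenset({"MANAGE_TRANSLATIONS"}), False)
SUPPORT_USD = Group("Customer support for USD channel",
                    frozenset({"MANAGE_ORDERS", "MANAGE_USERS"}), True,
                    frozenset({"channel-usd"}))
```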

Creating and removing groups

To create a new group, use the permissionGroupCreate mutation.

Creating the group without channel restriction

Request:

mutation {
permissionGroupCreate(
input: {
addPermissions: [MANAGE_GIFT_CARD, MANAGE_DISCOUNTS]
addUsers: []
name: "Sale managers"
restrictedAccessToChannels: false
addChannels: []
}
) {
errors {
message
}
group {
id
name
permissions {
name
}
restrictedAccessToChannels
accessibleChannels {
slug
}
}
}
}

A successful response:

{
"data": {
"permissionGroupCreate": {
"errors": [],
"group": {
"id": "R3JvdXA6NDM=",
"name": "Sale managers",
"permissions": [
{
"name": "Manage sales and vouchers."
},
{
"name": "Manage gift cards."
}
],
"restrictedAccessToChannels": false,
"accessibleChannels": [
{
"slug": "channel-pln"
},
{
"slug": "default-channel"
}
]
}
}
}
}

Creating a group with channel restrictions

Request:

mutation {
permissionGroupCreate(
input: {
addPermissions: [MANAGE_ORDERS]
addUsers: []
name: "Order managers for channel USD"
restrictedAccessToChannels: true
addChannels: ["Q2hhbm5lbDoy"]
}
) {
errors {
message
}
group {
id
name
permissions {
name
}
restrictedAccessToChannels
accessibleChannels {
slug
}
}
}
}

A successful response:

{
"data": {
"permissionGroupCreate": {
"errors": [],
"group": {
"id": "R3JvdXA6MjY=",
"name": "Order managers for USD channel",
"permissions": [
{
"name": "Manage orders."
}
],
"restrictedAccessToChannels": true,
"accessibleChannels": [
{
"slug": "channel-pln"
}
]
}
}
}
}

As we can see, the accessibleChannels field differs from the previous example. The users from this group will have access only to data from the channel-pln channel.

info

When the restrictedAccessToChannels flag is set to false, the channels provided in addChannels field will be ignored.

Removing a group

To remove a group, use the permissionGroupDelete mutation:

mutation {
permissionGroupDelete(
id: "R3JvdXA6NDM="
) {
errors {
message
}
}
}

Modifying a group

Managing the group members

The permissionGroupUpdate mutation takes a list of user IDs you would like to add or remove from the group. Having the same user in both lists will result in an error.

Example request:

mutation {
permissionGroupUpdate(
id: "R3JvdXA6NDM="
input: {
name: "Sale managers"
addPermissions: []
removePermissions: []
addUsers: ["VXNlcjozMg=="]
removeUsers: []
}
) {
errors {
message
}
}
}

Managing the group channels

The permissionGroupUpdate mutation takes a list of channel IDs you would like to add or remove from the group. Having the same channels in both lists will result in an error.

Example request:

mutation {
permissionGroupUpdate(
id: "R3JvdXA6MjY="
input: {
addPermissions: []
removePermissions: []
addChannels: ["Q2hhbm5lbDox"]
removeChannels: ["Q2hhbm5lbDoy"]
}
) {
errors {
message
}
}
}
info

When the restrictedAccessToChannels flag is changed from true to false, all currently assigned channels will be cleared.

When the restrictedAccessToChannels flag is set to false, the channels provided in addChannels and removeChannels fields will be ignored.

App permissions

App permissions are defined on a per-app basis. Access can be assigned during the app installation and modified later using the appUpdate mutation. Apps have no channel restrictions, so an app with the proper permission can see data from all channels.

JWT token and permissions

JWT tokens carry a list of assigned permissions. The token is signed with the RS256 algorithm; decoding its payload gives:

{
"iat": 1624013260,
"iss": "example.com",
"token": "AixxXXXxzF",
"email": "john@example.com",
"type": "access",
"user_id": "VXNlcjozMg==",
"is_staff": true,
"exp": 1624049260,
"oauth_access_key": "",
"permissions": [
"MANAGE_TRANSLATIONS",
"MANAGE_PRODUCTS",
"MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"
]
}

To check the token online and learn more about JWT visit https://jwt.io.

note

Since Saleor reads permissions from the JWT token, generating a new token is necessary when the user changes permissions.
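Because authorization decisions are taken from the permissions claim, a consumer must check the signature, algorithm and expiry before trusting it. The following is an added example, not Saleor's code: it uses a stdlib HMAC (HS256) signer and verifier in place of Saleor's RS256 so it runs without extra libraries; the key and timestamps are constructed, and the payload is the one shown on this page.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(payload: dict, key: bytes) -> str:
    """Constructed HS256 signer for the demo (Saleor itself signs with RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, key: bytes, now: int):
    """Return the payload only if algorithm, signature, token type and expiry all check out."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # reject unexpected algorithms rather than honouring the header
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature does not match: claims cannot be trusted
        payload = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("type") != "access" or payload.get("exp", 0) <= now:
        return None
    return payload

def has_permissions(payload: dict, required) -> bool:
    """Permissions come only from the token, so a stale token keeps stale permissions."""
    return set(required) <= set(payload.get("permissions", []))

# Payload as shown on this page; the signing key is constructed for the demo.
SAMPLE_PAYLOAD = {
    "iat": 1624013260, "iss": "example.com", "token": "AixxXXXxzF",
    "email": "john@example.com", "type": "access", "user_id": "VXNlcjozMg==",
    "is_staff": True, "exp": 1624049260, "oauth_access_key": "",
    "permissions": ["MANAGE_TRANSLATIONS", "MANAGE_PRODUCTS",
                    "MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"],
}
DEMO_KEY = b"constructed-demo-key"
```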

Available permissions

Available permissions are kept in the PermissionEnum.

Name                                    Description
HANDLE_PAYMENTS                         Handle payments
HANDLE_CHECKOUTS                        Handle checkouts
MANAGE_APPS                             Manage apps
MANAGE_CHECKOUTS                        Manage checkout
MANAGE_DISCOUNTS                        Manage discounts
MANAGE_GIFT_CARD                        Manage gift cards
MANAGE_MENUS                            Manage the structure of menus
MANAGE_ORDERS                           Access to orders data
MANAGE_ORDERS_IMPORT                    Manage order imports
MANAGE_PAGES                            Manage pages
MANAGE_PLUGINS                          Manage plugins
MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES     Manage product types and attributes
MANAGE_PRODUCTS                         Manage products
MANAGE_SETTINGS                         Manage shop settings
MANAGE_SHIPPING                         Manage shipping
MANAGE_STAFF                            Access to staff users data
MANAGE_TRANSLATIONS                     Manage translations
MANAGE_USERS                            Access to customers data
