Permissions
User permissions​
The user permissions are divided into data and channel permissions.
Data permissions allow access to certain data types, such as orders and products.
Channel permissions allow access to that data with restrictions to specific channels.
For example, a user with MANAGE_ORDERS and channel_USD permissions can only access
orders from the channel_USD channel.
The channel restriction affects the access to data restricted by the following permissions:
MANAGE_ORDERS
Instead of assigning permissions directly to the user, we define them on a group basis. Organizing access rights in Groups helps in determining the roles of team members.
Examples of groups:
- Translators -
MANAGE_TRANSLATIONSpermission. - Customer support -
MANAGE_ORDERSandMANAGE_USERSpermissions. - Customer support for USD channel -
MANAGE_ORDERSandMANAGE_USERSpermissions,channel_USDchannel.
When a user is a member of multiple groups, their permissions are summed up. This means that if the user is in at least one group that has not restricted channel access, they will have access to data from all channels.
Creating and removing groups​
To create a new group, use the permissionGroupCreate mutation.
Creating the group without channel restriction​
Request:
mutation {
permissionGroupCreate(
input: {
addPermissions: [MANAGE_GIFT_CARD, MANAGE_DISCOUNTS]
addUsers: []
name: "Sale managers"
restrictedAccessToChannels: false
addChannels: []
}
) {
errors {
message
}
group {
id
name
permissions {
name
}
restrictedAccessToChannels
accessibleChannels {
slug
}
}
}
}
A successful response:
{
"data": {
"permissionGroupCreate": {
"errors": [],
"group": {
"id": "R3JvdXA6NDM=",
"name": "Sale managers",
"permissions": [
{
"name": "Manage sales and vouchers."
},
{
"name": "Manage gift cards."
}
]
"restrictedAccessToChannels": false,
"accessibleChannels": [
{
"slug": "channel-pln"
},
{
"slug": "default-channel"
}
]
}
}
}
}
Creating a group with channel restrictions​
Request:
mutation {
permissionGroupCreate(
input: {
addPermissions: [MANAGE_ORDERS]
addUsers: []
name: "Order managers for channel USD"
restrictedAccessToChannels: true
addChannels: ["Q2hhbm5lbDoy"]
}
) {
errors {
message
}
group {
id
name
permissions {
name
}
restrictedAccessToChannels
accessibleChannels {
slug
}
}
}
}
A successful response:
{
"data": {
"permissionGroupCreate": {
"errors": [],
"group": {
"id": "R3JvdXA6MjY=",
"name": "Order managers for USD channel",
"permissions": [
{
"name": "Manage orders."
}
],
"restrictedAccessToChannels": true,
"accessibleChannels": [
{
"slug": "channel-pln"
}
]
}
}
}
}
As we can see, the accessibleChannels field differs from the previous example. The users from this
group will have access only to data from the channel-pln channel.
When the restrictedAccessToChannels flag is set to false, the channels provided
in addChannels field will be ignored.
Removing a group​
To remove a group, use the permissionGroupDelete mutation:
mutation {
permissionGroupDelete(
id: "R3JvdXA6NDM="
) {
errors {
message
}
}
Modifying a group​
Managing the group members​
The permissionGroupUpdate mutation takes a list of user IDs you would like to add or remove from the group. Having the same user in both lists will result in an error.
Example request:
mutation {
permissionGroupUpdate(
id: "R3JvdXA6NDM="
input: {
name: "Sale managers"
addPermissions: []
removePermissions: []
addUsers: ["VXNlcjozMg=="]
removeUsers: []
}
) {
errors {
message
}
}
}
Managing the group channels​
The permissionGroupUpdate mutation takes a list of channel IDs you would like to add or remove from the group. Having the same channels in both lists will result in an error.
Example request:
mutation {
permissionGroupUpdate(
id: "R3JvdXA6MjY="
input: {
addPermissions: []
removePermissions: []
addChannels: ["Q2hhbm5lbDox"]
removeChannels: ["Q2hhbm5lbDoy"]
}
) {
errors {
message
}
}
}
When the restrictedAccessToChannels flag is changed from true to false, all currently assigned channels will be cleared.
When the restrictedAccessToChannels flag is set to false, the channels provided
in addChannels and removeChannels fields will be ignored.
App permissions​
App permissions are defined on a per-app basis. Access can be assigned during the app installation and modified later using the appUpdate mutation. The apps don't have channel restrictions, so all channels data can be visible by the app with the proper permission.
JWT token and permissions​
JWT tokens have a list of assigned permissions. By decoding payload using RS256 algorithm you will get:
{
"iat": 1624013260,
"iss": "example.com",
"token": "AixxXXXxzF",
"email": "john@example.com",
"type": "access",
"user_id": "VXNlcjozMg==",
"is_staff": true,
"exp": 1624049260,
"oauth_access_key": "",
"permissions": [
"MANAGE_TRANSLATIONS",
"MANAGE_PRODUCTS",
"MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES"
]
}
To check the token online and learn more about JWT visit https://jwt.io.
Since Saleor reads permissions from the JWT token, generating a new token is necessary when the user changes permissions.
Available permissions​
Available permissions are kept in the PermissionEnum.
| Name | Description |
|---|---|
| HANDLE_PAYMENTS | Handle payments |
| HANDLE_CHECKOUTS | Handle checkouts |
| MANAGE_APPS | Manage apps |
| MANAGE_CHECKOUTS | Manage checkout |
| MANAGE_DISCOUNTS | Manage discounts |
| MANAGE_GIFT_CARD | Manage gift cards |
| MANAGE_MENUS | Manage the structure of menus |
| MANAGE_ORDERS | Access to orders data |
| MANAGE_ORDERS_IMPORT | Manage order imports |
| MANAGE_PAGES | Manage pages |
| MANAGE_PLUGINS | Manage plugins |
| MANAGE_PRODUCT_TYPES_AND_ATTRIBUTES | Manage product types and attributes |
| MANAGE_PRODUCTS | Manage products |
| MANAGE_SETTINGS | Manage shop settings |
| MANAGE_SHIPPING | Manage shipping |
| MANAGE_STAFF | Access to staff users data |
| MANAGE_TRANSLATIONS | Manage translations |
| MANAGE_USERS | Access to customers data |