88% of data breaches involve stolen credentials, according to Verizon's 2025 DBIR. The source is rarely a sophisticated attack; it's usually an account nobody remembered to remove. A former contractor still holding product editing rights. An admin who needed billing access for one project three years ago.
A quarterly Shopify user permissions audit closes those gaps before they become incidents. Here's how to run one, read the findings, and build a policy your team will actually follow.
How Shopify structures user roles
Shopify offers a range of predefined user roles with varying levels of access and permissions. This feature allows store owners and managers to assign different roles to employees with set limits.
There are three major role categories as detailed in Shopify’s official guide on Role Categories.
| Role category | Description | Permissions |
|---|---|---|
| Organization role | Roles and permissions that grant access to organization-wide features across all stores in the organization. Staff accounts must be created for each store before they can be accessed. | View organization settings; manage stores within the organization; create and manage staff accounts; view and manage billing; configure Shopify Plus features |
| Store role | Roles and permissions within the specific store, applied at the store admin level. If the store is part of an organization, store permissions can be applied across multiple stores within that organization. | Manage store settings; modify store-level settings; view customer data; access product and order management; install and manage apps; edit themes and content |
| Point of Sale (POS) | Roles and permissions for Point of Sale (POS) locations. These roles have access limited to POS locations and relevant features. | Access POS system features; manage POS settings; view and manage POS transactions; modify inventory at the POS location; set up POS hardware |
Shopify also lets you create custom roles and add external collaborators with limited access to the team.
That's three layers of access, each with its own failure points, and each of which grows harder to track as your team scales. Here's how to audit all of them.

How to manage user permissions in Shopify
User permissions are set in the Shopify admin under Settings > Users & Permissions. The mechanics are simple; the complexity comes from overlapping or conflicting permissions between users, whose effects show up in the storefront and the customer experience.
Shopify user permissions audit
1. Gather user data
Start by pulling all active users, their roles, and their last login dates into one place. There is no native export button to download a CSV of all user roles, emails, permissions, and last login data, so you will have to assemble it yourself. The last login date is often the first signal of a dormant account, which is both a security gap and a potential GDPR compliance issue.
Head to Settings > Users and Permissions to view the users and their roles.
You can either record the data by hand and use our template to analyze it, or build a custom solution to pull the data programmatically.

Shopify user permissions reporting template
Before you start the audit, you need a central reference point for all users. The template below provides an overview of all users, their roles, email addresses, and permissions. You will need this, or a similar document, for the procedure to be efficient.
It also includes a handy audit checklist you can tick off as you go.
Download our Shopify user permission audit template
2. Review user roles and permissions
With the spreadsheet in front of you, first review the roles and permissions for each of these three layers:
Staff: Check that each account has only the access it needs. Confirm that all former staff have been fully revoked.
For example, does your marketing manager have billing access? Does a former contractor still have product editing rights? Flag these mismatches for review.
Admins: Ensure they have access to critical store settings like products, billing, and orders. Check if:
- Each admin has a legitimate business reason for full access
- No admin accounts use personal email addresses
- All admins have 2FA enabled
Limited Staff: Ensure they are restricted to relevant features, such as managing orders, inventory, or specific apps. Staff with product, theme, and customer data access should always be monitored.
If a limited staff member needs broader access, consider whether their role has changed.
3. Review and remove stale collaborators
This is where the last login information becomes very useful. For this step, start by targeting inactive collaborators (those who haven't logged in for a set period, such as 90 days).
For each inactive collaborator, do one of the following:
- If a collaborator hasn't logged in for 90 days and has no active project tied to your store, revoke access fully. If you're unsure, downgrade to read-only and give the store owner 5 business days to confirm. If there is no response, remove them.
- Create a plan to eliminate or merge roles to keep them to a minimum.
The team behind your store's development should have a clear policy for handling data and user permissions after the final handover.
4. Confirm owner and billing access
Confirm who owns billing access and ensure that account is locked down. By default, Shopify grants billing access to the store owner, but ownership is often transferred during team changes and never revisited.
5. Enforce 2FA (Two-Factor Authentication) for roles
Every role should have 2FA enabled. Even though the store owner and admin are the first who need it, a data breach could come from anywhere.
Note: By default, all collaborators now have to go through 2FA. A code is needed each time a collaborator requests access to your store. You generate and edit the code in the Shopify admin, then share it with the collaborator.
6. Review user permissions across multiple stores (if applicable)
If you manage multiple Shopify stores within a single Shopify Organization, ensure user permissions are consistent and appropriately configured across all stores. This means repeating the same procedure as above for all separate stores.
Tip: In the spreadsheet template, duplicate the first sheet and assign one to each store.
7. Score your findings using an AI prompt
Now that you've gathered all user data, use this AI prompt to automatically score each user's risk level.
I have a CSV file containing audit data for Shopify user permissions, and I need you to help me score the risk level for each user based on the following criteria:
Role Risk:
- Admin: +15 points
- Staff with Sensitive Access (orders, customer data, etc.): +10 points
- Collaborator: +5 points
- POS User: +2 points
Inactivity Risk:
- Last login > 90 days: +20 points
- No last login recorded: +10 points
2FA Risk:
- No 2FA enabled: +20 points
- 2FA partially enforced (admins only): +10 points
External Access Risk:
- External email (non-company domain): +10 points
Here is the data from the CSV file:
[PASTE THE CSV CONTENT HERE]
Please score each user based on the above criteria and provide the following for each user:
- User Name
- Total Risk Score
- Risk Level: Low Risk (0-40 points), Medium Risk (41-70 points), or High Risk (71+ points)
- Suggested Actions: Recommendations based on the risk level (e.g., enforce 2FA, remove inactive users, revoke external access)
Please provide the results in a table format with the calculated scores and suggested actions.
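If you would rather score deterministically than rely on a prompt, the following script applies the same four criteria and risk bands to a CSV in the template's shape, and also applies the 90-day inactivity threshold from step 3. It is an added example, not code from the original article; the column names, the company domain and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export (not real store data); an empty last_login means never logged in.
SAMPLE_CSV = """name,email,role,sensitive_access,last_login,two_factor
Alice,alice@example-store.com,admin,yes,2025-09-01,enabled
Bob,bob@gmail.com,collaborator,no,2025-03-15,none
Carol,carol@example-store.com,staff,yes,,partial
Dan,dan@example-store.com,pos,no,2025-09-20,enabled
"""
COMPANY_DOMAIN = "example-store.com"   # assumption: your corporate mail domain
AUDIT_DATE = date(2025, 10, 1)         # constructed date the audit is run
ROLE_POINTS = {"admin": 15, "collaborator": 5, "pos": 2}  # staff handled below
TWO_FACTOR_POINTS = {"none": 20, "partial": 10}           # "enabled" scores 0


def score_user(row, today=AUDIT_DATE):
    """Apply the article's four criteria to one CSV row and return the total."""
    role = row["role"].lower()
    if role == "staff":  # only staff with sensitive access (orders, customer data) score
        score = 10 if row["sensitive_access"].lower() == "yes" else 0
    else:
        score = ROLE_POINTS.get(role, 0)
    if not row["last_login"]:  # no login recorded at all
        score += 10
    elif (today - datetime.strptime(row["last_login"], "%Y-%m-%d").date()).days > 90:
        score += 20  # stale account: the step 3 inactivity threshold
    score += TWO_FACTOR_POINTS.get(row["two_factor"].lower(), 0)
    if not row["email"].lower().endswith("@" + COMPANY_DOMAIN):
        score += 10  # external (non-company) address
    return score


def risk_level(score):
    """Map a score to the article's bands: 0-40 Low, 41-70 Medium, 71+ High."""
    return "Low" if score <= 40 else "Medium" if score <= 70 else "High"


def score_csv(text, today=AUDIT_DATE):
    """Return (name, score, level) for every row of a CSV export."""
    results = []
    for row in csv.DictReader(io.StringIO(text)):
        score = score_user(row, today)
        results.append((row["name"], score, risk_level(score)))
    return results


if __name__ == "__main__":
    for name, score, level in score_csv(SAMPLE_CSV):
        print(f"{name:<8}{score:>4}  {level}")
```

Note that the criteria are mutually exclusive within each group, so the highest attainable score is 65 (admin, inactive, no 2FA, external email); the High band is only reached if you add criteria of your own.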
8. Create and share the audit report
The goal of this final step is to document the findings, share the report, and give a basis for further decisions. The findings should include:
- Total number of users and their roles.
- Permissions granted (e.g., admin, staff, collaborator).
- Inactive users or accounts that require review.
- Security improvements, such as enforcing 2FA.
Share the completed report with the store owner, IT lead, or dedicated security officer within 48 hours of completing the audit, and repeat the process every 90 days.
Shopify user permission policy
Your audit findings become actionable when you have a permission policy in place. Growing enterprises need one, as user counts often change with every new onboarding and offboarding.
The following is the Shopify user permission policy you can customize and share with your team. Remember, this is a living document that is continuously updated in line with Shopify security updates, your system upgrades, business process updates, and staff.
The document should be owned by HR and IT, unless your company has a dedicated security officer who can coordinate between the two.
Download the Shopify user permission policy here
Final thoughts on user permission and security
You've completed your first user permissions audit. Now schedule the next one in 90 days.
If your audit flagged more than 5 high-risk users, you're managing permissions across multiple stores, or you need help enforcing 2FA organization-wide, book a technical review. We'll help you build a scalable permissions policy and show you how to automate future audits using Shopify's API.