3 Admin Roles You Need To Properly Secure Your Magento Store
One of the most overlooked pieces in launching a new store is securing the proper access to your Magento Admin panel. Magento Commerce provides roles and permissions to create different levels of access to the Admin.
Let’s take a look at 3 roles that should be used to restrict permissions on a “need to know” basis. You should always have 1 Administrator role with full access; ideally, it is tied to a master email account that isn’t controlled by a single employee.
In creating your customer service role, identify the key tasks and menu items your customer service agents access to help your customers and your team with orders. Minimally you should grant access to the following high-level items:
Let’s now take a deep dive into the individual elements that your Customer Service agents will need access to and what each element offers access to:
Operations - this covers all aspects of Sales, which includes Orders, Invoices, and Shipments. You also have the option to allow an order to be canceled, edited, or its payment captured. Typically, you would allow everything here unless you want to withhold a specific action, such as editing or canceling placed orders.
Shopping Cart Management - this allows your agents to view a customer’s cart and interact with it.
Inventory - under this menu you will want to select Products and Read Customer Price; this way your agent can quickly search for products for customer support.
Categories - this will allow your agent to see the structure of your catalog browsing as well as see possible private categories.
All Customers - this is crucial for agents to manage and assist customers.
Online Now - this is a quick filter to show customers who were logged in within the prior 15 minutes.
Promotions - enable Cart Price Rules so your agents can view the coupon codes that are active. If you want them to edit those rules, be sure to allow Edit Cart Price Rules as well. If you offer Gift Cards, you may want to consider allowing your agents to see this menu too.
For Catalog Management, we typically assign this role to users who are responsible for adding/editing products or categories, updating pricing, creating pricing rules and managing the search. Users who manage your catalog (sometimes called Merchandisers) should have full access to the items below at a minimum.
The Marketing role is for the users who create promotions, update content or create landing pages. Let’s explore the areas that Sales, Marketing and Content Specialists will need access to:
This will allow your team to create custom categories which can drive Landing Pages and custom left-hand navigation filters.
Segments - this is a true power of Magento for creating personalized pricing, content, and products.
You can safely enable all elements under this level. This allows for managing Dotmailer (if used), Promotions (which includes Catalog Price Rules, Related Product Rules and Cart Price Rules), Gift Card Accounts, Private Sales, Communications (includes Magento Transactional Email Templates), and SEO & Search.
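The layout above amounts to a policy: exactly one role holds full Admin access and every other role stays at its need-to-know baseline. The audit below is an added example (not code from Magento or from this article) that checks a role export against that policy; the sample rows are constructed to mirror the shape of Magento 2's authorization_role and authorization_rule tables, and the ACL resource ids are assumed to match your installation.

```python
from collections import defaultdict

# Constructed sample rows shaped like Magento 2's authorization_role table:
# (role_id, parent_id, role_type, user_id, role_name); 'G' = role, 'U' = user assignment
ROLES = [
    (1, 0, "G", 0, "Administrators"),
    (2, 0, "G", 0, "Customer Service"),
    (3, 0, "G", 0, "Catalog Management"),
    (4, 1, "U", 10, "admin"),
    (5, 2, "U", 12, "cs_agent"),
    (6, 3, "U", 13, "merchandiser"),
]
# Constructed sample rows shaped like authorization_rule: (role_id, resource_id, permission)
RULES = [
    (1, "Magento_Backend::all", "allow"),
    (2, "Magento_Sales::sales_operation", "allow"),
    (2, "Magento_Sales::cancel", "deny"),            # agents may not cancel placed orders
    (2, "Magento_Customer::manage", "allow"),
    (2, "Magento_SalesRule::quote", "allow"),        # view Cart Price Rules / coupon codes
    (2, "Magento_Catalog::products", "allow"),       # drift: product editing is not a CS task
    (3, "Magento_Catalog::catalog", "allow"),
    (3, "Magento_CatalogRule::promo_catalog", "allow"),
]
# Resources each restricted role is expected to hold (assumed ACL ids, adapt to your store).
BASELINE = {
    "Customer Service": {"Magento_Sales::sales_operation", "Magento_Customer::manage", "Magento_SalesRule::quote"},
    "Catalog Management": {"Magento_Catalog::catalog", "Magento_CatalogRule::promo_catalog"},
}

def allowed_resources(rules):
    """Map role_id -> set of explicitly allowed resources; deny rows grant nothing."""
    allowed = defaultdict(set)
    for role_id, resource, permission in rules:
        if permission == "allow":
            allowed[role_id].add(resource)
    return allowed

def audit(roles=ROLES, rules=RULES, baseline=BASELINE):
    """Return policy findings; an empty list means the roles match the guidance."""
    allowed = allowed_resources(rules)
    groups = {row[0]: row[4] for row in roles if row[2] == "G"}
    findings = []
    # Exactly one role should carry Magento_Backend::all (full Admin access).
    full_access = [rid for rid in groups if "Magento_Backend::all" in allowed[rid]]
    if len(full_access) != 1:
        findings.append(f"expected exactly one full-access role, found {len(full_access)}")
    # Every other named role must not exceed its need-to-know baseline.
    for rid, name in groups.items():
        extra = allowed[rid] - baseline[name] if name in baseline else set()
        if extra:
            findings.append(f"role '{name}' exceeds baseline: {sorted(extra)}")
    return findings
```

Run it against a real export of the two tables (and the baseline you settled on) after each role change; any finding is a permission that someone granted outside the plan.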
There is no right or wrong way to set up security and roles in Magento as long as you have thought out in advance how to organize your users. Make sure you don’t allow account sharing: Magento Commerce logs all activity in the Admin, and that audit trail is only useful if each action can be traced back to one person.