shopify-enterprise-rbac
'Implement Shopify Plus access control patterns with staff permissions,
Allowed Tools
Provided by Plugin
shopify-pack
Claude Code skill pack for Shopify (30 skills)
Installation
This skill is included in the shopify-pack plugin:
/plugin install shopify-pack@claude-code-plugins-plusClick to copy
Instructions
Shopify Enterprise RBAC
Overview
Implement role-based access control for Shopify Plus apps using Shopify's staff member permissions, multi-location features, and Organization-level access.
Prerequisites
- Shopify Plus store (for Organization features)
- Understanding of Shopify's staff permission model
read_usersscope for querying staff permissions
Instructions
Step 1: Query Staff Permissions and Map to App Roles
Query staff members via GraphQL to get their access scopes, then map those scopes to app-level roles (admin, manager, fulfillment, viewer). Staff permissions mirror app scopes like readproducts, writeorders, etc.
See Staff Query and Role Mapping for the complete GraphQL query, role definitions, and matching logic.
Step 2: Permission Middleware and Multi-Location Access
In embedded apps, use online access tokens to get per-staff permissions from session.onlineAccessInfo. For Shopify Plus stores with multiple locations, restrict fulfillment and inventory operations to authorized locations per user.
See Permission Middleware and Location Access for Remix loader examples and location access control.
Step 3: Organization API and Audit Trail
Shopify Plus Organization API enables multi-store management with organization-level, store-level admin, and store-level staff roles. Log all access decisions (allowed and denied) for compliance auditing.
See Organization API and Audit Trail for the Organization query and audit implementation.
Output
- Staff permissions queried and mapped to app roles
- Permission middleware protecting embedded app routes
- Multi-location access control for Shopify Plus
- Audit trail for all access decisions
Error Handling
| Issue | Cause | Solution |
|---|---|---|
No onlineAccessInfo |
Using offline token | Use online access tokens for per-user permissions |
| Staff can't access feature | Merchant restricted their permissions | Staff must request access from store owner |
| Organization API 403 | Not on Shopify Plus | Organization features require Plus plan |
| Location not found | Location deactivated | Query active locations before operations |
Examples
Quick Permission Check in Remix
// Remix action with permission guard
export async function action({ request }: ActionFunctionArgs) {
const { admin, session } = await authenticate.admin(request);
const role = determineRole(
session.onlineAccessInfo?.associated_user_scope?.split(",") || []
);
if (!canPerformAction(role, "manage_products")) {
return json({ error: "Insufficient permissions" }, { status: 403 });
}
// ... perform the action
}