shopify-enterprise-rbac
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
Best use case
shopify-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
Teams using shopify-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/shopify-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How shopify-enterprise-rbac Compares
| Feature / Agent | shopify-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Shopify Enterprise RBAC
## Overview
Implement role-based access control for Shopify Plus apps using Shopify's staff member permissions, multi-location features, and Organization-level access.
## Prerequisites
- Shopify Plus store (for Organization features)
- Understanding of Shopify's staff permission model
- `read_users` scope for querying staff permissions
## Instructions
### Step 1: Query Staff Member Permissions
```typescript
// Query staff members and their permissions via GraphQL
const STAFF_QUERY = `{
staffMembers(first: 50) {
edges {
node {
id
email
firstName
lastName
isShopOwner
active
locale
permissions: accessScopes {
handle
description
}
}
}
}
}`;
// Staff permissions match app access scopes:
// "read_products", "write_products", "read_orders", etc.
// A staff member can only use app features matching their store permissions
```
### Step 2: App-Level Role Mapping
Map Shopify staff permissions to your app's roles:
```typescript
type AppRole = "admin" | "manager" | "viewer" | "fulfillment";
interface RoleMapping {
role: AppRole;
requiredScopes: string[];
allowedActions: string[];
}
const ROLE_MAPPINGS: RoleMapping[] = [
{
role: "admin",
requiredScopes: ["write_products", "write_orders", "write_customers"],
allowedActions: ["*"],
},
{
role: "manager",
requiredScopes: ["write_products", "read_orders"],
allowedActions: ["manage_products", "view_orders", "view_analytics"],
},
{
role: "fulfillment",
requiredScopes: ["read_orders", "write_fulfillments"],
allowedActions: ["view_orders", "create_fulfillment", "update_tracking"],
},
{
role: "viewer",
requiredScopes: ["read_products"],
allowedActions: ["view_products", "view_analytics"],
},
];
function determineRole(staffScopes: string[]): AppRole {
// Find the highest-privilege role the staff member qualifies for
for (const mapping of ROLE_MAPPINGS) {
if (mapping.requiredScopes.every((s) => staffScopes.includes(s))) {
return mapping.role;
}
}
return "viewer"; // fallback
}
function canPerformAction(role: AppRole, action: string): boolean {
const mapping = ROLE_MAPPINGS.find((m) => m.role === role);
if (!mapping) return false;
return mapping.allowedActions.includes("*") || mapping.allowedActions.includes(action);
}
```
### Step 3: Embedded App Permission Middleware
```typescript
// In an embedded Shopify app, the session token contains the staff member info
import { authenticate } from "../shopify.server";
// Remix loader with permission check
export async function loader({ request }: LoaderFunctionArgs) {
const { admin, session } = await authenticate.admin(request);
// session.onlineAccessInfo contains staff permissions for online tokens
const staffInfo = session.onlineAccessInfo;
if (!staffInfo) {
// Offline token — no per-user permissions available
return json({ role: "admin" });
}
const scopes = staffInfo.associated_user_scope.split(",");
const role = determineRole(scopes);
// Check permission for this specific page
if (!canPerformAction(role, "view_orders")) {
throw new Response("Forbidden", { status: 403 });
}
return json({ role, user: staffInfo.associated_user });
}
```
### Step 4: Multi-Location Access Control
```typescript
// Shopify Plus stores can have multiple locations
// Control which locations a staff member can access
const LOCATIONS_QUERY = `{
locations(first: 50) {
edges {
node {
id
name
isActive
address {
city
province
country
}
fulfillmentService {
serviceName
}
}
}
}
}`;
// Restrict operations to authorized locations
interface LocationPermission {
locationId: string;
canFulfill: boolean;
canAdjustInventory: boolean;
canViewOrders: boolean;
}
async function checkLocationAccess(
userId: string,
locationId: string,
action: "fulfill" | "adjust_inventory" | "view_orders"
): Promise<boolean> {
const permissions = await db.locationPermissions.findFirst({
where: { userId, locationId },
});
if (!permissions) return false;
switch (action) {
case "fulfill": return permissions.canFulfill;
case "adjust_inventory": return permissions.canAdjustInventory;
case "view_orders": return permissions.canViewOrders;
default: return false;
}
}
```
### Step 5: Shopify Plus Organization API
```typescript
// Shopify Plus Organization features (multi-store management)
// Access via the Organization API
const ORG_STORES_QUERY = `{
organizationStores(first: 50) {
edges {
node {
id
name
shopDomain
plan {
displayName
}
staff(first: 10) {
edges {
node {
email
role
}
}
}
}
}
}
}`;
// Organization-level roles:
// - Organization admin: full access to all stores
// - Store-level admin: full access to assigned stores
// - Store-level staff: permission-based access
```
### Step 6: Audit Trail for Access
```typescript
interface AccessAuditEntry {
timestamp: Date;
userId: string;
userEmail: string;
role: AppRole;
action: string;
resource: string;
shopDomain: string;
locationId?: string;
allowed: boolean;
ipAddress?: string;
}
async function auditAccess(entry: AccessAuditEntry): Promise<void> {
await db.accessAudit.create({ data: entry });
// Alert on denied access attempts
if (!entry.allowed) {
console.warn(
`[ACCESS DENIED] ${entry.userEmail} attempted ${entry.action} ` +
`on ${entry.resource} in ${entry.shopDomain}`
);
}
}
```
## Output
- Staff permissions queried and mapped to app roles
- Permission middleware protecting embedded app routes
- Multi-location access control for Shopify Plus
- Audit trail for all access decisions
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| No `onlineAccessInfo` | Using offline token | Use online access tokens for per-user permissions |
| Staff can't access feature | Merchant restricted their permissions | Staff must request access from store owner |
| Organization API 403 | Not on Shopify Plus | Organization features require Plus plan |
| Location not found | Location deactivated | Query active locations before operations |
## Examples
### Quick Permission Check in Remix
```typescript
// Remix action with permission guard
export async function action({ request }: ActionFunctionArgs) {
const { admin, session } = await authenticate.admin(request);
const role = determineRole(
session.onlineAccessInfo?.associated_user_scope?.split(",") || []
);
if (!canPerformAction(role, "manage_products")) {
return json({ error: "Insufficient permissions" }, { status: 403 });
}
// ... perform the action
}
```
## Resources
- [Shopify Staff Permissions](https://help.shopify.com/en/manual/your-account/staff-accounts/staff-permissions)
- [Online vs Offline Tokens](https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens)
- [Shopify Plus Organization](https://help.shopify.com/en/manual/shopify-plus/organization)
- [Multi-Location Inventory](https://shopify.dev/docs/apps/build/orders-fulfillment/inventory-management-apps)
## Next Steps
For major migrations, see `shopify-migration-deep-dive`.Related Skills
windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
webflow-enterprise-rbac
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
vercel-enterprise-rbac
Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
veeva-enterprise-rbac
Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".
vastai-enterprise-rbac
Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".
twinmind-enterprise-rbac
Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".
supabase-enterprise-rbac
Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".
speak-enterprise-rbac
Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".
snowflake-enterprise-rbac
Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".
windsurf-enterprise-sso
Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".
shopify-upgrade-migration
Upgrade Shopify API versions and migrate from REST to GraphQL with breaking change detection. Use when upgrading API versions, migrating from deprecated REST endpoints, or handling Shopify's quarterly API release cycle. Trigger with phrases like "upgrade shopify", "shopify API version", "shopify breaking changes", "migrate REST to GraphQL", "shopify deprecation".
shopify-security-basics
Apply Shopify security best practices for API credentials, webhook HMAC validation, and access scope management. Use when securing API keys, validating webhook signatures, or auditing Shopify security configuration. Trigger with phrases like "shopify security", "shopify secrets", "secure shopify", "shopify HMAC", "shopify webhook verify".