Magento 2 User Roles and Permissions

🔐 Magento 2 User Roles & Permissions

Magento 2 provides a flexible user roles and permissions system that lets you assign specific access rights to different admin users. This is super useful for teams—developers, content editors, marketers, and support staff can all have tailored access without interfering with each other’s work.

👤 Why Use User Roles?

Instead of giving everyone full access to your admin panel (which is risky!), you can:

  • Restrict who can change products or prices
  • Limit access to customer data (for privacy)
  • Let support staff only view orders
  • Allow developers access to system tools only

⚙️ How to Create a User Role in Magento 2

  1. Log in to the Admin Panel.
  2. Go to System > Permissions > User Roles.
  3. Click Add New Role.
  4. Under Role Info, enter a name like “Product Manager”.
  5. Under Role Resources, choose the exact resources this role can access (e.g., Catalog, Sales).
  6. Click Save Role.

👥 Assigning the Role to an Admin User

  1. Go to System > Permissions > All Users.
  2. Edit a user or click Add New User.
  3. In the User Role tab, assign the role you just created.
  4. Save the user.

🔧 Example: Creating a Custom Role Programmatically

Here’s how you can create a user role from a Magento 2 data patch, so the role is installed together with your module instead of being clicked together in the admin:

<?php
/* File: app/code/Vendor/Module/Setup/Patch/Data/CreateUserRole.php */

namespace Vendor\Module\Setup\Patch\Data;

use Magento\Authorization\Model\Acl\Role\Group as RoleGroup;
use Magento\Authorization\Model\RoleFactory;
use Magento\Authorization\Model\RulesFactory;
use Magento\Authorization\Model\UserContextInterface;
use Magento\Framework\Setup\Patch\DataPatchInterface;

class CreateUserRole implements DataPatchInterface
{
    protected $roleFactory;
    protected $rulesFactory;

    public function __construct(
        RoleFactory $roleFactory,
        RulesFactory $rulesFactory
    ) {
        $this->roleFactory = $roleFactory;
        $this->rulesFactory = $rulesFactory;
    }

    public function apply()
    {
        // Create the role record (authorization_role). Parent id 0 makes it a top-level role.
        $role = $this->roleFactory->create();
        $role->setName('Custom Role')
             ->setPid(0)
             ->setRoleType(RoleGroup::ROLE_TYPE) // 'G' = role group, as opposed to 'U' = user
             ->setUserType(UserContextInterface::USER_TYPE_ADMIN) // role for admin users
             ->save();

        // Attach the allowed ACL resources (authorization_rule).
        // Magento_Backend::all grants every resource in the admin; a least-privilege role
        // lists specific resource ids instead, e.g. ['Magento_Catalog::catalog'].
        $this->rulesFactory->create()
            ->setRoleId($role->getId())
            ->setResources(['Magento_Backend::all'])
            ->saveRel();
    }

    public static function getDependencies() { return []; }
    public function getAliases() { return []; }
}


🔎 Understanding ACL Resources

Permissions in Magento 2 are controlled by ACL (Access Control List) resources. Each module declares the resources it introduces in its etc/acl.xml file; a role is then granted a subset of these resources, and code that protects an action asks the authorization service whether the current user’s role holds the resource.

🔧 Example: Defining ACL Resources


<acl xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="urn:magento:framework:Acl/etc/acl.xsd">
    <resources>
        <resource id="Magento_Backend::admin">
            <resource id="Vendor_Module::config" title="My Module Config" sortOrder="10"/>
        </resource>
    </resources>
</acl>
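🔧 Example: Enforcing the ACL Resource in an Admin Controller

Declaring a resource in acl.xml does nothing on its own; it only takes effect where code checks it. The following added example (not part of the original tutorial) shows an admin controller gated by the Vendor_Module::config resource declared above; the namespace, file path and the extra Vendor_Module::config_export resource are assumptions.

```php
<?php
/* File (assumed): app/code/Vendor/Module/Controller/Adminhtml/Config/Index.php */

namespace Vendor\Module\Controller\Adminhtml\Config;

use Magento\Backend\App\Action;
use Magento\Framework\App\Action\HttpGetActionInterface;
use Magento\Framework\Controller\ResultFactory;
use Magento\Framework\Controller\ResultInterface;

class Index extends Action implements HttpGetActionInterface
{
    /**
     * Resource checked by the parent class before execute() runs:
     * _isAllowed() calls $this->_authorization->isAllowed(static::ADMIN_RESOURCE).
     * A role without this resource gets the "Access denied" page instead of this action.
     * Leaving the inherited default (Magento_Backend::admin) would admit every admin user.
     */
    const ADMIN_RESOURCE = 'Vendor_Module::config';

    public function execute(): ResultInterface
    {
        // Only reached when the ACL check above has passed.
        $page = $this->resultFactory->create(ResultFactory::TYPE_PAGE);
        $page->setActiveMenu('Vendor_Module::config');
        $page->getConfig()->getTitle()->prepend(__('My Module Config'));
        return $page;
    }

    /**
     * Finer-grained check inside an action: a role may open the page but still lack a
     * privileged sub-operation. The resource id is assumed and would also have to be
     * declared in acl.xml under Vendor_Module::config for it to appear in Role Resources.
     */
    protected function canExport(): bool
    {
        return $this->_authorization->isAllowed('Vendor_Module::config_export');
    }
}
```

Assign the role from the earlier patch with only Vendor_Module::config (instead of Magento_Backend::all) to a test user and open the controller’s route to see the gate in action.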


🏁 Conclusion

Magento 2 makes it easy to assign specific roles and permissions to different users. Whether you’re securing access manually from the admin or programmatically through your modules, the ACL system gives you powerful control over who sees what.

Use roles to reduce risk, keep your team focused, and protect sensitive data—all from one secure admin panel!