Shopify Enterprise RBAC

Step 2: Permission Middleware and Multi-Location Access

In embedded apps, use online access tokens to get per-staff permissions from session.onlineAccessInfo. For Shopify Plus stores with multiple locations, restrict fulfillment and inventory operations to authorized locations per user.

See Permission Middleware and Location Access for Remix loader examples and location access control.

Step 3: Organization API and Audit Trail

Shopify Plus Organization API enables multi-store management with organization-level, store-level admin, and store-level staff roles. Log all access decisions (allowed and denied) for compliance auditing.

See Organization API and Audit Trail for the Organization query and audit implementation.

Output

• Staff permissions queried and mapped to app roles
• Permission middleware protecting embedded app routes
• Multi-location access control for Shopify Plus
• Audit trail for all access decisions

Error Handling

Examples

Quick Permission Check in Remix

// Remix action with permission guard
export async function action({ request }: ActionFunctionArgs) {
  const { admin, session } = await authenticate.admin(request);

  const role = determineRole(
    session.onlineAccessInfo?.associated_user_scope?.split(",") || []
  );

  if (!canPerformAction(role, "manage_products")) {
    return json({ error: "Insufficient permissions" }, { status: 403 });
  }

  // ... perform the action
}

Resources

• Shopify Staff Permissions
• Online vs Offline Tokens
• Shopify Plus Organization
• Multi-Location Inventory