User and Permissions
The User and Permissions section is where you manage your team's access. By assigning specific permissions, you ensure that staff members (like designers, developers, or marketers) only see the data and tools relevant to their specific roles.
Location: Settings → User and permissions
What Is User and Permissions?
User and Permissions is the access control system for your Soppiya admin panel. It lets you invite team members, assign granular permissions for store resources (products, orders, themes), and control access to installed third-party apps.
- Staff Accounts - Invite team members with their Soppiya email
- Store Permissions - Control read, create, update, and delete access per resource
- App Permissions - Grant full, limited, or no access to installed applications
- Capacity Tracking - Monitor staff count against your subscription plan limit
Every staff member should have their own unique account. Sharing login credentials makes it impossible to track who made changes in the Activity Log.
Quick Start Guide
If you're adding your first team member, follow these steps:
- Click "Add staff" — Enter the staff member's Soppiya-registered email
- Set store permissions — Toggle read, create, update, and delete for each resource
- Set app permissions — Choose Full, Limited, or Denied access to installed apps
- Save — The staff member now appears in your team list with their assigned roles
For detailed instructions, continue reading below.
Staff Overview
The main screen provides a clear snapshot of your current team structure.
1. Staff Capacity
Located at the top left (e.g., Staff 6 of 25). This counter shows how many staff accounts are in use versus the total allowed by your current subscription plan.
2. The Staff List
The main area displays a list of all users currently associated with your store. Each row contains:
- Profile: The staff member's avatar and name.
- Access Badges: Visual labels that indicate the user's high-level authority.
  - Full Store Access: Can view and modify all core store settings.
  - Full App Access: Can open and use all installed applications.
  - Limited App Access: Restricted to specific, selected applications only.
Adding New Staff
To invite a new team member to your store:
- Click the Add staff button in the top right corner.
- Email: Enter the staff member's email address.
The email address you enter must belong to an existing Soppiya user. If your staff member does not have an account yet, they must register on Soppiya first. You cannot invite an email address that does not exist in our system.
Configuring Permissions
Once the email is entered, you must define exactly what the user is allowed to do. Permissions are divided into Store Resources and App Access.
Store Permissions (Resource Access)
This section controls access to native features (like Products, Orders, or Themes). You can toggle specific actions for each category by clicking the permission tags.
Permission Actions Explained
| Tag | Meaning | What the user can do |
|---|---|---|
| read | View Only | See data but cannot change anything. |
| create | Add New | Create new items (e.g., Add a new Product). |
| update | Edit | Modify existing settings or items. |
| delete | Remove | Permanently delete items (Use with caution). |
To allow a Content Writer to manage your blog but prevent them from seeing sales data:
- Enable: read_blog, create_blog, update_blog
- Disable: All tags related to order or payment.
App Permissions
Manage access to installed third-party tools (e.g., Marketing tools, Page Builders).
- Limited: Select this to hand-pick specific apps. Check the box next to the app name (e.g., Shop) to grant access.
- Denied: The user is blocked from opening any installed apps.
Managing & Removing Staff
You can modify a user's role or revoke their access at any time.
- Click on the staff member's name from the list.
- Edit Access: Toggle permissions on or off to update their role immediately.
- Remove Staff:
  - Scroll to the bottom of the profile to the Manage staff access section.
  - Click the red Remove [Staff Name] button.
  - Confirm the action in the pop-up window.
Removing a staff member is permanent. If you remove them by mistake, you must re-invite them and manually re-configure their permissions from scratch.
Real World Examples
Example 1: Content Writer Role
Goal: Allow a content writer to manage the blog without accessing financial data.
Configuration:
| Resource | Permissions |
|---|---|
| Blog | read, create, update |
| Article | read, create, update |
| Page | read, create, update |
| Product | ❌ None |
| Order | ❌ None |
| Payment | ❌ None |
| App Access | Denied |
Why this works:
- Writer can create and edit blog posts and pages
- No access to products, orders, or payments protects sensitive data
- Denied app access prevents interaction with third-party tools
Example 2: Fulfillment Manager Role
Goal: Allow a warehouse manager to process orders and manage inventory.
Configuration:
| Resource | Permissions |
|---|---|
| Order | read, update |
| Product | read, update |
| Customer | read |
| Theme | ❌ None |
| Settings | ❌ None |
| App Access | Limited (Shipping App only) |
Why this works:
- Can read and update orders for fulfillment processing
- Can update product inventory counts
- Read-only customer access for delivery coordination
- No access to theme or settings prevents accidental changes
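The two role tables above can be written as permission-tag sets and compared with what a staff member actually holds, which is the core of a periodic access review. This is an added example, not Soppiya code: the `<action>_<resource>` tag names (generalized from the page's `read_blog` style), the role keys, and the sample staff data are assumptions constructed for illustration.

```python
# Added example: audit staff grants against the role tables above.
# Assumption: tags follow the <action>_<resource> pattern of read_blog.
ACTIONS = {"read", "create", "update", "delete"}

# Role templates transcribed from Example 1 and Example 2.
ROLES = {
    "content_writer": {
        r: {"read", "create", "update"} for r in ("blog", "article", "page")
    },
    "fulfillment_manager": {
        "order": {"read", "update"},
        "product": {"read", "update"},
        "customer": {"read"},
    },
}

def parse_tag(tag):
    """Split 'update_blog' into ('update', 'blog'); reject malformed tags."""
    action, sep, resource = tag.strip().lower().partition("_")
    if not sep or action not in ACTIONS or not resource:
        raise ValueError(f"not a permission tag: {tag!r}")
    return action, resource

def audit(role, granted_tags):
    """Compare granted tags with the role template and return findings."""
    granted = {parse_tag(t) for t in granted_tags}
    allowed = {(a, r) for r, acts in ROLES[role].items() for a in acts}
    return {
        "excess": sorted(f"{a}_{r}" for a, r in granted - allowed),
        "missing": sorted(f"{a}_{r}" for a, r in allowed - granted),
        "delete": sorted(f"{a}_{r}" for a, r in granted if a == "delete"),
    }

# Constructed sample data (hypothetical staff, not a real Soppiya export).
SAMPLE = {
    "writer@example.com": ("content_writer", [
        "read_blog", "create_blog", "update_blog", "read_article",
        "create_article", "update_article", "read_page", "create_page",
        "update_page", "read_order", "delete_blog"]),
    "warehouse@example.com": ("fulfillment_manager", [
        "read_order", "update_order", "read_product", "read_customer"]),
}

if __name__ == "__main__":
    for email, (role, tags) in SAMPLE.items():
        print(email, role, audit(role, tags))
```

Entries under `excess` are grants to revoke, `missing` entries explain "can't access a feature" reports, and anything under `delete` deserves a second look regardless of role.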
Troubleshooting
I can't add a staff member — email not found
Possible causes:
- The email address doesn't belong to a registered Soppiya user
Solution:
- Ask the staff member to register at Soppiya first
- Once they have a Soppiya account, return to Settings → User and Permissions
- Click Add staff and enter their registered email
Staff member can't access a specific feature
Possible causes:
- The required permission tags are not enabled for that resource
Solution:
- Go to Settings → User and Permissions
- Click on the staff member's name
- Find the resource (e.g., Products) and enable the needed permission tags (read, create, update, delete)
- Save the changes — access takes effect immediately
I've reached my staff limit
Possible causes:
- Your subscription plan has a maximum staff count
Solution:
- Check the counter at the top of the User and Permissions page (e.g., "Staff 25 of 25")
- Remove inactive staff members to free up slots
- Or upgrade your Soppiya subscription plan for more capacity
If you're still experiencing issues, contact Soppiya support with the staff member's email and the specific resource they can't access.
Best Practices
User and Permissions Best Practices
Access Control
- Follow the principle of least privilege — only grant the minimum permissions needed
- Use unique accounts — never share credentials; individual accounts enable accountability via Activity Logs
- Review permissions quarterly — remove inactive staff and update roles as responsibilities change
Role Planning
- Map out roles before inviting staff — define Writer, Manager, Admin, etc. with specific resource access
- Use app permissions strategically — limit third-party app access to prevent data leaks
- Be cautious with delete permissions — only grant to trusted staff as deletions are often irreversible
Common Mistakes to Avoid
- ❌ Sharing one admin account among multiple staff — impossible to track who did what
- ❌ Granting full access to everyone — increases risk of accidental changes or data exposure
- ❌ Forgetting to remove former employees — ex-staff with active accounts are a security risk
- ❌ Not planning roles before inviting — leads to inconsistent, hard-to-manage permission sets
Summary
User and Permissions controls who can access your Soppiya admin panel and what they can do. By assigning granular permissions per resource and per app, you maintain security while enabling your team to work effectively.
Key takeaways:
- Every staff member needs their own Soppiya account (email must be registered first)
- Permissions are divided into Store Resources (read, create, update, delete) and App Access (full, limited, denied)
- Staff capacity is limited by your subscription plan
- Removing a staff member is permanent — you must re-invite and re-configure from scratch
- Use unique accounts for accountability in the Activity Log
- Follow the principle of least privilege — grant only the permissions each role requires
If you're just getting started, invite your first team member with read-only permissions, then gradually grant more access as trust and training progress.