Agent-Skills.md

Agent Skills: Shopify Enterprise RBAC

|

UncategorizedID: jeremylongshore/claude-code-plugins-plus-skills/shopify-enterprise-rbac

Repository

jeremylongshore/claude-code-plugins-plus-skills
jeremylongshoreLicense: NOASSERTION
1,723221

Install this agent skill to your local

pnpm dlx add-skill https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/HEAD/plugins/saas-packs/shopify-pack/skills/shopify-enterprise-rbac

Skill Files

Browse the full folder contents for shopify-enterprise-rbac.

Download Skill

Loading file tree…

plugins/saas-packs/shopify-pack/skills/shopify-enterprise-rbac/SKILL.md

Skill Metadata

Name
shopify-enterprise-rbac
Description
'Implement Shopify Plus access control patterns with staff permissions,

Shopify Enterprise RBAC

Overview

Implement role-based access control for Shopify Plus apps using Shopify's staff member permissions, multi-location features, and Organization-level access.

Prerequisites

  • Shopify Plus store (for Organization features)
  • Understanding of Shopify's staff permission model
  • read_users scope for querying staff permissions

Instructions

Step 1: Query Staff Permissions and Map to App Roles

Query staff members via GraphQL to get their access scopes, then map those scopes to app-level roles (admin, manager, fulfillment, viewer). Staff permissions mirror app scopes like read_products, write_orders, etc.

See Staff Query and Role Mapping for the complete GraphQL query, role definitions, and matching logic.

Step 2: Permission Middleware and Multi-Location Access

In embedded apps, use online access tokens to get per-staff permissions from session.onlineAccessInfo. For Shopify Plus stores with multiple locations, restrict fulfillment and inventory operations to authorized locations per user.

See Permission Middleware and Location Access for Remix loader examples and location access control.

Step 3: Organization API and Audit Trail

Shopify Plus Organization API enables multi-store management with organization-level, store-level admin, and store-level staff roles. Log all access decisions (allowed and denied) for compliance auditing.

See Organization API and Audit Trail for the Organization query and audit implementation.

Output

  • Staff permissions queried and mapped to app roles
  • Permission middleware protecting embedded app routes
  • Multi-location access control for Shopify Plus
  • Audit trail for all access decisions

Error Handling

| Issue | Cause | Solution | |-------|-------|----------| | No onlineAccessInfo | Using offline token | Use online access tokens for per-user permissions | | Staff can't access feature | Merchant restricted their permissions | Staff must request access from store owner | | Organization API 403 | Not on Shopify Plus | Organization features require Plus plan | | Location not found | Location deactivated | Query active locations before operations |

Examples

Quick Permission Check in Remix

// Remix action with permission guard
export async function action({ request }: ActionFunctionArgs) {
  const { admin, session } = await authenticate.admin(request);

  const role = determineRole(
    session.onlineAccessInfo?.associated_user_scope?.split(",") || []
  );

  if (!canPerformAction(role, "manage_products")) {
    return json({ error: "Insufficient permissions" }, { status: 403 });
  }

  // ... perform the action
}

Resources