
Shopify Staff Permissions for Contractors (2026)

A merchant-tested framework for scoping Shopify staff and collaborator permissions when hiring contractors, with role recipes, revocation steps, and an offboarding checklist.

Talk Shop


Apr 22, 2026


In this article

  • Why Oversharing Admin Access Is the Most Expensive Mistake New Merchants Make
  • How Shopify's Permission System Actually Works
  • Staff Accounts vs Collaborator Accounts: The Honest Comparison
  • Role-Specific Permission Recipes
  • How to Create a Custom Role (The Actual Clicks)
  • Temporary Access Tactics (Because Projects End)
  • Revoking Access When the Contract Ends
  • Enforce 2FA on Every Contractor
  • Read the Audit Log Like a Security Camera
  • Common Mistakes to Avoid
  • The Contractor Offboarding Checklist (Print This)
  • Bringing It All Together

Why Oversharing Admin Access Is the Most Expensive Mistake New Merchants Make

Most first-time Shopify merchants hand their freelancer the keys to the whole castle on day one. They invite a contractor as "staff with full permissions" because it is faster than reading the permissions table, and three months later that same contractor still has the ability to export the customer list, change payout accounts, or install rogue apps. The store owner has moved on. The access has not.

This guide is the role-scoping playbook we wish every merchant had before hiring their first designer, developer, VA, or fulfillment helper. You will learn how Shopify's permission system works, which permissions each contractor role actually needs, the real difference between staff and collaborators, and a repeatable offboarding checklist. For broader operational hygiene, our business strategy category covers vendor management, bookkeeping, and legal setup.

Proper Shopify staff permissions for contractors are not a bureaucratic exercise — they are the cheapest form of business insurance you can set up, and the entire process takes less than an hour once you know what to click.

How Shopify's Permission System Actually Works

Shopify splits access into three structural layers, and most of the confusion new merchants feel comes from treating them as interchangeable. They are not.

The first layer is the store owner — the one account that created the store or was transferred ownership. The owner is the only account that can change the billing plan, update the legal business address on the Shopify Payments account, or remove the account owner role itself. You cannot delegate "owner" to a contractor. You can only transfer ownership, which you almost never want to do.

The second layer is staff accounts. These are full logins attached to email addresses you invite from Settings > Users. Staff count against your plan's user limit; the SaasAnt breakdown of Shopify staff user permission levels is a useful side-by-side of seat limits per plan. The important thing is that staff accounts are designed for people who will be working in your admin repeatedly: employees, virtual assistants, in-house marketers.

The third layer is collaborator accounts, which are designed for Shopify Partners — agencies, freelancers, theme developers — to request scoped access without ever using one of your staff seats. Collaborators log in through the Partner Dashboard, not through your store login page. Shopify's own Partners blog piece on collaborator accounts describes them as the default recommendation for any external expert working on your store.

The three questions you must answer before inviting anyone

  • Will this person need access for more than 90 days? If no, strongly prefer a collaborator.
  • Is this person a registered Shopify Partner? If yes, collaborator is almost always correct.
  • Does this person need to see revenue, payouts, or customer PII? If no, remove those permissions before the invite goes out — not after.

If you are still deciding whether to hire at all, our guide on hiring a Shopify developer covers the scoping conversation that should happen before any invite is sent.

Staff Accounts vs Collaborator Accounts: The Honest Comparison


The single most underused feature in Shopify is the collaborator account. Merchants default to staff invites because the staff page is easier to find, but collaborators are objectively the better choice for most contractor work. Here is the comparison merchants wish they had seen on day one.

Dimension | Staff Account | Collaborator Account
Best for | Employees, in-house VAs, long-term team | Agencies, freelance developers, designers, marketers
Counts against plan limit | Yes (2 on Basic, 5 on Shopify, 15 on Advanced) | No
Login portal | Your store admin URL | Partner Dashboard
Who initiates | You invite them | They request, you approve
Auto-expires | No — stays active until removed | Yes — 90 days of inactivity
2FA enforcement | Optional unless on Shopify Plus | Enforced by Partner Dashboard
Good for short projects | Overkill and risky | Ideal
Visible in activity log | Yes | Yes, as a separate user

The 90-day auto-expiration on collaborator accounts is the quiet superpower — the Storetasker freelancer guide to Shopify collaborator accounts walks through the inactivity window and the request flow. If you forget to offboard a freelancer who built you a product feed three months ago, Shopify does it for you. Staff accounts never do that.

When to use staff anyway

Staff accounts still win in two situations. First, when the contractor is not a Shopify Partner and has no Partner Dashboard account — you cannot invite them as a collaborator without one. Second, when the person will be doing long-term operational work (daily customer service, for example) where logging in through the Partner Dashboard would add friction. In both cases you should still scope permissions tightly, which brings us to role recipes.

Role-Specific Permission Recipes

The Shopify admin exposes roughly 30 distinct permissions across products, orders, customers, marketing, analytics, apps, and settings. Giving a contractor "all permissions" is the equivalent of giving a plumber the keys to your safe. Instead, use the recipes below as starting points — each covers the minimum permissions a role actually needs to do its job.

Theme designer / front-end contractor

A designer needs to see how content looks in context and publish theme changes, nothing more. They almost never need to see a real customer record or a live order.

  • Themes: View, edit, and publish
  • Online Store: Manage (navigation, pages, blog posts)
  • Products: View and edit (they will need to preview real products)
  • Files: Upload and manage
  • Analytics: View (for reviewing homepage conversion)
  • Apps: View only (so they can see which apps render sections)

Never grant: Customers, Orders, Gift Cards, Finances, Shopify Payments, Staff.

Shopify developer (Liquid, app, or custom function work)

A developer needs deeper access than a designer — they may need to install apps or test checkout flows — but they still should not be able to see payouts or modify billing.

  • Themes: Full access
  • Apps and sales channels: Manage (with named app allowlist if possible)
  • Products, Collections, Inventory: Manage
  • Orders: View and edit test orders
  • Customers: View only (so they can test logged-in states)
  • Online Store, Files, Content: Manage

Never grant: Shopify Payments, Finances overview, Staff, plan management, domain transfer.

If the developer is a Shopify Partner, prefer a collaborator account with exactly this scope. Our companion piece on how to create a Shopify app from scratch walks through the API-side scopes a developer also needs in the Partner Dashboard.

Marketing VA / email + social manager

A marketing contractor writes campaigns, builds discount codes, and pulls reports. They should not be able to cancel orders or refund customers.

  • Marketing: Manage (campaigns, automations, segments)
  • Discounts: Manage
  • Customers: View (needed for segmenting)
  • Products: View
  • Analytics: View
  • Apps: Limited to marketing apps (Klaviyo, Mailchimp, Meta, etc.)

Never grant: Orders (edit), Refunds, Finances, Shopify Payments, Staff, Settings.

Customer service agent

Customer service is the role where merchants most often over-grant, because agents need to handle live orders. The fix is to allow order management but block finance and configuration.

  • Orders: View, edit, refund (with a refund cap if possible)
  • Customers: View and edit
  • Draft orders: Create and manage
  • Products: View
  • Inventory: View
  • Reports: Limited (sales by customer, returns)

Never grant: Finances overview, Shopify Payments, Staff, Apps install, Themes, Settings, Domains.

Fulfillment / shipping helper

The person packing your orders needs the narrowest scope of all. They rarely need to touch anything outside the order queue.

  • Orders: View, fulfill, print labels
  • Products: View
  • Inventory: Adjust (so they can mark damages)
  • Shipping: Manage carrier accounts if they run the shipping station

Never grant: Customers edit, Refunds, Analytics (full), Finances, Themes, Apps, Settings.

If you are moving from personally packing every order to handing the station to a contractor, pair this recipe with our guide to automating Shopify order tagging and fulfillment — automation reduces how many permissions the human actually needs.
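
The designer and fulfillment recipes above, encoded as data and checked against a list of accounts (an added example, not part of the original article or any Shopify tooling). The view/edit/manage scale, the inventory format, and the example.com accounts are assumptions constructed for illustration.

```python
# Added example: the article's designer and fulfillment recipes as data.
# Assumptions: the view < edit < manage scale simplifies Shopify's checkboxes,
# and INVENTORY is constructed sample data, not a Shopify export.
LEVELS = {"none": 0, "view": 1, "edit": 2, "manage": 3}

RECIPES = {
    "Contractor - Theme Designer": {
        # area -> highest level the recipe allows
        "allow": {"Themes": "manage", "Online Store": "manage",
                  "Products": "edit", "Files": "manage",
                  "Analytics": "view", "Apps": "view"},
        # area -> lowest level that breaks the recipe's "Never grant" line
        "never": {"Customers": "view", "Orders": "view", "Gift Cards": "view",
                  "Finances": "view", "Shopify Payments": "view",
                  "Staff": "view"},
    },
    "Contractor - Fulfillment": {
        "allow": {"Orders": "edit", "Products": "view",
                  "Inventory": "edit", "Shipping": "manage"},
        # "Customers edit" and "Analytics (full)" are banned from that level up
        "never": {"Customers": "edit", "Refunds": "view",
                  "Analytics": "manage", "Finances": "view",
                  "Themes": "view", "Apps": "view", "Settings": "view"},
    },
}

INVENTORY = [  # constructed accounts
    {"name": "designer@example.com", "role": "Contractor - Theme Designer",
     "granted": {"Themes": "manage", "Products": "edit",
                 "Customers": "view", "Apps": "manage"}},
    {"name": "packer@example.com", "role": "Contractor - Fulfillment",
     "granted": {"Orders": "edit", "Inventory": "edit",
                 "Customers": "view", "Refunds": "edit"}},
    {"name": "freelancer@example.com", "role": "Full access", "granted": {}},
]


def audit_user(user):
    """Return sorted (severity, area, detail) findings for one account."""
    recipe = RECIPES.get(user["role"])
    if recipe is None:
        # "Full access" or an ad-hoc role cannot be checked against a recipe.
        return [("high", "*", f"role {user['role']!r} is not built from a recipe")]
    findings = []
    for area, level in user["granted"].items():
        have = LEVELS[level]
        cap = recipe["allow"].get(area, "none")
        floor = recipe["never"].get(area)
        if have and floor is not None and have >= LEVELS[floor]:
            findings.append(("high", area, f"{level} is on the never-grant list"))
        elif have > LEVELS[cap]:
            findings.append(("medium", area, f"{level} exceeds recipe level {cap}"))
    return sorted(findings)


def audit_inventory(inventory):
    """Map each account name to its findings, dropping clean accounts."""
    report = {u["name"]: audit_user(u) for u in inventory}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit_inventory(INVENTORY).items():
        for severity, area, detail in found:
            print(f"{severity:6} {name:24} {area}: {detail}")
```

A "medium" finding is access the recipe never mentions; a "high" finding is access the recipe explicitly forbids, or an account whose role was never built from a recipe at all.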

How to Create a Custom Role (The Actual Clicks)


Shopify lets you bundle permissions into reusable roles, which is the secret to onboarding future contractors in under two minutes each. Instead of clicking 15 checkboxes every time you hire a new marketing VA, you save the recipe once.

  1. From the Shopify admin, go to Settings > Users.
  2. Click the Roles tab, then Add role.
  3. Choose the role category (Store, Organization, or POS).
  4. Name the role something unambiguous — Contractor - Theme Designer is better than Designer.
  5. Tick only the permissions from the recipe above. Shopify will auto-add any required dependencies.
  6. Save the role.
  7. When inviting the contractor, select this role instead of "Full access" or "Limited permissions."

The Hulk Apps walkthrough of Shopify collaborator vs staff flexibility mirrors the same flow with extra screenshots if you prefer visual steps. The big win is auditability — six months later you can open the role, see exactly what every "Contractor - Theme Designer" has access to, and revoke a permission from all of them in a single click.

Reuse roles across similar contractors

If you rehire the same designer next quarter, you do not need to rebuild the role. Delete the old user, keep the role, invite the new user into it. This is a material time-saver once you are working with three or four contractors at once.

Temporary Access Tactics (Because Projects End)

Almost every contractor engagement is temporary, and Shopify does not have a native "expire this access on March 31" toggle for staff accounts. You have to build that discipline yourself.

Use collaborator accounts as your default timer

Collaborators auto-expire after 90 days of inactivity. For anything shorter than a quarter, this is your built-in insurance. If the contractor finishes in three weeks and never logs back in, the account disables itself.

Calendar the end date the moment you send the invite

This sounds trivial, and that is exactly why merchants skip it. The day you invite a contractor, put a calendar event titled Revoke Shopify access — [Contractor Name] on the contract's end date. Also create one seven days before as a reminder to wrap up any final tasks. Without this, access drifts. With this, you never forget.

Prefer one-off access over standing access

If a developer only needs to push a theme update once, grant access, let them push, and remove access in the same day. You can always invite them again. Standing access is convenient for you and catastrophic when the contractor's email later gets compromised. The Shopify store security best practices guide on Talk Shop covers this principle in broader detail.

Use draft theme access for review-only work

If the freelancer's job is to show you a new landing page you might publish, they do not need publish permissions. Give them theme edit access only and publish it yourself. This removes an entire class of "oops, I pushed it live on Black Friday morning" incidents.

Revoking Access When the Contract Ends

Removing a contractor is the part most merchants get wrong — not because it is hard, but because they stop at step one. There are actually four layers to a clean removal.

Layer 1: Remove the user from Shopify

  • Go to Settings > Users, click the user, then Remove (or Remove collaborator account).
  • Shopify may prompt you for your account password — set one if you normally log in via Google/Apple SSO, then retry.
  • Confirm the removal.

Layer 2: Revoke any API tokens the contractor created

If the contractor installed a custom app or used the Shopify Admin API, they may have generated API tokens that survive user deletion. Go to Apps > Develop apps (if visible) and rotate or delete any tokens created during their tenure. Our Shopify Admin API overview explains what these tokens can do.

Layer 3: Rotate any shared credentials

If the contractor ever had a password manager entry, a DNS provider login, a Klaviyo login, a Google Business Profile manager seat, or any analytics access, rotate those now. Merchants forget that Shopify is only one of many systems a contractor touches.

Layer 4: Audit the activity log for the last 30 days of their tenure

Open Settings > Log, filter to the contractor's user, and skim the last 30 days of activity. Look for app installs, discount code creation, theme publishes, and any changes you did not sanction. If something unexpected appears, deal with it now — not in three months when a customer complaint makes you open the log anyway.

Enforce 2FA on Every Contractor


Two-step authentication is the single highest-return security control you can enforce on a Shopify store. Compromised passwords are how most store takeovers start, and 2FA defeats most of them.

On all plans, each individual user can enable 2FA on their own account from Account settings > Security. On Shopify Plus, the store owner can require 2FA for all users at the organization level — Shopify's two-step authentication for users documentation covers the exact toggle. If you are not on Plus, make 2FA a contractual requirement instead.

What to put in your contractor agreement

  • "Contractor will enable two-step authentication on their Shopify account prior to first login."
  • "Contractor will not share login credentials with any other person."
  • "Contractor will use an authenticator app or hardware key, not SMS, for the second factor."

SMS-based 2FA can be defeated by SIM-swap attacks, so authenticator apps (Google Authenticator, 1Password, Authy) or hardware keys are strictly better. Industry guides like Byradiant's 2026 Shopify 2FA walkthrough and the OCD Tech Shopify MFA setup guide are worth forwarding to contractors who have never set it up before.

Verify before you grant permissions

Ask the contractor to screenshot their Account settings > Security page showing 2FA enabled before you approve the invitation. It takes them 30 seconds and removes the single biggest attack vector.

Read the Audit Log Like a Security Camera


Shopify's activity log is the most underused admin page on the platform. It records every significant admin action — logins, setting changes, app installs, theme edits, permission changes, discount creations — and it is the only reliable way to answer "what did that contractor actually do?" after the fact.

A weekly 10-minute audit routine

  • Open Settings > Log every Monday.
  • Filter by Last 7 days.
  • Scan for: new apps installed, users added, discounts created without a campaign, theme publishes outside your release window, refunds above your usual threshold.
  • If something looks off, click into it for detail, then message the responsible contractor the same day.

Making this a ritual prevents the far nastier scenario where you scroll through 90 days of logs after a problem has already occurred. The EComposer Shopify login history guide goes deep on what each log entry means, and the Shero Commerce quarterly Shopify user permissions audit playbook is a good template if you prefer a formal 90-day review cadence.
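
The Monday scan list above expressed as detection rules over an exported log (an added example, not Shopify's or the article's own code). The CSV columns, action labels, weekday 09:00 to 17:00 release window, and 150.00 refund threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. The column names and action labels are
# assumptions, not Shopify's activity-log format; rename them to match yours.
SAMPLE_LOG = """timestamp,user,action,detail,campaign,amount
2026-04-02T12:00:00,dev@example.com,app_installed,Old Feed App,,0
2026-04-14T10:02:00,va@example.com,discount_created,SPRING10,,0
2026-04-14T10:30:00,va@example.com,discount_created,WELCOME15,spring-email,0
2026-04-15T09:30:00,dev@example.com,app_installed,Example Feed Sync,,0
2026-04-16T23:41:00,designer@example.com,theme_published,Landing v2,,0
2026-04-17T11:15:00,designer@example.com,theme_published,Landing v3,,0
2026-04-17T14:05:00,cs@example.com,refund_created,order 1001,,40.00
2026-04-18T16:20:00,cs@example.com,refund_created,order 1002,,310.00
2026-04-18T17:00:00,owner@example.com,user_added,new-va@example.com,,0
"""

RELEASE_DAYS = {0, 1, 2, 3, 4}   # assumption: publish Monday to Friday only
RELEASE_HOURS = range(9, 17)     # assumption: 09:00 to 16:59 store time
REFUND_THRESHOLD = 150.00        # assumption: your "usual" refund ceiling


def in_release_window(ts):
    return ts.weekday() in RELEASE_DAYS and ts.hour in RELEASE_HOURS


def classify(row, ts):
    """Return the scan-list reason a row matches, or None."""
    action, detail = row["action"], row["detail"]
    if action == "app_installed":
        return f"new app installed: {detail}"
    if action == "user_added":
        return f"user added: {detail}"
    if action == "discount_created" and not row["campaign"].strip():
        return f"discount without a campaign: {detail}"
    if action == "theme_published" and not in_release_window(ts):
        return f"theme publish outside release window: {detail}"
    if action == "refund_created" and float(row["amount"] or 0) > REFUND_THRESHOLD:
        return f"refund {row['amount']} above threshold: {detail}"
    return None


def weekly_review(log_csv, now):
    """Group flagged entries from the last 7 days by the user to message."""
    since = now - timedelta(days=7)
    by_user = {}
    for row in csv.DictReader(io.StringIO(log_csv)):
        ts = datetime.fromisoformat(row["timestamp"])
        if not since <= ts <= now:
            continue  # outside the "Last 7 days" filter
        reason = classify(row, ts)
        if reason:
            by_user.setdefault(row["user"], []).append((row["timestamp"], reason))
    return by_user


if __name__ == "__main__":
    monday = datetime(2026, 4, 20, 9, 0)  # constructed review time
    for user, hits in weekly_review(SAMPLE_LOG, monday).items():
        for stamp, reason in hits:
            print(f"{user:24} {stamp}  {reason}")
```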

Export logs before removing a user

Before you remove a contractor, export the last 90 days of their activity and save it to a folder you control. If there is ever a downstream dispute — disputed work, chargebacks, data leak allegations — you will want the record. Shopify does not retain this history forever, and a removed user's actions can become harder to filter afterwards.

Common Mistakes to Avoid

Most permission disasters on Shopify are not exotic attacks. They are a handful of predictable shortcuts that compound over time.

Mistake | Why It Hurts | Do This Instead
Inviting a freelancer as "Full access" because it is faster | They can change your payout bank account, install rogue apps, or export customer PII | Build a role from the recipes in this article and select it at invite time
Sharing one staff login across a team | You cannot tell who did what in the activity log | Every human gets their own account, even if you share the cost
Never rotating passwords after offboarding | Password managers and old notes outlive employment | Rotate on the day you remove access, not "eventually"
Skipping 2FA "just for the trial week" | Attackers often hit during handover windows | Enforce 2FA before the first login, no exceptions
Leaving a departed contractor as "disabled" instead of removed | They still appear in your user list and obscure real audits | Fully remove the user, then store a CSV export of their activity log
Giving a marketer access to Orders > Refund | Refund fraud is a real category; marketers rarely need it | Scope marketing to Marketing + Discounts + Customers (view) only
Inviting a developer as Staff when they are a Shopify Partner | Wastes a seat and disables the 90-day auto-expiry | Use a collaborator invite through the Partner Dashboard

The silent mistake: not training your contractors

Even with perfect permissions, a contractor who has never seen a Shopify admin before can still break things by accident. Spend 15 minutes on a screen share walking through the areas they can and cannot touch. The investment pays for itself the first time they do not need to message you a panicked "I clicked the wrong thing."

The Contractor Offboarding Checklist (Print This)


Use this checklist every time a contract ends. Paste it into your project management tool as a template so you cannot forget a step under time pressure.

  • Notify the contractor in writing that access will be revoked on date X
  • Export the activity log filtered to their user for the full engagement
  • Collect any deliverables, design files, or code from shared storage
  • Remove them from Settings > Users (staff or collaborator)
  • Revoke or rotate any Shopify Admin API tokens created during their tenure
  • Rotate shared passwords on connected services (Klaviyo, DNS, email, analytics)
  • Remove them from any shared password manager vault
  • Disable any scheduled automations they owned (Shopify Flow, Zapier)
  • Check the activity log for unexpected actions in the final 7 days
  • Remove them from Slack, email groups, or whatever comms channel they had
  • Document which internal role now owns their work
  • Confirm in writing (email) that access has been revoked and thank them

Industry offboarding templates like Deel's IT offboarding checklist are useful if you want to map this against a broader HR process when your team grows. For the Shopify-specific slice, the 12-step version above is sufficient for the vast majority of merchant-contractor relationships.

Bringing It All Together

Proper Shopify staff permissions for contractors are not about distrust. They are about protecting the contractor as much as the merchant — a freelancer whose account gets compromised is far less exposed when their scope was narrow to begin with. The core discipline is simple: prefer collaborator accounts over staff where possible, build reusable role recipes that encode the minimum necessary access, enforce 2FA before the first login, calendar the revocation date the moment you grant access, and run a 10-minute weekly audit of your activity log.

Do this once, and every future contractor hire becomes a two-minute task instead of a permissions negotiation. Skip it, and you are one careless password reuse away from a bad week. The time cost of doing it right is trivial. The cost of doing it wrong scales with your revenue.

If you want to keep leveling up your store operations as you bring on more help, browse our shopify-development category for deeper dives on development workflows, or drop by the Talk Shop community to compare notes with other merchants who are building their first team.

What is the one contractor role you are about to hire for — and which permissions from the recipes above will you remove before the invite goes out?
