How to Enhance Security of Your Magento Store (Access Management)
The question of website security is always on the surface, but it becomes especially important when you do not work alone and have staff working with you. Typically, employees are in charge of only some tasks yet have access to all data. Thus, when something goes wrong, or some action is taken by accident, you can hardly know who is responsible.
In just about any system where more than one person manages the content of a site, it is a good idea to give each employee or shop manager his or her own role with permissions. This way you let people work only with the sections of your shopping cart that you, as the site owner, decide on.
Store Manager for Magento lets you know who is going to be modifying the site content and decide what type of data access the system needs to grant.
This way, you can create different accounts for the different people involved in website management, each with access only to those sections of the application that the person is supposed to work with. So each manager or employee is assigned a definite role with managing permissions.
Let’s see how access management can be set up and how it works.
At the very top of the application you will see a small padlock button. Clicking it opens a drop-down with actions to select.
Please note that when you select the option that enables access management, additional database tables for access management accounts will be created.
Next you will see the tabs “Users” and “Roles”.
A Magento “User” is simply an account (username and password) that someone who manages your shop uses to access it and manage, change or only view the information there. A “User role” is the detailed description of what parts of the site a user can access and change.
Small hint: it is more convenient and time-saving to first create roles with assigned permissions and then simply create accounts for your employees, indicating their roles.
Naturally, you as the owner will have admin access with all permissions granted.
For the other people involved in handling your shop, you need to create one or a few roles. For example, let’s create the role “Content Manager”. Next, to grant particular permissions, you have to uncheck the box “Administrator rights”. You will then see checkboxes that correspond to particular sections of the application. A content manager would most likely need access to import/export of product categories, attributes, attribute sets, custom options, etc. At the same time you can restrict access to sections such as orders, reports, backup, etc. Moreover, some options you can make available for viewing only, not modification.
When all the rights have been assigned to the role, return to the “Users” tab and create an account for the person you are working with. While creating the user you can assign the role. One and the same role can be assigned to multiple users.
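To make the permission model behind these steps concrete, here is an added example (not Store Manager's own code, and not its API) in Python: roles carry per-section permissions, an "administrator" flag short-circuits every check, sections that a role does not list are denied by default, and every attempt is written to an audit trail so that "who changed this?" can be answered afterwards. The role contents, user names and section names are constructed to follow the "Content Manager" example above.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Access(IntEnum):
    NONE = 0     # section hidden entirely
    VIEW = 1     # read-only, the article's "just for view" option
    MODIFY = 2   # full editing rights

@dataclass
class Role:
    """Named set of per-section permissions. 'administrator' mirrors the
    'Administrator rights' box: when set, every section check passes."""
    name: str
    administrator: bool = False
    sections: dict = field(default_factory=dict)   # section -> Access

    def allows(self, section: str, wanted: Access) -> bool:
        if self.administrator:
            return True
        # Deny by default: a section absent from the role grants nothing.
        return self.sections.get(section, Access.NONE) >= wanted

def perform(username, role, section, action, audit):
    """Authorize one action and log the attempt either way, so the trail
    answers 'who changed this?' and 'who tried to?' afterwards."""
    allowed = role.allows(section, action)
    audit.append(f"{username} {action.name} {section} "
                 f"{'OK' if allowed else 'DENIED'}")
    return allowed

# Constructed roles following the article's "Content Manager" example;
# reports and backup are left out of the role, so they are denied.
CONTENT_MANAGER = Role("Content Manager", sections={
    "categories": Access.MODIFY, "attributes": Access.MODIFY,
    "attribute_sets": Access.MODIFY, "custom_options": Access.MODIFY,
    "orders": Access.VIEW,
})
OWNER = Role("Owner", administrator=True)

def demo():
    audit = []   # two constructed users share one role; owner keeps all rights
    results = [
        perform("alice", CONTENT_MANAGER, "categories", Access.MODIFY, audit),
        perform("bob", CONTENT_MANAGER, "orders", Access.VIEW, audit),
        perform("bob", CONTENT_MANAGER, "orders", Access.MODIFY, audit),
        perform("alice", CONTENT_MANAGER, "backup", Access.VIEW, audit),
        perform("owner", OWNER, "backup", Access.MODIFY, audit),
    ]
    return results, audit
```

The audit list is what lets you trace an accidental change back to a named account, which is the attribution problem described at the start of the article.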
These options allow you to enter or exit a particular session. This way, when you have finished managing your portion of the information, you can log out and the next person can enter his or her access details and continue working without having to restart the application.
Using this option you can disable access management and remove all accounts and roles.
Any site that is going to be managed by more than one person needs a proper system of access management. Creating individual accounts for each person involved with the website, and ensuring each user has the appropriate permissions on your site, is a worthwhile step toward having and maintaining an online business that is secure.