Simple Permissions, Powerful Consequences
Shopify's old permissions system was too broad, granting excessive access and posing security risks. As Lead Designer on Shopify Plus' Ability team, I led efforts to introduce fine-grained access controls and integrate Shopify Flow, allowing merchants to create dynamic, conditional policies.
This improved security, reduced errors, and increased operational efficiency. Within 90 days, adoption was high, with measurable improvements in compliance, refunds, and user management.
Role: Lead Product Designer
Involvement: End-to-end, 4 shipped iterations
Timespan: 6 months, Concept to Final Iteration
A System in Need of Change
As the Lead Designer on Shopify Plus’ Ability team, my mission was to redefine how high-growth merchants managed access and security within their organizations. These businesses operate at scale, with dozens or even hundreds of employees requiring precise control over store operations.
However, Shopify’s existing permission system wasn’t built for this level of complexity. Permissions were vague, binary, and often granted users far more control than necessary.
Existing permissions were vague in their descriptions and gave users near all-encompassing ability to make changes.
Merchants struggled with an all-or-nothing approach that lacked transparency. For example, granting an employee permission to edit orders also unlocked access to sensitive financial data, refunds, and customer details. From a security and compliance standpoint—especially under GDPR—this was a ticking time bomb.
Designing Granular Control
The first challenge was clear: permissions needed to be more refined. Without granular control, businesses faced unnecessary risks—customer data exposure, unintentional refunds, and the reliance on external tools to enforce internal policies.
To address this, I led the design efforts in a two-phase approach:
- Introduce fine-grained access controls to restrict permissions more effectively.
- Leverage Shopify Flow’s WYSIWYG interface to allow merchants to build custom policies tailored to their operations.
After conducting extensive interviews with over two dozen large-scale Shopify Plus merchants, a common theme emerged: conditional access was critical. A Customer Service Representative (CSR) should have access to certain order details, but only within defined limits; Frontend Developers shouldn’t have access to order or customer data at all; and so on.
Layering in granularity allowed us to expand the scope of the existing, list-based approach.
As an example, merchants wanted policies such as: “Allow refunds only within specific timeframes” or “Restrict access to orders above a certain value.” My role was to translate these business needs into an intuitive, scalable permissions framework that ensured businesses could enforce their own internal policies natively within Shopify, reducing errors and eliminating unauthorized access.
Unlocking Flexibility with Flow
The challenge with predefined permission sets is that they become outdated as business needs evolve. A static system of checkboxes would quickly grow unwieldy, making it harder—not easier—for merchants to manage user access.
As Lead Designer, I worked closely with engineering and product leadership to integrate Shopify Flow into the permissions system. While Flow was typically used for tagging orders, detecting fraud, and streamlining fulfillment, we recognized its potential to revolutionize permissions. Since Flow had access to all objects within Shopify—including users and roles—it could serve as a dynamic policy engine.
Flow allows the merchant to set as many conditional checks on permissions as needed.
By leveraging Flow, we enabled merchants to define intricate, logic-based policies within Shopify itself. Consider the following real-world example:
Example Policy
A user attempts to refund an order. They can only do so if all conditions are met.
- The user has the CSR role.
- The order was placed within the last 90 days and is not tagged as Final Sale.
- The action takes place within business hours, and originates from a known office IP address.
- The order value is less than $500 and the daily refund total is less than $2000.
If any of these conditions fail, the refund action is automatically blocked—without requiring managerial intervention.
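To make the deny-by-default semantics of that policy concrete, here is an added illustration in Ruby; it is not Shopify's or Flow's code. The office network range, the business-hours window, and the rule that the daily total counts the refund being requested are assumptions.

```ruby
require 'time'
require 'ipaddr'

# Policy limits from the example above; the network and hours are assumed values.
OFFICE_NETWORKS    = [IPAddr.new('203.0.113.0/24')].freeze # assumed office range
FINAL_SALE_TAG     = 'Final Sale'
ORDER_MAX_AGE_DAYS = 90
ORDER_VALUE_LIMIT  = 500.00
DAILY_REFUND_LIMIT = 2000.00
BUSINESS_HOURS     = (9...17) # assumed: 09:00 to 16:59, store local time

# Deny-by-default evaluation: every condition must hold or the refund is blocked.
# Returns [allowed, reasons] so a denial can be logged and explained to the user.
def refund_allowed?(user:, order:, request:, refunded_today:)
  reasons = []
  reasons << 'user lacks CSR role' unless user[:roles].include?('CSR')

  age_days = (request[:time].to_date - order[:placed_at].to_date).to_i
  reasons << "order is #{age_days} days old" if age_days > ORDER_MAX_AGE_DAYS
  reasons << 'order is tagged Final Sale' if order[:tags].include?(FINAL_SALE_TAG)

  reasons << 'outside business hours' unless BUSINESS_HOURS.cover?(request[:time].hour)
  begin
    ip = IPAddr.new(request[:ip])
    reasons << 'not from a known office IP' unless OFFICE_NETWORKS.any? { |net| net.include?(ip) }
  rescue IPAddr::InvalidAddressError
    reasons << 'unparseable source IP' # malformed input is a denial, never a pass
  end

  reasons << 'order value at or above limit' unless order[:total] < ORDER_VALUE_LIMIT
  # Assumed: the daily total includes this refund, so one request cannot push
  # the day past the cap.
  projected = refunded_today + order[:total]
  reasons << 'daily refund total would reach limit' unless projected < DAILY_REFUND_LIMIT

  [reasons.empty?, reasons]
end

# Constructed sample: a CSR refunding a 10-day-old $120 order from the office at 10:30.
def sample_request
  now = Time.parse('2024-03-12 10:30:00 +00:00')
  {
    user: { roles: ['CSR'] },
    order: { placed_at: now - (10 * 86_400), tags: ['VIP'], total: 120.00 },
    request: { time: now, ip: '203.0.113.25' },
    refunded_today: 1500.00
  }
end

if __FILE__ == $PROGRAM_NAME
  allowed, reasons = refund_allowed?(**sample_request)
  puts(allowed ? 'refund allowed' : "refund blocked: #{reasons.join(', ')}")
end
```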
As part of my design process, I focused on ensuring these rules were easy to configure while maintaining flexibility. Rather than merchants relying on an ever-growing list of checkboxes, Flow empowered them to create their own policies, streamlining security and access control.
A Measurable Impact
By shifting permissions from a static structure to an adaptive, rule-based system, we gave merchants unprecedented control over access and security. As Lead Designer, I helped create an experience that seamlessly integrated automation, compliance, and ease of use. The result? A self-sustaining permissions model that reduced risk while empowering teams with the right level of access—nothing more, nothing less.
The results were immediate and substantial. Within 90 days of launch, nearly 67% of interviewed merchants had adopted the new system. Key performance indicators highlighted its success:
- 43% decrease in customer support escalations
- 66.4% adoption rate among interviewed merchants
- 58% reduction in accidental refunds
- 6,450+ total policies created in the 90 days post-rollout