Fri Mar 09, 2018 3:58 pm
As much as I love Shopify, I was shocked to find out that permissions you set for access are not honoured when it comes to apps: if you give access to someone to work in your store, and you set their permissions so that they cannot see any customer data/orders, but you DO give them permission to work on Apps, then they can see your customer data/orders in any apps that deal with those things e.g. Shopify's own digital downloads app, loyalty, wishlist apps etc.
I've argued about this with them for months, but they say nothing can be done and they are compliant. I doubt whether I can be compliant, because of the way their system works. So it's an issue for me.
Just making others aware too, because you would think 'no customer data' means just that.
"If you are worried about this then you may need to consult with a lawyer to see how best to proceed. As it stands however, these are the limits of the permissions of our staff accounts. As the European Union have not deemed this as going against their data protection act, it has not been changed."
"There is currently no way unfortunately to be able to restrict a staff account from one particular app. You have the ability to either grant a staff account access to apps, or to not grant access to apps. It would require a lot of additional custom coding to create the ability to block only certain apps from view to a staff account. You could try reaching out to a Shopify Expert to see if they could possibly code this into your theme for you but I do feel that it is unlikely they'd be able to do so, or that it would end up being very expensive. At the moment, the staff accounts can be allowed or disallowed access to certain areas of your admin, but our platform does not have the ability to drill down further into the permissions. I am unaware of any platform that would allow you to limit staff access on a per app basis in fact. As it stands, if you give access to a developer to apps then you need to be comfortable with them having access to all of your apps. If there was a breach in data then that would need to be reviewed by our legal team depending on what data was leaked. I'm afraid it is not possible to grant access to only some apps though and not others."