Who can do what in the admin.
Staff users
CMS staff sign in at /admin. Each user has one or more roles; roles grant permissions such as edit_content, manage_content_types, or manage_plugins.
Managing users
- Go to System → Users.
- Click Add user or edit an existing account.
- Assign one or more roles.
- Save. The user receives credentials or resets their password via the email flow.
Common permissions
| Permission | Allows |
|---|---|
| edit_content | Create and edit entries |
| manage_content_types | Define types, fields, content lists |
| manage_pages | Edit site pages |
| manage_media | Upload and organize media |
| manage_plugins | Install and activate plugins |
| manage_commerce | Orders, coupons, commerce settings |
| manage_portability | Blueprints, config sync, import/export |
Best practice
- Give editors only content permissions they need—avoid granting manage_plugins to editorial staff.
- Restrict plugin installation to technical roles.
- Enable two-factor authentication for privileged accounts.
- Review role assignments when team members change jobs or leave.
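
The checks in this list can be run periodically against an export of roles and accounts. The script below is an added example, not code from this CMS: the record layout (`roles`, `two_factor`, `active`), the role names, the set of permissions treated as privileged, and the rule that a user's permissions are the union of their roles are all assumptions, and the data is constructed.

```python
# Added example: role and account data are constructed, not a real export.
PRIVILEGED = {"manage_plugins", "manage_portability", "manage_commerce"}  # assumption
EDITORIAL_ROLES = {"editor"}  # assumption: roles held by editorial staff

ROLES = {
    "editor": {"edit_content", "manage_media"},
    "site_builder": {"manage_pages", "manage_content_types"},
    "developer": {"manage_plugins", "manage_portability"},
    "shop_manager": {"manage_commerce"},
}

USERS = [
    {"name": "alice", "roles": ["editor"], "two_factor": False, "active": True},
    {"name": "bob", "roles": ["editor", "developer"], "two_factor": True, "active": True},
    {"name": "carol", "roles": ["shop_manager"], "two_factor": False, "active": True},
    {"name": "dave", "roles": ["developer"], "two_factor": True, "active": False},
    {"name": "erin", "roles": ["editor", "legacy_admin"], "two_factor": True, "active": True},
]


def effective_permissions(user, roles):
    """Union of permissions over all of a user's roles, plus undefined role names."""
    perms, unknown = set(), []
    for role in user["roles"]:
        if role in roles:
            perms |= roles[role]
        else:
            unknown.append(role)
    return perms, unknown


def audit(users, roles):
    """Return sorted (user, finding) pairs for the best-practice checks."""
    findings = []
    for user in users:
        perms, unknown = effective_permissions(user, roles)
        name = user["name"]
        if not user["active"] and user["roles"]:
            findings.append((name, "inactive account still has roles"))
        # Two individually acceptable roles can combine into an editor who installs plugins.
        if EDITORIAL_ROLES & set(user["roles"]) and "manage_plugins" in perms:
            findings.append((name, "editorial role combined with manage_plugins"))
        if perms & PRIVILEGED and not user["two_factor"]:
            findings.append((name, "privileged permission without two-factor"))
        findings.extend((name, f"undefined role: {r}") for r in unknown)
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(USERS, ROLES):
        print(f"{name}: {finding}")
```
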
Customers vs staff
Storefront customers (commerce) use PHPAuth accounts on the public site for order history—they do not access the CMS staff admin. Customer accounts are created at checkout or via registration on the storefront.
Troubleshooting
- 403 on save — Your role lacks the permission for that action.
- Cannot see Commerce menu — Requires manage_commerce or equivalent admin role.