Frequently Asked Questions
Best practices for secure user management
Published on 9/13/2019
Last update on 12/10/2021

Granting store access to various users can have several benefits. It is extremely important, however, to carefully manage user permissions. Poorly managing store access permissions can have deleterious consequences for your operation.

Untrained or malicious users with permission to access critical services can cause irreparable loss of data, upheaval in business rules, disruption of integrations, template breakdowns and other harmful effects that will ultimately impact your sales.

To avoid this, we've put together several suggestions and best practices for managing users, aimed at helping you protect your store. Following these tips keeps your store even safer.

Frequently review all user permissions

It's recommended to periodically review platform roles. Market practices suggest at least one annual review. Nevertheless, it can be done more often. Some companies, for example, review internal users on a semi-annual basis.

Use corporate login to simplify user management

Using corporate login (SSO) for authentication purposes tends to make it easier to commission and decommission users in processes related to employee hiring and dismissal.

Restrict use of the Super Admin role

Do not grant the Super Admin role to a large number of users. This role can make critical changes to the store. It is important to restrict the number of users who can grant or withdraw authorizations.

For each user, adopt the principle of least privilege (“lowest permission required”), so that you avoid a large number of users holding more privileges than their work needs.

Use corporate e-mail addresses whenever possible

Do not register personal emails from generic domains on the store (@gmail or @hotmail, for example). Opt for corporate emails. There is more control over these domains, and they are subject to company authentication policies, and are therefore more secure.

Keep the Sponsor user assigned to your security officer

Assign the Sponsor user only to someone whose real role is to constantly check user changes and creation. In addition, make sure this check actually gets done.

Activate 2FA when using Google to sign in

Offering the option of Google sign-in will be much more secure if two-factor authentication is required. Avoid allowing this type of access without 2FA. See the documentation for instructions on enabling two-factor authentication (2FA).
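The review, Super Admin, corporate e-mail and 2FA practices above all boil down to checks that can be run against a user list. The following Python script is an added example, not VTEX's own code and not its API: the record fields (email, roles, last_reviewed, sign_in, mfa), the role name, the sample users and the thresholds are all constructed here for illustration, and the generic-domain list is a starting point to adapt to your own policy.

```python
"""Added example: offline audit of a store user list against the page's practices.

Assumptions (not VTEX's export format or API): each user is a dict with
  email         - login e-mail address
  roles         - list of role names ("Super Admin" assumed as the role name)
  last_reviewed - ISO date of the last permission review, or None if never reviewed
  sign_in       - "sso", "password" or "google"
  mfa           - whether two-factor authentication is enforced for that sign-in
"""
from datetime import date, timedelta

# Generic consumer domains to flag; extend to match your own policy.
GENERIC_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# Constructed sample export (fictional people and store).
SAMPLE_USERS = [
    {"email": "ana@example-corp.com", "roles": ["Super Admin"],
     "last_reviewed": "2021-11-02", "sign_in": "sso", "mfa": True},
    {"email": "bruno@example-corp.com", "roles": ["Super Admin"],
     "last_reviewed": "2020-06-15", "sign_in": "sso", "mfa": True},
    {"email": "carla@example-corp.com", "roles": ["Super Admin"],
     "last_reviewed": "2021-09-01", "sign_in": "password", "mfa": True},
    {"email": "dev.contractor@gmail.com", "roles": ["Catalog"],
     "last_reviewed": "2021-10-20", "sign_in": "google", "mfa": False},
    {"email": "eve@example-corp.com", "roles": ["Orders"],
     "last_reviewed": None, "sign_in": "sso", "mfa": True},
]


def email_domain(email):
    """Return the lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[-1].lower()


def audit_users(users, today, max_super_admins=2, review_interval_days=365):
    """Return a list of findings; each is {"check": ..., "user": ..., "detail": ...}.

    max_super_admins and review_interval_days are illustrative thresholds;
    the page only says "few" Super Admins and "at least annual" review.
    """
    findings = []

    # Store-wide check: too many users who can grant or withdraw authorizations.
    super_admins = [u["email"] for u in users if "Super Admin" in u["roles"]]
    if len(super_admins) > max_super_admins:
        findings.append({"check": "super_admin_count", "user": None,
                         "detail": f"{len(super_admins)} Super Admins: {', '.join(super_admins)}"})

    cutoff = today - timedelta(days=review_interval_days)
    for u in users:
        # Generic personal e-mail domains are outside company authentication policy.
        if email_domain(u["email"]) in GENERIC_DOMAINS:
            findings.append({"check": "generic_email_domain", "user": u["email"],
                             "detail": email_domain(u["email"])})

        # Permissions never reviewed, or reviewed longer ago than the interval.
        last = u.get("last_reviewed")
        if last is None or date.fromisoformat(last) < cutoff:
            findings.append({"check": "stale_review", "user": u["email"],
                             "detail": last or "never reviewed"})

        # Google sign-in should only be offered with 2FA enforced.
        if u["sign_in"] == "google" and not u["mfa"]:
            findings.append({"check": "google_without_2fa", "user": u["email"],
                             "detail": "Google sign-in without 2FA"})
    return findings


def findings_by_check(findings):
    """Count findings per check name, for a quick summary."""
    counts = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed "today"; in practice use date.today().
    results = audit_users(SAMPLE_USERS, date(2021, 12, 10))
    for f in results:
        print(f"[{f['check']}] {f['user'] or '(store)'}: {f['detail']}")
    print(findings_by_check(results))
```

Run it against an export of your own users to get a list of items to act on during the periodic review; the thresholds are arguments so they can be tightened as policy requires.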
