Everyone

Managing Staff Accounts

Create, edit, and delete staff accounts in Opterius Commerce, and understand the access control rules.

Last updated 1776211200

    Admin → Staff

    Staff accounts give team members access to the admin panel. Only users with the super_admin role or the staff.create permission can create new staff accounts. There is no self-registration flow.


    Creating a Staff Account

    1. Go to Admin → Staff → New Staff Member.
    2. Fill in:

    | Field | Notes |
    | --- | --- |
    | Name | Full name, shown in activity logs and ticket replies |
    | Email | Used for login and password reset |
    | Password | Minimum 12 characters recommended |
    | Role | Selects a permission preset (see Roles & Permissions) |

    3. Optionally fine-tune individual permissions using the permissions matrix below the role dropdown. Role preset buttons load the default permission set for each role as a starting point.
    4. Click Save. The new staff member receives a welcome email with a login link.

    [!TIP] Use role preset buttons when creating accounts — they load the standard permission set for that role in one click. You can then selectively tick or untick individual permissions before saving.


    Staff List View

    The staff list shows each account with:

    • Name and email
    • Role badge (colour-coded)
    • Number of active permissions out of 30
    • Last login timestamp (or "Never" if they haven't logged in yet)

    Editing a Staff Account

    1. Click the staff member's name in the list.
    2. Update name, email, role, or individual permissions.
    3. To reset their password, enter a new value in the New Password field (leave blank to keep current).
    4. Click Save.

    [!IMPORTANT] Changing a staff member's role overwrites their permission matrix with the role's default set. If you have customised individual permissions, change the role last and re-apply any custom overrides.


    Deleting a Staff Account

    1. Open the staff record.
    2. Click Delete Staff Member.
    3. A modal prompts you to enter your own password to confirm.
    4. Click Confirm Delete.

    Deletion rules

    • You cannot delete your own account — the delete button is hidden on your own profile.
    • You cannot delete or demote the last super_admin — Commerce prevents the install from being locked out.
    • Deleting a staff account does not delete tickets, invoices, or activity log entries attributed to that account. Those records show the staff name with a "Deleted" badge.

    Account Security Notes

    • Staff passwords are bcrypt-hashed.
    • Staff can enable two-factor authentication themselves under their profile. See Two-Factor Authentication.
    • Login attempts are rate-limited: 5 failed attempts lock the account for 15 minutes.
    • All logins (successful and failed) are recorded in Admin → Activity Log.
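
The lockout rule and the login records described above can be combined when reviewing the Activity Log: the added example below (not Opterius Commerce code) replays login events and reports when each account would have been locked. The event tuple format, the sample data, and three behaviours the page does not specify (failures are counted consecutively, a successful login resets the count, attempts made during a lock are not counted) are assumptions.

```python
from datetime import datetime, timedelta

MAX_FAILED = 5                     # from the page: 5 failed attempts
LOCK_FOR = timedelta(minutes=15)   # from the page: 15-minute lock

# Constructed sample events: (ISO timestamp, staff email, outcome).
# This tuple layout is hypothetical, not a documented export format.
A, B = "alice@example.test", "bob@example.test"
SAMPLE_EVENTS = (
    [(f"2026-01-10T09:00:{s:02d}", A, "failed") for s in range(0, 50, 10)]
    + [("2026-01-10T09:05:00", A, "failed")]            # arrives during the lock
    + [(f"2026-01-10T09:16:{s:02d}", A, "failed") for s in range(0, 50, 10)]
    + [(f"2026-01-10T10:00:{s:02d}", B, "failed") for s in range(0, 40, 10)]
    + [("2026-01-10T10:01:00", B, "success"),
       ("2026-01-10T10:02:00", B, "failed")]
)


def lockout_windows(events):
    """Replay events in time order; return {email: [(locked_at, unlocks_at), ...]}."""
    failures = {}       # email -> consecutive failed attempts
    locked_until = {}   # email -> end of the current lock
    windows = {}
    for ts, email, outcome in sorted(events):
        when = datetime.fromisoformat(ts)
        if email in locked_until and when < locked_until[email]:
            continue    # assumption: attempts during a lock are rejected, not counted
        if outcome == "success":
            failures[email] = 0    # assumption: a successful login resets the count
            continue
        failures[email] = failures.get(email, 0) + 1
        if failures[email] >= MAX_FAILED:
            locked_until[email] = when + LOCK_FOR
            windows.setdefault(email, []).append((when, when + LOCK_FOR))
            failures[email] = 0
    return windows


def repeat_offenders(events, min_locks=2):
    """Accounts locked at least min_locks times: candidates for a closer look."""
    return sorted(e for e, w in lockout_windows(events).items() if len(w) >= min_locks)


if __name__ == "__main__":
    for email, spans in lockout_windows(SAMPLE_EVENTS).items():
        for start, end in spans:
            print(f"{email}: locked {start:%H:%M:%S} until {end:%H:%M:%S}")
    print("repeat lockouts:", repeat_offenders(SAMPLE_EVENTS))
```

An account that is locked again shortly after a lock expires, as the first sample account is, is the pattern worth checking against 2FA enrolment and the source of the attempts.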