Roles & permissions (RBAC)
Sellub uses Vendure’s roles + custom platform-tier roles defined in apps/sellub/sellub-server/admin-config/admins.json.
Role catalog
| Role | Tier | What it can do |
|---|---|---|
| SuperAdmin | Owner | Everything. Can create/destroy admins, change billing, run dangerous ops. Restrict to 1–2 humans. |
| Platform Admin | Staff | Day-to-day platform operations. Approve sellers, manage catalog, view all orders. Cannot manage other admins. |
| Platform Operations | Staff | Heavy lifters for ops & support. Can edit sellers, refund orders, manage withdrawals. Cannot edit roles. |
| Platform Support | Staff | Read-mostly. Investigate orders, look up customers, view sellers. Cannot edit money or seller records. |
| Platform Support Tier 2 | Staff | Support + ability to suspend sellers, reset passwords, refund orders. Bridge to Operations. |
| Platform Onboarding | Staff | Approve/reject seller applications. Cannot touch finance or existing sellers’ data. |
| Platform Marketing | Staff | Edit marketplace collections, featured products, promotions. Read-only on orders/customers. |
| Platform Integrations | Staff | API keys, webhooks, integration configs. No financial or PII access. |
| Finance Admin | Staff | Wallets, withdrawals, reconciliation, adjustments. No catalog edits. |
| Seller | Tenant | The merchant role — see Seller User Guide. Scoped to one channel. |
How permissions are evaluated
- Admin signs in.
- Vendure loads their `Administrator` record + assigned `Roles`.
- Each `Role` has a list of `Permissions` and a list of `Channels`.
- For every action, Vendure checks: does any of the admin’s roles grant this permission on the current channel?
- The dashboard hides UI for actions the admin isn’t permitted to perform.
The `_unmanaged_accounts` field
`admins.json` has an `_unmanaged_accounts` array. These are accounts the sync script will not touch — historical accounts, partner integrations, or test accounts. Useful when you want a record to exist in the database but not be controlled by the JSON.
⚠️ Don’t use `_unmanaged_accounts` to bypass auditing. Every admin should be in `admins.json` with a clear role unless there’s a documented reason.
Adding a new role
See Developers → RBAC internals for the code-level details. From an operator’s view:
- Edit `admins.json`, add the new role to `roles`.
- List its `permissions` from Vendure’s `Permission` enum.
- Pick its `channels` (`__default_channel__`, or specific channel codes, or `*` for all).
- Open a PR. After merge, run `pnpm sync-admins` against the target environment.
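The two procedures above, the role-per-channel check from "How permissions are evaluated" and the pre-merge checks for "Adding a new role", as an added example that is not Sellub's or Vendure's own code. The `roles` / `admins` / `_unmanaged_accounts` shape of `admins.json` is assumed from the keys this guide names, the accounts and channel codes are constructed, and `KNOWN_PERMISSIONS` is a small hand-picked subset standing in for Vendure's `Permission` enum.

```typescript
// Added example: a minimal model of the admins.json role check described above.
// The file shape (roles / admins / _unmanaged_accounts) is assumed, not Sellub's real schema.
type RoleDef = { permissions: string[]; channels: string[] };
type AdminDef = { identifier: string; roles: string[] };

// Constructed subset of Vendure's Permission enum, used to validate new roles.
const KNOWN_PERMISSIONS = new Set(["ReadOrder", "UpdateOrder", "ReadCustomer", "ReadSeller", "UpdateSeller"]);

// Constructed admins.json excerpt (sample accounts and channel codes, not real ones).
const config = {
  roles: {
    "Platform Support": { permissions: ["ReadOrder", "ReadCustomer", "ReadSeller"], channels: ["*"] },
    "Finance Admin": { permissions: ["ReadOrder", "UpdateOrder"], channels: ["__default_channel__"] },
    "Broken Role": { permissions: ["ReadOrdr"], channels: [] },
  } as Record<string, RoleDef>,
  admins: [
    { identifier: "support@example.test", roles: ["Platform Support"] },
    { identifier: "finance@example.test", roles: ["Finance Admin"] },
  ] as AdminDef[],
  _unmanaged_accounts: ["legacy-partner@example.test"],
};

// "*" grants on every channel; otherwise the channel code must be listed explicitly.
function roleCoversChannel(role: RoleDef, channelCode: string): boolean {
  return role.channels.includes("*") || role.channels.includes(channelCode);
}

// The evaluation rule from the guide: any one of the admin's roles that grants the
// permission on the current channel is enough. Unknown admins or roles fail closed.
function hasPermission(adminId: string, permission: string, channelCode: string): boolean {
  const admin = config.admins.find((a) => a.identifier === adminId);
  if (!admin) return false;
  return admin.roles.some((name) => {
    const role = config.roles[name];
    return role !== undefined && role.permissions.includes(permission) && roleCoversChannel(role, channelCode);
  });
}

// Pre-merge sanity check for the "Adding a new role" steps: every permission must
// come from the Permission enum and the role must be scoped to at least one channel.
function validateRole(name: string): string[] {
  const role = config.roles[name];
  if (!role) return [`role ${name} is not defined`];
  const problems = role.permissions.filter((p) => !KNOWN_PERMISSIONS.has(p)).map((p) => `unknown permission ${p}`);
  if (role.channels.length === 0) problems.push("no channels listed");
  return problems;
}
```

Run `validateRole` over every entry in `roles` before opening the PR; a non-empty result is the kind of mistake `pnpm sync-admins` would otherwise push into the target environment.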
Adding an admin
See Managing admins.