Roles & Permissions Add-On
The SubloginRole add-on provides a sophisticated permission system with roles, groups, and 30+ granular permissions.
Overview
The Roles & Permissions add-on extends the base Sublogin module with:
- Roles: Define custom roles with specific permissions
- Groups: Hierarchical organization structure
- Permissions: 30+ predefined permissions covering all aspects
- Hierarchical Access: All/Same Level/Lower Level permissions
Installation
composer config bearer.repo.softwaresilo.io <token>
composer config repositories.softwaresilo composer https://repo.softwaresilo.io/
composer require mageb2b/sublogin-role:*
php bin/magento module:enable MageB2B_SubloginRole
php bin/magento setup:upgrade
php bin/magento cache:flush
Core Concepts
Roles
A role is a collection of permissions that can be assigned to sublogins.
Example Roles:
- Purchaser: Can view products, add to cart, and place orders
- Manager: Full access including order approval
- Sales Rep: Can view products but cannot checkout
- Viewer: Read-only access to orders and products
Groups
Groups create a hierarchical organization structure.
Example Structure:
Customer Account
├── General (Group, Level 0)
│   ├── Branch A (Group, Level 1)
│   │   ├── Department 1 (Group, Level 2)
│   │   └── Department 2 (Group, Level 2)
│   └── Branch B (Group, Level 1)
│       ├── Sales Team (Group, Level 2)
│       └── Support Team (Group, Level 2)
Permissions
Permissions control what actions sublogins can perform.
Permission Categories:
- Catalog
- Checkout
- Order
- Invoice
- Sublogin Management
- Role Management
- Wishlist
Available Permissions
Catalog Permissions
- view_product_list - View product listings
- view_product_details - View product detail pages
- view_product_prices - See product prices
Checkout Permissions
- add_product_to_cart - Add products to cart
- view_cart - View shopping cart
- view_checkout - Access checkout page
- place_order - Complete order placement
Order Permissions
- view_order_all - View all customer orders
- view_order_same_level - View orders from same group level
- view_order_lower_level - View orders from lower group levels
Invoice Permissions
- view_invoice_all - View all invoices
- view_invoice_same_level - View invoices from same level
- view_invoice_lower_level - View invoices from lower levels
Sublogin Management Permissions
- list - View sublogin list
- save - Create new sublogins
- edit_all - Edit all sublogins
- edit_same_level - Edit sublogins at same level
- edit_lower_level - Edit sublogins at lower levels
- login_as_sublogin_all - Impersonate any sublogin
- login_as_sublogin_same_level - Impersonate same level
- login_as_sublogin_lower_level - Impersonate lower levels
- delete_all - Delete any sublogin
- delete_same_level - Delete same level sublogins
- delete_lower_level - Delete lower level sublogins
- delete_own_account - Delete own account
Role Management Permissions
- list - View roles
- save - Create/edit roles
- delete - Delete roles
- list_group - View groups
- save_group - Create/edit groups
- delete_group - Delete groups
Wishlist Permissions
- view_wishlist - View wishlist
Order Approval Permissions (requires Order Approval add-on)
- approve_order_all - Approve any order
- approve_order_same_level - Approve same level orders
- approve_order_lower_level - Approve lower level orders
- decline_order_all - Decline any order
- decline_order_same_level - Decline same level orders
- decline_order_lower_level - Decline lower level orders
Budget Permissions (requires Budget add-on)
- view_own_budget - View own budget
- manage_budget - Manage budgets
Creating Roles
Step 1: Navigate to Roles
- Log in to Magento Admin
- Go to Customers > Sublogin Roles
- Click Add New Role
Step 2: Basic Information
Role Name
Purchaser
Description
Can view products, add to cart, and place orders
Customer
Select the customer account this role belongs to.
Step 3: Assign Permissions
Check the permissions this role should have:
For Purchaser Role:
- view_product_list
- view_product_details
- view_product_prices
- add_product_to_cart
- view_cart
- view_checkout
- place_order
- view_order_all
- ☐ edit_all (no sublogin management)
- ☐ approve_order_all (no approval rights)
Step 4: Save Role
Click Save Role
Creating Groups
Step 1: Navigate to Groups
- Go to Customers > Sublogin Groups
- Click Add New Group
Step 2: Group Information
Group Name
Branch A
Description
East Coast Branch
Parent Group
Select parent group (or "General" for top-level)
Customer
Select the customer account
Step 3: Save Group
Click Save Group
The group will be assigned a level automatically based on its parent.
Assigning Roles to Sublogins
Method 1: During Sublogin Creation
- Create new sublogin
- In "Role" dropdown, select the role
- In "Group" dropdown, select the group
- Save sublogin
Method 2: Edit Existing Sublogin
- Edit sublogin
- Change "Role" dropdown
- Change "Group" dropdown
- Save sublogin
Hierarchical Permissions
Hierarchical permissions use the group structure to determine access.
Example Scenario
Customer Account
├── General (Level 0)
│   ├── Branch A (Level 1)
│   │   ├── Sublogin A1 (Manager)
│   │   └── Sublogin A2 (Employee)
│   └── Branch B (Level 1)
│       └── Sublogin B1 (Employee)
Sublogin A1 (Manager) with view_order_same_level:
- Can view orders from: Sublogin A1, Sublogin A2 (same branch)
- Cannot view orders from: Sublogin B1 (different branch)
Sublogin A1 (Manager) with view_order_lower_level:
- Can view orders from: Sublogin A2 (lower in hierarchy)
- Cannot view orders from: Sublogin B1 (different branch)
Sublogin A1 (Manager) with view_order_all:
- Can view orders from: All sublogins (A1, A2, B1)
Permission Resolution
The system resolves permissions in this order:
- Custom Permission Provider (if defined via DI)
- Context-Aware Check (collection filtering, entity checks)
- Direct Permission Match (sublogin has permission via role)
- Default Permission (defined in sublogin_acl.xml)
Default Permissions
Each permission can have a default behavior:
- allow - Allowed if not explicitly denied
- disallow - Denied if not explicitly allowed
Custom Permissions
You can add custom permissions via sublogin_acl.xml:
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <acl>
        <resources>
            <resource id="Magento_Sublogin::all">
                <resource id="MyCompany_MyModule::all" title="Custom Permissions" sortOrder="100">
                    <resource
                        id="MyCompany_MyModule::my_permission"
                        title="My Custom Permission"
                        sortOrder="10"
                        showInFrontend="true"
                        showInAdmin="false"
                        defaultPermission="allow"
                        priority="200"
                    />
                </resource>
            </resource>
        </resources>
    </acl>
</config>
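An added example (not code from the add-on or its vendor): a PHP CLI check that reads a sublogin_acl.xml document and reports every permission declared with defaultPermission="allow", which is what the resolution order above falls back to when no role match decides. The function name auditSubloginAcl, the sample XML and the export_orders, edit_notes and bulk_reorder ids are constructed for illustration; only the attribute names come from the XML above.

```php
<?php
declare(strict_types=1);
// Added example, not shipped with the add-on: report permissions in a
// sublogin_acl.xml document that are granted by default (fail open).
function auditSubloginAcl(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing.
    if (!@$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('ACL file is not well-formed XML');
    }
    $findings = [];
    foreach ($doc->getElementsByTagName('resource') as $node) {
        $id = $node->getAttribute('id');
        $isLeaf = $node->getElementsByTagName('resource')->length === 0;
        if (!$node->hasAttribute('defaultPermission')) {
            if ($isLeaf) { // a leaf permission with no declared default
                $findings[$id] = 'no defaultPermission declared';
            }
            continue; // container nodes such as "...::all" are skipped
        }
        if ($node->getAttribute('defaultPermission') !== 'allow') {
            continue; // "disallow": denied unless explicitly allowed
        }
        // Hidden in both UIs only when both flags are explicitly "false".
        $hidden = $node->getAttribute('showInFrontend') === 'false'
            && $node->getAttribute('showInAdmin') === 'false';
        $findings[$id] = $hidden
            ? 'default allow, hidden in frontend and admin'
            : 'default allow';
    }
    return $findings;
}

// Constructed sample; the three MyCompany_MyModule permission ids are placeholders.
$sample = <<<'XML'
<config><acl><resources>
  <resource id="Magento_Sublogin::all">
    <resource id="MyCompany_MyModule::all" title="Custom Permissions">
      <resource id="MyCompany_MyModule::export_orders" defaultPermission="allow" showInFrontend="true" showInAdmin="false"/>
      <resource id="MyCompany_MyModule::edit_notes" defaultPermission="disallow" showInFrontend="true" showInAdmin="true"/>
      <resource id="MyCompany_MyModule::bulk_reorder" defaultPermission="allow" showInFrontend="false" showInAdmin="false"/>
    </resource>
  </resource>
</resources></acl></config>
XML;

print_r(auditSubloginAcl($sample));
```

To review a real module, pass the contents of its sublogin_acl.xml (for example via file_get_contents()) instead of $sample.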
Checking Custom Permissions
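<?php
use MageB2B\SubloginRole\Model\AclService;

class MyClass
{
    /** @var AclService */
    private $aclService;

    // AclService is injected through Magento's dependency injection.
    public function __construct(AclService $aclService)
    {
        $this->aclService = $aclService;
    }

    public function myFunction()
    {
        // Check the custom permission declared in sublogin_acl.xml.
        if ($this->aclService->isAllowed('MyCompany_MyModule::my_permission')) {
            // Permission granted
        }
    }
}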
Common Role Examples
Role 1: Full Manager
Permissions:
- All catalog permissions
- All checkout permissions
- view_order_all
- view_invoice_all
- edit_all, delete_all
- approve_order_all, decline_order_all
- manage_budget
Role 2: Department Purchaser
Permissions:
- All catalog permissions
- All checkout permissions
- view_order_same_level
- view_invoice_same_level
- No sublogin management
- No approval rights
Role 3: Sales Representative
Permissions:
- view_product_list
- view_product_details
- view_product_prices
- add_product_to_cart
- view_cart
- No checkout permission
- view_order_same_level (read-only)
Role 4: Order Approver
Permissions:
- view_order_all
- view_invoice_all
- approve_order_lower_level
- decline_order_lower_level
- No purchasing permissions
Troubleshooting
Permission Not Working
- Check if role is assigned to sublogin
- Verify permission is checked in role
- Clear cache
- Check group hierarchy for hierarchical permissions
- Review var/log/system.log for permission errors
Hierarchical Permission Issues
- Verify group structure is correct
- Check parent-child relationships
- Ensure sublogins are assigned to correct groups
- Use the _all permission for testing
Custom Permission Not Showing
- Verify sublogin_acl.xml syntax
- Run setup:upgrade
- Clear cache
- Check showInFrontend and showInAdmin flags