Roles & Permissions Add-On

The SubloginRole add-on provides a sophisticated permission system with roles, groups, and 30+ granular permissions.

Overview

The Roles & Permissions add-on extends the base Sublogin module with:

  • Roles: Define custom roles with specific permissions
  • Groups: Hierarchical organization structure
  • Permissions: 30+ predefined permissions covering all aspects
  • Hierarchical Access: All/Same Level/Lower Level permissions

Installation

composer config bearer.repo.softwaresilo.io
composer config repositories.softwaresilo composer https://repo.softwaresilo.io/
composer require mageb2b/sublogin-role:*
php bin/magento module:enable MageB2B_SubloginRole
php bin/magento setup:upgrade
php bin/magento cache:flush

Core Concepts

Roles

A role is a collection of permissions that can be assigned to sublogins.

Example Roles:

  • Purchaser: Can view products, add to cart, and place orders
  • Manager: Full access including order approval
  • Sales Rep: Can view products but cannot checkout
  • Viewer: Read-only access to orders and products

Groups

Groups create a hierarchical organization structure.

Example Structure:

Customer Account
├── General (Group, Level 0)
│   ├── Branch A (Group, Level 1)
│   │   ├── Department 1 (Group, Level 2)
│   │   └── Department 2 (Group, Level 2)
│   └── Branch B (Group, Level 1)
│       ├── Sales Team (Group, Level 2)
│       └── Support Team (Group, Level 2)

Permissions

Permissions control what actions sublogins can perform.

Permission Categories:

  • Catalog
  • Checkout
  • Order
  • Invoice
  • Sublogin Management
  • Role Management
  • Wishlist

Available Permissions

Catalog Permissions

  • view_product_list - View product listings
  • view_product_details - View product detail pages
  • view_product_prices - See product prices

Checkout Permissions

  • add_product_to_cart - Add products to cart
  • view_cart - View shopping cart
  • view_checkout - Access checkout page
  • place_order - Complete order placement

Order Permissions

  • view_order_all - View all customer orders
  • view_order_same_level - View orders from same group level
  • view_order_lower_level - View orders from lower group levels

Invoice Permissions

  • view_invoice_all - View all invoices
  • view_invoice_same_level - View invoices from same level
  • view_invoice_lower_level - View invoices from lower levels

Sublogin Management Permissions

  • list - View sublogin list
  • save - Create new sublogins
  • edit_all - Edit all sublogins
  • edit_same_level - Edit sublogins at same level
  • edit_lower_level - Edit sublogins at lower levels
  • login_as_sublogin_all - Impersonate any sublogin
  • login_as_sublogin_same_level - Impersonate same level
  • login_as_sublogin_lower_level - Impersonate lower levels
  • delete_all - Delete any sublogin
  • delete_same_level - Delete same level sublogins
  • delete_lower_level - Delete lower level sublogins
  • delete_own_account - Delete own account

Role Management Permissions

  • list - View roles
  • save - Create/edit roles
  • delete - Delete roles
  • list_group - View groups
  • save_group - Create/edit groups
  • delete_group - Delete groups

Wishlist Permissions

  • view_wishlist - View wishlist

Order Approval Permissions (requires Order Approval add-on)

  • approve_order_all - Approve any order
  • approve_order_same_level - Approve same level orders
  • approve_order_lower_level - Approve lower level orders
  • decline_order_all - Decline any order
  • decline_order_same_level - Decline same level orders
  • decline_order_lower_level - Decline lower level orders

Budget Permissions (requires Budget add-on)

  • view_own_budget - View own budget
  • manage_budget - Manage budgets

Creating Roles

Step 1: Navigate to Roles

  1. Log in to Magento Admin
  2. Go to Customers > Sublogin Roles
  3. Click Add New Role

Step 2: Basic Information

Role Name

Purchaser

Description

Can view products, add to cart, and place orders

Customer

Select the customer account this role belongs to.

Step 3: Assign Permissions

Check the permissions this role should have:

For Purchaser Role:

  • view_product_list
  • view_product_details
  • view_product_prices
  • add_product_to_cart
  • view_cart
  • view_checkout
  • place_order
  • view_order_all
  • ☐ edit_all (no sublogin management)
  • ☐ approve_order_all (no approval rights)

Step 4: Save Role

Click Save Role

Creating Groups

Step 1: Navigate to Groups

  1. Go to Customers > Sublogin Groups
  2. Click Add New Group

Step 2: Group Information

Group Name

Branch A

Description

East Coast Branch

Parent Group

Select the parent group (or "General" for top-level).

Customer

Select the customer account.

Step 3: Save Group

Click Save Group

The group will be assigned a level automatically based on its parent.

Assigning Roles to Sublogins

Method 1: During Sublogin Creation

  1. Create new sublogin
  2. In "Role" dropdown, select the role
  3. In "Group" dropdown, select the group
  4. Save sublogin

Method 2: Edit Existing Sublogin

  1. Edit sublogin
  2. Change "Role" dropdown
  3. Change "Group" dropdown
  4. Save sublogin

Hierarchical Permissions

Hierarchical permissions use the group structure to determine access.

Example Scenario

Customer Account
├── General (Level 0)
│   ├── Branch A (Level 1)
│   │   ├── Sublogin A1 (Manager)
│   │   └── Sublogin A2 (Employee)
│   └── Branch B (Level 1)
│       └── Sublogin B1 (Employee)

Sublogin A1 (Manager) with view_order_same_level:

  • Can view orders from: Sublogin A1, Sublogin A2 (same branch)
  • Cannot view orders from: Sublogin B1 (different branch)

Sublogin A1 (Manager) with view_order_lower_level:

  • Can view orders from: Sublogin A2 (lower in hierarchy)
  • Cannot view orders from: Sublogin B1 (different branch)

Sublogin A1 (Manager) with view_order_all:

  • Can view orders from: All sublogins (A1, A2, B1)

Permission Resolution

The system resolves permissions in this order:

  1. Custom Permission Provider (if defined via DI)
  2. Context-Aware Check (collection filtering, entity checks)
  3. Direct Permission Match (sublogin has permission via role)
  4. Default Permission (defined in sublogin_acl.xml)

Default Permissions

Each permission can have a default behavior:

  • allow - Allowed if not explicitly denied
  • disallow - Denied if not explicitly allowed
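
A minimal model of the resolution order and default behaviour described above, as an added example that is not the add-on's own code: the function name, the true/false/null stage convention and the sample defaults are assumptions. It shows that a permission whose default is allow is granted even when the role does not list it, which is worth checking when reviewing role definitions.

```php
<?php
declare(strict_types=1);

// Illustrative model only: resolvePermission() and its parameters are hypothetical
// names, not part of MageB2B_SubloginRole. Each stage returns true (allow),
// false (deny) or null (no decision, fall through to the next stage).
function resolvePermission(
    string $permission,
    array $rolePermissions,      // permissions checked in the sublogin's role
    array $defaults,             // permission => 'allow' | 'disallow'
    ?callable $customProvider = null,
    ?callable $contextCheck = null
): array {
    $stages = [
        'custom_provider' => $customProvider,
        'context_check'   => $contextCheck,
        'direct_match'    => static fn (string $p): ?bool =>
            in_array($p, $rolePermissions, true) ? true : null,
    ];
    foreach ($stages as $name => $stage) {
        $decision = $stage !== null ? $stage($permission) : null;
        if ($decision !== null) {
            return ['allowed' => $decision, 'decided_by' => $name];
        }
    }
    // Nothing decided: the default applies. Unknown permissions are denied here.
    $default = $defaults[$permission] ?? 'disallow';
    return ['allowed' => $default === 'allow', 'decided_by' => 'default:' . $default];
}

// Constructed sample data using permission names from this page; the default
// values assigned to them are made up for the demonstration.
$role     = ['view_product_list', 'view_cart'];
$defaults = ['view_wishlist' => 'allow', 'place_order' => 'disallow'];
// Hypothetical custom provider that explicitly denies one permission.
$deny     = static fn (string $p): ?bool => $p === 'view_cart' ? false : null;

foreach (['view_product_list', 'place_order', 'view_wishlist', 'view_cart'] as $p) {
    $r = resolvePermission($p, $role, $defaults, $deny);
    printf("%-18s %-6s (%s)\n", $p, $r['allowed'] ? 'allow' : 'deny', $r['decided_by']);
}
```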

Custom Permissions

You can add custom permissions via sublogin_acl.xml:

Checking Custom Permissions

use MageB2B\SubloginRole\Model\AclService;

class MyClass
{
    private $aclService;

    public function __construct(AclService $aclService)
    {
        $this->aclService = $aclService;
    }

    public function myFunction()
    {
        if ($this->aclService->isAllowed('MyCompany_MyModule::my_permission')) {
            // Permission granted
        }
    }
}

Common Role Examples

Role 1: Full Manager

Permissions:

  • All catalog permissions
  • All checkout permissions
  • view_order_all
  • view_invoice_all
  • edit_all, delete_all
  • approve_order_all, decline_order_all
  • manage_budget

Role 2: Department Purchaser

Permissions:

  • All catalog permissions
  • All checkout permissions
  • view_order_same_level
  • view_invoice_same_level
  • No sublogin management
  • No approval rights

Role 3: Sales Representative

Permissions:

  • view_product_list
  • view_product_details
  • view_product_prices
  • add_product_to_cart
  • view_cart
  • No checkout permission
  • view_order_same_level (read-only)

Role 4: Order Approver

Permissions:

  • view_order_all
  • view_invoice_all
  • approve_order_lower_level
  • decline_order_lower_level
  • No purchasing permissions

Troubleshooting

Permission Not Working

  1. Check if role is assigned to sublogin
  2. Verify permission is checked in role
  3. Clear cache
  4. Check group hierarchy for hierarchical permissions
  5. Review var/log/system.log for permission errors

Hierarchical Permission Issues

  1. Verify group structure is correct
  2. Check parent-child relationships
  3. Ensure sublogins are assigned to correct groups
  4. Use _all permission for testing

Custom Permission Not Showing

  1. Verify sublogin_acl.xml syntax
  2. Run setup:upgrade
  3. Clear cache
  4. Check showInFrontend and showInAdmin flags
