When working with Agencies and Freelancers on your Magento store there are often times when you will want to give them access.


Here is a process to follow that will make it easy to manage, maintain and update as the services you use the agency change or end.


Create a new Agency User Roles

You will most likely have user roles set up internally for your business. When working with agencies we find it useful to have a User Role per Agency.  Reasons to do it this way include:


  • Control access to functions of the site by Agency
  • Add more people from that agency to the user role
  • If your agency changes, you do not need to create a new User Role or worry about them not having access to the part of the website they need.


  1. Go to System > Permissions > User Roles
  2. Create a new role such as SEO Agency, PPC Agency, Content Agency



  3. Under Role Resources choose the functions this agency will be allowed to perform



  4. Save the role


Add users to your new agency role


  1. Go to System > Permissions > All Users  and Add New User
  2. When you create their password create a strong 32 character password. At this moment is really doesnt matter what the password is. You will not be sending it to the user.  (If you are using TwoFactorAuthenication this process might look a little different but the sentiment is the same.)
  3. Once you have completed the user's account details you can select the User Role tab and add them to the agency user role you have created.

  4. Save the user

Give Magento admin access to the new user

This is the important part. A password is only as secure as a secret. Sending an email to the new user with their password gives away their email address and password to the would-be cyber-criminal.


The best way for the new agency user to access the account is to set their own password via the password reset link.


Email your new user and let them know an account has been created for them, and they must now reset their password.


---


Hi [NAME]


I have created an account for you here. If you haven't already received an auto-generated email from our website you can go to this link [YOUR-MAGENTO-ADMIN-URL] and set your password by clicking "Forgot your password"


You'll receive an email to reset your password and get access to the admin of the site.


---


And that's it. Once they have reset the password via the admin page they will be able to access the admin of the site.


This process can be used for pretty much any website CMS. Setting a super-secure password then redirecting your user to set there own via the Forgot Password link is much safer than sending people a password.