Magento provides an interesting case for security and audit requirements because a large mix of staff, including CSRs, product entry specialists, and high-level admins, all need varying levels of access to the system. Your admins need full access to keep the system running, while you may only want a CSR editing orders or customer accounts.
Levels of Access
Magento provides a fairly complex system to manage different levels of access for users and groups. To get started on a restricted access group, log into Magento and navigate to System >> Permissions >> Roles. Create a new role; this could be something like CSR. After you’ve created the role, click on it again and click “Role Resources”. Here you’re able to select the series of actions that a CSR is allowed to take in the Magento admin. In this case, let’s say you select everything under “Sales” and everything under “Customers”. Once you’ve selected everything you need, click “Save Role” at the top right corner of the screen.
Now that you’ve created a role, navigate to System >> Permissions >> Users. You can either add a new user or select an existing user here. During user creation, or afterwards for existing users, click on “User Role” and select the role you’d like the user to have. Save the user and you’re done. The user in question should now have access only to the actions you’ve allowed them.
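Clicking through the admin is fine for setting a role up, but it is worth periodically checking that what is stored still matches what you intended, such as a CSR role that quietly picked up an extra resource, or a user who was "temporarily" moved into the Administrators group. The script below is an added example, not code from Magento or from this extension; it runs an audit of that kind over constructed rows in the shape I assume Magento’s admin_role and admin_rule tables use (role_type 'G' for a group role, 'U' for a user-to-group link, and resource_id 'all' for unrestricted access). The POLICY and APPROVED_ADMINS values are assumptions you would replace with your own.

```python
from collections import defaultdict

# Constructed admin_role rows: (role_id, parent_id, role_type, user_id, role_name).
# Assumed layout: role_type 'G' is a group role, 'U' links a user to its parent group.
ADMIN_ROLE = [
    (1, 0, "G", 0, "Administrators"),
    (2, 0, "G", 0, "CSR"),
    (3, 1, "U", 10, "alice"),  # approved administrator
    (4, 2, "U", 11, "bob"),    # CSR
    (5, 1, "U", 12, "carol"),  # CSR who was "temporarily" put in Administrators
]

# Constructed admin_rule rows: (role_id, resource_id, permission).
# Assumed convention: resource_id 'all' means unrestricted admin access.
ADMIN_RULE = [
    (1, "all", "allow"),
    (2, "admin/sales", "allow"),
    (2, "admin/sales/order", "allow"),
    (2, "admin/customer", "allow"),
    (2, "admin/customer/manage", "allow"),
    (2, "admin/system/config", "allow"),  # slipped into the CSR role by mistake
]

# Assumed policy: what each role is supposed to hold, and who may hold 'all'.
POLICY = {"Administrators": {"all"}, "CSR": {"admin/sales", "admin/customer"}}
APPROVED_ADMINS = {"alice"}

def covered(resource, allowed):
    """True if resource equals an allowed entry or sits below it in the ACL tree."""
    return any(resource == a or resource.startswith(a + "/") for a in allowed)

def effective_access(role_rows, rule_rows):
    """Map user name -> (group role name, set of allowed resource ids)."""
    allowed = defaultdict(set)
    for role_id, resource_id, permission in rule_rows:
        if permission == "allow":
            allowed[role_id].add(resource_id)
    names = {r[0]: r[4] for r in role_rows if r[2] == "G"}
    return {r[4]: (names[r[1]], set(allowed[r[1]])) for r in role_rows if r[2] == "U"}

def audit(role_rows, rule_rows, policy=POLICY, approved_admins=APPROVED_ADMINS):
    """Return (user, issue) findings where effective access exceeds policy."""
    findings = []
    for user, (role, resources) in effective_access(role_rows, rule_rows).items():
        if "all" in resources and user not in approved_admins:
            findings.append((user, f"unrestricted access via role {role}, not an approved admin"))
        extra = sorted(r for r in resources if not covered(r, policy.get(role, set())))
        if extra:
            findings.append((user, f"role {role} grants resources outside policy: {', '.join(extra)}"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(ADMIN_ROLE, ADMIN_RULE):
        print(f"{user}: {issue}")
```

Against a live store you would feed the two lists from a read-only query of the same tables and keep the policy in version control alongside the role definitions.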
We’ve restricted access, but there are multiple concerns still to address. Namely, who did what? How do you know which CSR helped which customer and what they did? This is what led us to write Advanced Order Edit & Tracking for Magento. This extension focuses on allowing an order to be edited without re-creating it, as well as tracking who the last person to modify an order was and what they did. This helps leave a solid audit trail and can improve customer service by letting you track customer interactions more accurately. Check out the link below for more information.