{"section":"tutorials","requestedLocale":"en","requestedSlug":"best-practices-for-store-access-management","locale":"en","slug":"best-practices-for-store-access-management","path":"docs/en/tutorials/security/store-security/best-practices-for-store-access-management.md","branch":"main","content":"Properly managing store access is essential to ensuring security and operational continuity. User permissions must be handled carefully to minimize risks and ensure that each user only has the access needed to perform their tasks.\n\nAllowing multiple users to access your store may be convenient, but inadequate permission management can lead to serious consequences, including data loss, process failures, integration disruptions, and impact on sales.\n\nTo mitigate these risks, follow these best practices for access management and keep your store secure.\n\n## Restrict the use of the Admin Super role\n\nThe [Admin Super role](/en/docs/tutorials/roles) allows critical changes to the store. You should limit its use to as few users as possible. Additionally, restrict the number of users who can grant or revoke authorizations.\n\n## Regularly review user and API key permissions\n\nReview the administrative user and API key [roles](/en/docs/tutorials/roles) of the store at least once a year to ensure that only necessary users and keys have access permissions.\n\nFollow the **principle of least privilege**, granting users only the permissions they strictly need. This minimizes the risk of improper access and reduces the impact of operational errors or malicious actions.\n\nSegregating responsibilities also enhances security, ensuring each user or key has permissions aligned with their role in the organization.\n\nTo do this, create different roles with access levels tailored to specific job responsibilities. 
Learn how to create custom roles in [Creating roles](/en/docs/tutorials/creating-roles#creating-custom-roles).\n\n## Use single sign-on (SSO)\n\nUsing [single sign-on (SSO)](https://developers.vtex.com/docs/guides/login-integration-guide) simplifies access management, allowing automation for granting and revoking access as employees move within the company.\n\n## Use corporate emails whenever possible\n\nAvoid using personal emails from generic domains such as `@gmail` or `@hotmail`. Instead, use corporate emails, which provide greater control and security, as they follow company authentication policies.\n\n## Don't share generic email accounts\n\nAvoid using shared accounts, such as when several users have the credentials of a generic email. Instead of `admin@company.com`, assign individual accounts such as `joana@company.com`, ensuring that each email is accessed exclusively by a single employee. Each user must have an account in the Admin, with permissions that match their access needs.\n\nShared accounts also make it difficult to use multifactor authentication (MFA), a highly recommended security layer. MFA requires user confirmation, as the account is linked to a specific person or device. By assigning individual accounts and roles, MFA can be enabled per user without disrupting access. Learn how to activate MFA in [Enabling two-factor authentication (2FA)](/en/docs/tutorials/enabling-2-factor-authentication-login).\n\n## Define a sponsor user for account security\n\nAssign the [sponsor user](/en/docs/tutorials/what-is-the-sponsor-user) only to someone who actually oversees access management, or in other words, who constantly monitors user creation and updates. They should regularly review permissions and ensure that only authorized users have access.\n\n## Require two-factor authentication (2FA) for Google login\n\nIf your store allows login via Google, require two-factor authentication (2FA). 
This extra layer of security significantly reduces unauthorized access risks. See [Enabling two-factor authentication (2FA)](/en/docs/tutorials/enabling-2-factor-authentication-login) to learn how to enable this feature.\n\n## Learn more\n\n* [Access control](/en/subcategory/access-control--1HSqkejwuYcQSMC400uY84)\n* [Roles](/en/docs/tutorials/roles)\n* [Login (SSO)](https://developers.vtex.com/docs/guides/login-integration-guide)\n* [Enabling two-factor authentication login](/en/docs/tutorials/enabling-2-factor-authentication-login)"}