# Webshop permissions reference

> Find the Unity roles required to administer Unity Webshops in the Dashboard or through the Admin API.

Unity Cloud roles control access to webshops. Use the dedicated webshop roles for least-privilege administration. Broader Unity Cloud user types, such as Owner, Manager, and User, also include webshop permissions through inheritance.

This page lists the available roles, what each role grants, and which role each operation requires.

## Dedicated webshop roles

The dedicated webshop roles are part of the **Monetization** role suite and apply at the project level. You can assign them to users and Service Accounts.

| Role               | Webshop access                                                                                                                                                                                                  | Permissions granted                                                                                                                                                               |
| ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Webshop Viewer** | Read-only access to a project's webshops and webshop configurations.                                                                                                                                            | `webshop.configs.get`, `webshop.configs.list`                                                                                                                                     |
| **Webshop Editor** | Full webshop administration, including creating, updating, deleting, publishing, unpublishing, generating themes, uploading branding, switching environments, and applying non-production drafts to production. | `webshop.configs.get`, `webshop.configs.list`, `webshop.configs.create`, `webshop.configs.update`, `webshop.configs.delete`, `webshop.configs.publish`, `webshop.themes.generate` |

For Service Accounts, use the dedicated roles when possible. They grant only the webshop permissions required for administration.

## Roles that inherit webshop access

Standard [user types](/cloud/organizations/roles-and-permissions.md) include webshop permissions through their existing scopes. A team member who already has one of these roles can access webshops without an additional role.

| Role        | Scope        | Webshop access                                                                                             |
| ----------- | ------------ | ---------------------------------------------------------------------------------------------------------- |
| **Owner**   | Organization | Full webshop administration, plus the broader organization-level permissions that the Owner role inherits. |
| **Manager** | Organization | Full webshop administration.                                                                               |
| **User**    | Project      | Read-only access with `webshop.configs.get`, `webshop.configs.list`.                                       |

Dashboard users often already have access through one of these roles. Use the dedicated Webshop Viewer and Webshop Editor roles when you want to grant only webshop permissions without the broader privileges of an inheriting role. This is especially useful for Service Accounts that you use in automation.

## Operations and required role

The following table lists each webshop operation, the dedicated role it requires, and the inheriting role that also grants it.

| Operation                                         | Required role                | Inheriting role                     |
| ------------------------------------------------- | ---------------------------- | ----------------------------------- |
| List webshops                                     | **Webshop Viewer** or higher | **User**, **Manager**, or **Owner** |
| Get a webshop's configuration                     | **Webshop Viewer** or higher | **User**, **Manager**, or **Owner** |
| Create a webshop                                  | **Webshop Editor**           | **Manager** or **Owner**            |
| Update slug, name, or deep link target            | **Webshop Editor**           | **Manager** or **Owner**            |
| Upload branding media (hero banner, thumbnail)    | **Webshop Editor**           | **Manager** or **Owner**            |
| Upload reference screenshots for theme generation | **Webshop Editor**           | **Manager** or **Owner**            |
| Generate a theme with AI                          | **Webshop Editor**           | **Manager** or **Owner**            |
| Save a theme to a draft                           | **Webshop Editor**           | **Manager** or **Owner**            |
| Apply a non-production draft to production        | **Webshop Editor**           | **Manager** or **Owner**            |
| Publish or unpublish a webshop                    | **Webshop Editor**           | **Manager** or **Owner**            |
| Delete a webshop                                  | **Webshop Editor**           | **Manager** or **Owner**            |

## Service Accounts

Assign Service Account roles in the **Service Accounts** section of the Unity Dashboard. Use **Webshop Editor** for full Admin API access, or **Webshop Viewer** for read-only programmatic access.

The Admin API also requires the **Unity Environments Viewer** role to resolve environment IDs. Without this role, environment-scoped requests fail with a `403` response.

For instructions on creating a Service Account, assigning roles, and generating a base64-encoded key, refer to the [Service Account authentication guide](https://services.docs.unity.com/docs/service-account-auth/).
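The following least-privilege check is an added example, not Unity code: it encodes the role and operation tables from this page and audits a hand-maintained inventory of Service Accounts against the operations their automation performs. The `audit` function, the record fields (`name`, `roles`, `operations`), and the sample inventory are assumptions made for illustration; nothing here calls a Unity API.

```python
# Added example: role and operation data transcribed from the tables on this page.
VIEWER_PERMS = {"webshop.configs.get", "webshop.configs.list"}
EDITOR_PERMS = VIEWER_PERMS | {
    "webshop.configs.create", "webshop.configs.update", "webshop.configs.delete",
    "webshop.configs.publish", "webshop.themes.generate",
}
READ_OPS = {"List webshops", "Get a webshop's configuration"}
WRITE_OPS = {
    "Create a webshop", "Update slug, name, or deep link target",
    "Upload branding media (hero banner, thumbnail)",
    "Upload reference screenshots for theme generation",
    "Generate a theme with AI", "Save a theme to a draft",
    "Apply a non-production draft to production", "Delete a webshop",
    "Publish or unpublish a webshop",
}
EDIT_ROLES = {"Webshop Editor", "Manager", "Owner"}
VIEW_ROLES = EDIT_ROLES | {"Webshop Viewer", "User"}
BROAD_ROLES = {"Owner", "Manager", "User"}  # grant more than webshop access
ENV_ROLE = "Unity Environments Viewer"


def audit(account):
    """Return least-privilege findings for one Service Account record."""
    roles, ops = set(account["roles"]), set(account["operations"])
    unknown = ops - READ_OPS - WRITE_OPS
    if unknown:
        raise ValueError(f"operations not in the page's table: {sorted(unknown)}")
    needed = "Webshop Editor" if ops & WRITE_OPS else "Webshop Viewer"
    sufficient = EDIT_ROLES if needed == "Webshop Editor" else VIEW_ROLES
    findings = []
    if not roles & sufficient:
        findings.append(f"insufficient: needs {needed}")
    for role in sorted(roles & BROAD_ROLES):
        findings.append(f"broad role {role}: replace with {needed}")
    if needed == "Webshop Viewer" and "Webshop Editor" in roles:
        unused = sorted(EDITOR_PERMS - VIEWER_PERMS)
        findings.append(f"over-privileged: Webshop Editor adds unused {unused}")
    if ENV_ROLE not in roles:
        findings.append(f"missing {ENV_ROLE}: environment-scoped requests return 403")
    return findings


# Constructed sample inventory (hypothetical names, not exported from Unity).
INVENTORY = [
    {"name": "ci-publisher", "roles": ["Manager"], "operations": ["Publish or unpublish a webshop"]},
    {"name": "catalog-reader", "roles": ["Webshop Editor", ENV_ROLE], "operations": ["List webshops"]},
    {"name": "theme-bot", "roles": ["Webshop Editor", ENV_ROLE], "operations": ["Generate a theme with AI"]},
]
if __name__ == "__main__":
    for sa in INVENTORY:
        print(sa["name"], audit(sa) or "ok")
```

An empty findings list means the account holds a dedicated role that matches its operations and also has the environment role the Admin API needs.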

## Dashboard access

Dashboard access uses the account permissions of the signed-in user, not Service Account roles. A team member with the **Webshop Viewer** role or any inheriting role such as **User**, **Manager**, or **Owner** can see the **Webshop** section and administer the webshop in the Dashboard according to their level of access.
