Modern SaaS platforms like Shopify allow multiple staff members to manage stores with fine-grained access controls. Admins, managers, support teams โ each role needs the right balance between access, security, and performance.
When designing such a system, two questions immediately appear:
- 1. How do we authenticate staff (who are they)?
- 2. How do we authorize them (what can they do)?
And the big architectural question behind all of this:
Where do we store and fetch those permissions โ Redis, SQL, or MongoDB?
In this post, we'll explore how Shopify-like platforms structure staff permissions, compare three backend options โRedis-only, Postgres/MySQL + Redis, and MongoDB + Redis โ and finish with a practical recommendation based on cost, performance, and durability.
โ๏ธ How Staff Authentication & Authorization Work (Shopify Style)
- โข Authentication (AuthN) confirms identity โ typically via password, OAuth, or SSO.
- โข Authorization (AuthZ) defines access โ via roles and permissions.
- โข Audit trail tracks every permission or role change.
Shopify applies Role-Based Access Control (RBAC) layered with Store Scope. Each staff user belongs to one or more roles that define permissions (e.g., read_orders, write_products).
๐งฑ Design Requirements
When building this for your own SaaS or retail platform, these are your non-negotiables:
๐ Option 1: Redis-Only
โ Pros
- โข Ultra-fast reads (sub-millisecond)
- โข Simple โ no joins or ORM needed
- โข Great for prototypes or edge-cache style setups
โ Cons
- โข Durability risk (Redis is memory-first)
- โข No query power โ can't easily list "all staff with X permission"
- โข Higher memory costs at scale
- โข Recovery complexity if data lost
๐งฉ Option 2: Postgres/MySQL + Redis (Recommended)
โ Pros
- โข Full durability + ACID transactions
- โข Easy to audit and query
- โข Low-latency reads (cached)
- โข Cost-efficient (Redis only holds hot data)
โ Cons
- โข Cache invalidation logic required
- โข Slightly more complex architecture
๐ฟ Option 3: MongoDB + Redis
โ Pros
- โข Flexible schema โ evolve quickly
- โข Ideal for denormalized permission models
- โข Easier to embed custom scopes per store
โ Cons
- โข Harder to run relational queries
- โข Multi-document transactions slower
- โข More ops complexity (clusters, sharding)
๐พ Schema Example (Postgres + Redis)
CREATE TABLE roles ( id UUID PRIMARY KEY, name TEXT NOT NULL ); CREATE TABLE permissions ( id TEXT PRIMARY KEY ); CREATE TABLE role_permissions ( role_id UUID REFERENCES roles(id), permission_id TEXT REFERENCES permissions(id), PRIMARY KEY(role_id, permission_id) ); CREATE TABLE store_role_assignments ( store_id UUID, user_id UUID, role_id UUID REFERENCES roles(id), scope JSONB, PRIMARY KEY(store_id, user_id) );
Redis Key Pattern
store:{storeId}:user:{userId}:permsJSON Value Example
{
"permissions": ["read_orders", "write_customers"],
"version": 3,
"expires_in": 300
}๐ฐ Cost & Performance Snapshot
| Option | Durability | Read Speed | Query Power | Cost | Recommended For |
|---|---|---|---|---|---|
| Redis-only | Low | โกโกโก | ๐ธ Minimal | ๐ธ High (RAM) | Prototypes |
| Postgres/MySQL + Redis | High | โกโก | โ Strong | ๐ฐ Balanced | Production |
| MongoDB + Redis | High | โกโก | โ๏ธ Medium | ๐ฐ+ | Flexible schemas |
๐ Security Tips
๐งญ Final Recommendation
โ Postgres + Redis = Durability + Performance + Cost Efficiency
Together, they form a scalable, Shopify-grade permission backbone.
๐งฑ MBTEdge Takeaway
Designing staff authorization isn't about the fastest tech โ it's about balancing correctness, consistency, and cost.
Author: MBTEdge Engineering Team
Tags: #Shopify #Redis #Postgres #MongoDB #Architecture #MBTEdge #SaaS #AuthZ #RBAC