Access to StaffMemberPrivateData

Merchants are using our application to do reporting on their user permissions using the users query in REST, and we are now migrating to use the StaffMembers query in GraphQL. In GraphQL the user permissions are available via the StaffMembers query in the StaffMemberPrivateData object (staffMembers.nodes.privateData.permissions), but although the merchants have the read_users scope, when querying the StaffMemberPrivateData we get the following error:

{
  "message": "UserPrivateData access denied",
  "locations": [
    {
      "line": 14,
      "column": 23
    }
  ],
  "path": [
    "nodes",
    0,
    "privateData"
  ],
  "extensions": {
    "code": "ACCESS_DENIED",
    "documentation": "Shopify API access scopes"
  }
},

Which access scope are we missing?

Note that the merchants have access to other StaffMember data fields like names, phone and email.

Hi Mathieu,

So just to confirm, your app does have the read_users access scope?

Hi Liam. Yes this is correct.

It does sound like a scope issue, but if the read_users scope is applied - this should work. If you make the same call in the GraphiQL app, do you get the same error?

Hi Liam. Yes we get the same result. FYI we are using version 2024-10 of the API.

When you added the new scopes, did you re-authenticate the app?

Yes, and I can see it is working, as all other StaffMember fields can be queried.

Can you get these two fields:


I’m thinking permissions is not working due to being deprecated, but the error message suggests it’s related to scopes.

@Liam-Shopify thank you for your suggestion, but I just tried to request these 2 fields and got the same result. See below:
Query:
{
  nodes(ids: ["gid://shopify/StaffMember/123456789"])
  {
    __typename
    id
    ... on StaffMember
    {
      email
      firstName
      lastName
      isShopOwner
      phone
      accountType
      privateData
      {
        accountSettingsUrl
        createdAt
      }
    }
  }
}

Result:
{
  "errors": [
    {
      "message": "UserPrivateData access denied",
      "locations": [
        {
          "line": 14,
          "column": 9
        }
      ],
      "path": [
        "nodes",
        0,
        "privateData"
      ],
      "extensions": {
        "code": "ACCESS_DENIED",
        "documentation": "Shopify API access scopes"
      }
    }
  ]
}
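
An added example, not part of any post in this thread: in a permissions report, a privateData field that came back as ACCESS_DENIED has to be recorded as unknown, never as an empty permission list. The error is the one posted above; the function names, the status labels, the success response and its permission values are assumptions made for illustration.

```python
# Added example, not from the thread. Error shape copied from the posted result.
GID = "gid://shopify/StaffMember/123456789"
DENIED_RESPONSE = {"errors": [{
    "message": "UserPrivateData access denied",
    "path": ["nodes", 0, "privateData"],
    "extensions": {"code": "ACCESS_DENIED"},
}]}
# Constructed success response; the permission values are placeholders.
OK_RESPONSE = {"data": {"nodes": [
    {"id": GID, "privateData": {"permissions": ["ORDERS", "PRODUCTS"]}},
]}}


def denied_paths(response):
    """Paths (as tuples) of every error whose extensions.code is ACCESS_DENIED."""
    paths = set()
    for err in response.get("errors") or []:
        code = (err.get("extensions") or {}).get("code")
        if code == "ACCESS_DENIED" and err.get("path"):
            paths.add(tuple(err["path"]))
    return paths


def related(error_path, field_path):
    """True if the error sits at the field, beneath it, or at one of its ancestors."""
    k = min(len(error_path), len(field_path))
    return error_path[:k] == field_path[:k]


def permissions_report(response, ids):
    """One row per requested id; permissions is None whenever the value is unknown."""
    denied = denied_paths(response)
    nodes = (response.get("data") or {}).get("nodes") or [None] * len(ids)
    rows = []
    for i, (gid, node) in enumerate(zip(ids, nodes)):
        private = (node or {}).get("privateData")
        if any(related(p, ("nodes", i, "privateData")) for p in denied):
            status, perms = "ACCESS_DENIED", None
        elif isinstance(private, dict) and "permissions" in private:
            status, perms = "OK", private["permissions"]
        else:
            status, perms = "NOT_RETURNED", None
        rows.append({"id": gid, "status": status, "permissions": perms})
    return rows


if __name__ == "__main__":
    for resp in (DENIED_RESPONSE, OK_RESPONSE):
        print(permissions_report(resp, [GID]))
```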