[Bug] Order Staff Member ID

JordanFinners · July 31, 2025, 10:57am

Hi,
On orders if you want to access the staff member who sold an item you need the magic read_users permission to access the staffMember.
However, I believe we should be able to access the ID only without the read users permission.
We used to be able to do this on REST in user_id and can access the staff ids on other resources without this permission.

KyleG-Shopify · July 31, 2025, 5:14pm

Hey @JordanFinners,

I can take a look in to this to see if it’s expected or not with Graphql, as staffMember does require that scope.

I tested a few other objects but all staff member id fields required this permission. Do you mean other resources in the REST api or do you see this in Graphql?

Looking at alternatives, the order events connection has the author field that would be the staff name that is attributed to certain events, but doesn’t have the GID. Possible workaround when the specific GID isn’t needed.

JordanFinners · August 1, 2025, 8:20am

Sorry so what I mean is we could access the IDs so we could provide some information to merchants without the full scope. As there is little harm/risk in providing an ID.

For example:

In REST we could always access the ID even if we couldn’t access the full user resource so we could atleast provide some information
In the webhooks we still have these IDs available to us so I could get it from there and save it to my database but trying to use Shopify API.
With Customer information we can access the ID but then there is addition PII forms to fill out for customer name etc which makes sense.
We can access the users ID in the session token/online access token so why not allow us to see the user ID here.

I understand the permission issue causing the ability to not access the field but I think we should be able to access the ID field without permission as it low risk and we can access it in other places anyway

KyleG-Shopify · August 1, 2025, 3:13pm

Thanks for the clarification Jordan. I’m consulting with our teams about this.

KyleG-Shopify · August 7, 2025, 2:27pm

Hey @JordanFinners

Closing the loop here. I’ve talked with our teams and the current scopes are the expected behaviour.

I’ve submitted a feature request both for adjusting the scope requirement for the id field (as it’s available in other places already) or alternatively adding a new staff id field specifically to the orderObject.

Topic		Replies	Views
Access scope to access StaffMember Id with public apps GraphQL Admin API Troubleshooting general-gql-troubles	4	137	March 12, 2025
Public Non-Financial Apps Need read_users Scope GraphQL Admin API Troubleshooting general-gql-troubles	5	179	October 7, 2025
Issue getting pos staff accounts GraphQL Admin API Troubleshooting general-gql-troubles	3	94	January 13, 2025
Access to StaffMemberPrivateData GraphQL Admin API Troubleshooting rest-migration , general-gql-troubles	8	215	March 6, 2025
Why isn't the `read_users` access scope documented as "custom app" only? GraphQL Admin API Troubleshooting general-gql-troubles	13	195	February 12, 2026

[Bug] Order Staff Member ID

Related topics