
Roles & Permissions

SaaSykit Tenancy comes with a built-in roles & permissions system that lets your tenants assign roles & permissions to their team members, so they can control what each team member can do within the tenant.

SaaSykit uses Spatie's Laravel Permission package under the hood to manage roles & permissions.

Change team member role

By default, SaaSykit Tenancy comes with the following tenant roles:

  • Admin: The admin has full control over the tenant: they can invite users, assign roles & permissions, remove users, manage subscriptions and billing, and more.
  • User: A limited role that only lets a tenant user view the tenant panel. You can extend this role with additional permissions to fit your application's needs.

Defining new roles & permissions

To define new roles & permissions for your tenants, edit the RolesAndPermissionsSeeder in database/seeders/RolesAndPermissionsSeeder.php.

In particular, have a look at the method called multiTenancyRolesAndPermissions, where all the default roles & permissions are defined.
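As an added example (not SaaSykit's own seeder), the following seeder shows how a tenant role can be defined with the Spatie models the package builds on. The permission and role names ("billing-manager", "manage subscriptions", and so on), the seeder class name and the "web" guard are assumptions for illustration; in your project the definitions belong in multiTenancyRolesAndPermissions, using the names your policies actually check.

```php
<?php

// Added example, not code from SaaSykit: defines tenant roles and permissions
// with Spatie's Role/Permission models. All names below are assumptions.

namespace Database\Seeders;

use Illuminate\Database\Seeder;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;

class ExtraTenantRolesSeeder extends Seeder
{
    // Hypothetical permission names; replace them with the ones your policies check.
    private const PERMISSIONS = [
        'view tenant',
        'manage team members',
        'manage subscriptions',
        'view orders',
    ];

    // Role => permissions granted to it. Keep this least-privilege: the limited
    // "user" role only gets view access, and a billing role gets nothing that
    // would let it add or remove team members.
    private const ROLES = [
        'admin'           => self::PERMISSIONS,
        'billing-manager' => ['view tenant', 'manage subscriptions', 'view orders'],
        'user'            => ['view tenant'],
    ];

    public function run(): void
    {
        // Spatie caches permissions; reset the cache so this run sees a
        // consistent state and the app picks up the new definitions afterwards.
        app()[PermissionRegistrar::class]->forgetCachedPermissions();

        foreach (self::PERMISSIONS as $name) {
            // findOrCreate keeps the seeder idempotent: re-running it does not throw.
            Permission::findOrCreate($name, 'web');
        }

        foreach (self::ROLES as $roleName => $permissions) {
            $role = Role::findOrCreate($roleName, 'web');
            // syncPermissions replaces the role's permission set, so a permission
            // removed from ROLES above is revoked on the next run instead of
            // lingering as a stale grant.
            $role->syncPermissions($permissions);
        }
    }
}
```

Run it with php artisan db:seed --class=ExtraTenantRolesSeeder. Because both the permissions and the role-to-permission mapping are declared in one place and synced rather than appended, the seeder doubles as the auditable source of truth for what each tenant role can do.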

Assigning & checking against roles & permissions

SaaSykit Tenancy allows a user to be a member of multiple tenants, so the User and Tenant models have a many-to-many relationship.

Because of this, roles & permissions are not assigned directly to the User model but to the role_user pivot table, which records the roles & permissions a user holds in a specific tenant. A user's role in one tenant therefore says nothing about their access in another, and any check must always name the tenant it applies to.

SaaSykit Tenancy provides a helper class for checking and assigning roles & permissions for a user within a tenant: the TenantPermissionManager class, found in app/Services/TenantPermissionManager.php.

Permission-aware implementation with Filament

If you add resources to the tenant panel (the dashboard panel) and want to ensure that only users with certain roles or permissions can access them, use Laravel Policies.

For each new resource you add to the tenant panel, create a policy that checks whether the user has the required role or permission in the current tenant before allowing access.

See the existing policies in app/Policies (such as SubscriptionPolicy and OrderPolicy) for how they are implemented.
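As an added example covering both the TenantPermissionManager helper and the policy approach (this is not SaaSykit's own code), here is a policy for a hypothetical Project resource in the tenant panel. The Project model, its tenant_id column, the permission names and the tenantUserHasPermissionTo method name are assumptions; use the real method names from app/Services/TenantPermissionManager.php. The tenant is taken from Filament::getTenant(), which Filament resolves from the current panel request rather than from anything the user submits.

```php
<?php

// Added example, not code from SaaSykit: a tenant-scoped Laravel policy for a
// hypothetical Project resource. Permission names, the Project model and the
// TenantPermissionManager method name are assumptions.

namespace App\Policies;

use App\Models\Project;
use App\Models\User;
use App\Services\TenantPermissionManager;
use Filament\Facades\Filament;

class ProjectPolicy
{
    // Laravel resolves policies through the container, so the helper can be injected.
    public function __construct(private TenantPermissionManager $tenantPermissionManager)
    {
    }

    public function viewAny(User $user): bool
    {
        return $this->can($user, 'view projects');
    }

    public function view(User $user, Project $project): bool
    {
        // The record must belong to the current tenant as well; a permission
        // check alone would still let a user open another tenant's project by ID.
        return $this->belongsToCurrentTenant($project)
            && $this->can($user, 'view projects');
    }

    public function create(User $user): bool
    {
        return $this->can($user, 'manage projects');
    }

    public function update(User $user, Project $project): bool
    {
        return $this->belongsToCurrentTenant($project)
            && $this->can($user, 'manage projects');
    }

    public function delete(User $user, Project $project): bool
    {
        return $this->belongsToCurrentTenant($project)
            && $this->can($user, 'manage projects');
    }

    private function can(User $user, string $permission): bool
    {
        // Resolve the tenant from the panel, never from user input, so a member
        // of tenant A cannot exercise their tenant-A role against tenant B.
        $tenant = Filament::getTenant();
        if ($tenant === null) {
            return false; // deny by default outside a tenant context
        }

        // Assumed method name on the helper; substitute the real one.
        return $this->tenantPermissionManager->tenantUserHasPermissionTo($tenant, $user, $permission);
    }

    private function belongsToCurrentTenant(Project $project): bool
    {
        $tenant = Filament::getTenant();

        // tenant_id is an assumed column on the hypothetical Project model.
        return $tenant !== null && (int) $project->tenant_id === (int) $tenant->getKey();
    }
}
```

Laravel discovers the policy automatically from the model name (App\Models\Project to App\Policies\ProjectPolicy), and Filament consults viewAny, view, create, update and delete when rendering the resource and its actions. The record-ownership check is deliberately kept in the policy even though Filament's tenancy also scopes resource queries to the current tenant: the policy is what protects any other path to the model (custom actions, API routes, artisan commands) where that query scope is not in play.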