How to Build a Multi-Role Permission System in Laravel (Step-by-Step + GitHub)

In any modern web application like a SaaS platform, an eCommerce store, or a content management system different users need different levels of access.

For example, an Admin should be able to manage everything, while an Editor can only update content, and a User may only view content.

That’s where a Laravel multi-role permission system comes into play.

Implementing solid role-based access control in Laravel ensures your app stays secure, scalable, and future-ready.

Whether you’re a developer building an MVP or an entrepreneur scaling your product, using Laravel’s role logic helps you control who can access what and when.

In this blog, you can learn about Laravel roles and permissions with code.

Plus we also tried to showcase Laravel multi-role permission system so you can use it directly in your code.

What Is Role-Based Access Control (RBAC) in Laravel?

RBAC (Role-Based Access Control) is a security model where access is granted based on a user’s role in the system.

Instead of assigning permissions to each user individually, you assign permissions to roles, and users are assigned those roles.

This makes managing access easier, especially as your app grows.

Role vs Permission vs Policy in Laravel

• Roles: Labels like Admin, Manager, or Customer.
• Permissions: Actions like edit-post, delete-user, or view-orders.
• Policies: Laravel’s built-in way to authorize user actions on models (used when fine-grained control is needed).

So, when should you use RBAC over gates or policies alone?

Use Laravel RBAC when you:

• Need to define multiple roles.
• Want to control access across different modules (users, settings, etc.).
• Prefer a more centralized and scalable permission model.

By combining Laravel roles and permissions, you can build apps that are modular, secure, and easier to maintain.

What Are the Tools That You’ll Need to Build Multi-Role Permission System in Laravel?

To follow this Spatie Laravel permission tutorial and build your own Laravel RBAC system, make sure you have the following tools ready:

• Laravel 10+ (or the latest stable version)
• Spatie Laravel Permission Package: The go-to package for multi-role RBAC logic
• VS Code or any modern code editor
• Composer: For dependency management
• MySQL (or any supported database)
• Access to GitHub to fork or download the sample project

This setup will allow you to implement a Laravel RBAC package quickly and efficiently, whether you’re starting from scratch or integrating it into an existing Laravel app.

How to Set Up the Laravel Project?

Before learning about Laravel roles and permissions, let’s set up a fresh Laravel app from scratch.

Step 1: Install Laravel via Composer

Open your terminal and run:

          composer create-project laravel/laravel laravel-multi-role
        

Navigate into your new Laravel project:

          cd laravel-multi-role
        

This will help to build the Laravel permission system from scratch.

Step 2: Set Up Database and Environment

Edit your .env file and add your database credentials:

          
            DB_DATABASE=laravel_roles
            DB_USERNAME=root
            DB_PASSWORD=yourpassword
          
        

Then create the database manually in MySQL (or use phpMyAdmin).

Step 3: Run Migrations

Run the default migrations to set up users and password resets:

          php artisan migrate
        

If everything runs without error, your Laravel app is ready to implement roles and permissions.

How to Install & Configure Spatie Laravel-Permission Package?

We’ll use the popular Spatie Laravel permission package to manage roles and permissions easily.

Step 1: Install the Package

Add a new field called validation in your schema.

          
              composer require spatie/laravel-permission
          
        

Step 2: Publish Migrations & Config

          
              Php artisan vendor:publish --provider="Spatie\Permission\PermissionServiceProvider"
          
        

This creates the config and migration files.

Step 3: Run Permission Migrations

          
              php artisan migrate
          
        

Now your database has the necessary roles, permissions, and model_has_roles tables.

How to Create Roles and Permissions? (Code Examples)

Let’s create three common roles, Admin, Editor, and Viewer, and assign them relevant permissions.

Step 1: Add Spatie’s HasRoles Trait

In your User.php model:

          
           use Spatie\Permission\Traits\HasRoles;
            class User extends Authenticatable
            {
              use HasRoles;
            }
          
        

Step 2: Create Roles and Permissions (Seeder or Tinker)

You can do this using Tinker or inside a seeder. Example via Tinker:

          
           php artisan tinker
            
            use Spatie\Permission\Models\Role;
            use Spatie\Permission\Models\Permission;
            
            $admin = Role::create(['name' => 'Admin']);
            $editor = Role::create(['name' => 'Editor']);
            $viewer = Role::create(['name' => 'Viewer']);
            
            Permission::create(['name' => 'edit articles']);
            Permission::create(['name' => 'delete articles']);
            Permission::create(['name' => 'view articles']);
            
            $admin->givePermissionTo(['edit articles', 'delete articles', 'view articles']);
            $editor->givePermissionTo(['edit articles', 'view articles']);
            $viewer->givePermissionTo(['view articles']);

          
        

Step 3: Assign Roles to Users

          
            $user = \App\Models\User::find(1);
            $user->assignRole('Admin');
          
        

You can even assign multiple roles like this:

          
            $user->assignRole(['Editor', 'Viewer']);
          
        

See the GitHub code for Multi-Role Permission in Laravel.

How to Implement Middleware for Access Control?

Middleware helps protect your app routes based on roles.

Step 1: Create Middleware to Check Roles

              
                php artisan make:middleware RoleMiddleware
              
            

Update RoleMiddleware.php:

              
                public function handle($request, Closure $next, $role)
                {
                  if (!auth()->check() || !auth()->user()->hasRole($role)) {
                      abort(403);
                  }
                  return $next($request);
                }
              
            

Step 2: Register Middleware in Kernel.php

              
                protected $routeMiddleware = [
                  'role' => \App\Http\Middleware\RoleMiddleware::class,
                ];
              
            

Step 3: Use It in Routes

              
                Route::get('/admin', function () {
                  return 'Welcome, Admin!';
                })->middleware('role:Admin');
              
            

This is how you build a secure Laravel app using Laravel role permission middleware.

How to Protect Routes and Views Based on Roles?

Laravel Blade gives us powerful directives for permission-based UI.

Step 1: Use @role and @can in Blade

              
                @role('Admin')
                    <p>Welcome, Admin!</p>
                @endrole
                
                @can('edit articles')
                  <button>Edit Article</button>
                @endcan
              
        

Step 2: Show/Hide Views by Role

              
                @if(auth()->user()->hasRole('Viewer'))
                  <p>You have read-only access.</p>
                @endif
              
        

This is a perfect way to show content based on your role in Laravel.

How Seven Square Can Help You Build Secure Role-Based Laravel Applications?

At Seven Square, we specialize in creating secure, scalable, and high-performing Laravel applications according to your business needs.

Whether you’re building a multi-user SaaS platform, an admin dashboard, or an enterprise solution, we make complex role and permission logic simple and effective.

Here’s how we can help you:

• Custom Multi-Role Logic Development: We design and implement flexible role-permission systems from simple Admin-User setups to complex multi-layered access hierarchies.
• API and Web Route Protection with Middleware: We implement role-based middleware logic to protect APIs, admin panels, and internal routes from unauthorized access.
• Role-Based Dashboards & Conditional UI Logic: Need a different interface for Admins, Editors, and Users? We create dynamic views using Blade directives to render UI based on roles and permissions.
• Consultation & Code Audit for Existing Laravel Apps: Already have a Laravel app? We’ll audit your current permission logic and upgrade it to a robust RBAC architecture.

Want a Customized Laravel App? Contact Us Now!

What Are the Advanced Policies, Gates & Custom Guards That You Might Want to Add?

While Spatie’s package handles most RBAC needs, sometimes you need more granular control. That’s when Laravel’s native policies and gates shine.

When Should You Use Policies?

• When you want to authorize actions based on specific models.
• When access depends on custom logic, not just roles.

Example Use Case:

Let’s say only Admins can delete posts, but Editors can only edit their own. You can define this in a Laravel policy with roles like:

              
                public function delete(User $user, Post $post)
                {
                  return $user->hasRole('Admin');
                }
              
        

You can also use a Laravel gate with permissions when the logic doesn’t involve eloquent models, like showing/hiding sections in the UI.

These advanced features enhance security and give you flexibility when Spatie alone isn’t enough.