Spatie's Laravel Permission package does not natively support role hierarchy or inheritance. It has no built-in functionality for defining parent-child relationships between roles in which a parent role automatically inherits all permissions of its child roles.
How Spatie Handles Roles and Permissions
- Roles and permissions are stored as separate entities in the database.
- Permissions are assigned directly to roles.
- Users are assigned roles, and through those roles, they gain the associated permissions.
- You can also assign permissions directly to users.
- When checking permissions, the package looks at all permissions assigned directly to the user plus those inherited via roles.
Role Hierarchy and Inheritance
- The package treats roles as flat entities without any hierarchy.
- There is no built-in mechanism to assign one role to another or to have a "parent role" that automatically inherits all permissions of "child roles" [1][4].
- Users can have multiple roles assigned, which allows for flexibility in combining permissions from different roles rather than relying on hierarchical inheritance [2].
Common Approaches to Implement Role Hierarchy with Spatie
Since Spatie does not support role inheritance, developers often implement workarounds such as:
- Assigning all permissions explicitly to higher-level roles: Instead of inheriting permissions from child roles, you manually assign all relevant permissions to each role, so that a higher-level role such as "super-admin" explicitly holds all permissions of the lower roles [2][5].
- Ranking roles with integer values: Some developers assign a rank or level to roles (e.g., 1 for user, 2 for moderator, 3 for admin) and then implement logic in their application to grant permissions based on the user's role rank, effectively simulating hierarchy [2].
- Multiple roles per user: Assign multiple roles to users who need combined permissions from different roles, avoiding the need for hierarchical roles [2].
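
The first approach can be automated so that the hierarchy lives only in application code and is flattened into explicit assignments at seed time. The seeder below is an added example, not code from the package or from the cited sources; the class name, the role and permission names, and the `inherits` map are hypothetical, and it assumes the package's default `Role` and `Permission` models and default guard.

```php
<?php

namespace Database\Seeders;

use Illuminate\Database\Seeder;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;

class RoleHierarchySeeder extends Seeder
{
    // Constructed sample data: each role's own permissions and the roles it builds on.
    private const ROLES = [
        'user'      => ['inherits' => [],            'permissions' => ['posts.view']],
        'moderator' => ['inherits' => ['user'],      'permissions' => ['posts.edit', 'comments.delete']],
        'admin'     => ['inherits' => ['moderator'], 'permissions' => ['users.manage']],
    ];

    public function run(): void
    {
        // Clear the package's permission cache before changing assignments.
        app(PermissionRegistrar::class)->forgetCachedPermissions();

        foreach (array_keys(self::ROLES) as $name) {
            $permissions = $this->flatten($name);
            foreach ($permissions as $permission) {
                Permission::findOrCreate($permission);
            }
            // syncPermissions replaces the role's set, so grants dropped from the map are revoked.
            Role::findOrCreate($name)->syncPermissions($permissions);
        }
    }

    /** Resolve a role's full permission list; $path tracks the chain to detect cycles. */
    private function flatten(string $role, array $path = []): array
    {
        if (!isset(self::ROLES[$role])) {
            throw new \InvalidArgumentException("Unknown role: {$role}");
        }
        if (in_array($role, $path, true)) {
            throw new \LogicException('Cyclic role inheritance: ' . implode(' -> ', [...$path, $role]));
        }
        $permissions = self::ROLES[$role]['permissions'];
        foreach (self::ROLES[$role]['inherits'] as $base) {
            $permissions = array_merge($permissions, $this->flatten($base, [...$path, $role]));
        }
        return array_values(array_unique($permissions));
    }
}
```

Because the result is stored as ordinary flat role-permission rows, runtime checks stay exactly as the package performs them, and the effective permissions of every role can be audited directly in the database.
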
Summary
- Spatie's package focuses on managing roles and permissions as separate, flat entities.
- It encourages assigning permissions directly to roles and users without role-to-role inheritance.
- Role hierarchy and inheritance must be implemented manually if needed, typically by assigning permissions explicitly or using custom ranking logic.
- This design avoids potential issues where a parent role's permissions depend on child roles, which could cause security or management complexities [1][2][4].
Thus, while Spatie provides a robust and flexible permissions system, it does not handle role hierarchy and inheritance internally; developers must design their own strategies to simulate such behavior if required.
Citations:
[1] https://github.com/spatie/laravel-permission/issues/685
[2] https://www.reddit.com/r/laravel/comments/jrhkc9/struggling_to_create_hierarchy_of_permissions_in/
[3] https://spatie.be/docs/laravel-permission/v6/introduction
[4] https://stackoverflow.com/questions/67520321/how-to-implement-hierarchical-rbac-in-laravel
[5] https://www.interserver.net/tips/kb/how-to-implement-role-based-access-control-in-laravel/
[6] https://www.reddit.com/r/laravel/comments/1e78vct/strategy_for_permission_and_authorisation_design/
[7] https://www.youtube.com/watch?v=3hSBJCVwh78
[8] https://spatie.be/docs/laravel-permission/v6/basic-usage/role-permissions
[9] https://stackoverflow.com/questions/78213905/hierarchical-roles-for-a-user-with-child-roles-having-different-permissions-on
[10] https://stackoverflow.com/questions/75772209/spatie-role-plugin-for-laravel-seed-users-with-roles-doesnt-assignrole
[11] https://dev.to/varzoeaa/spatie-permissions-vs-laravel-policies-and-gates-handling-role-based-access-1bdn