{"id":246,"date":"2025-08-27T16:01:35","date_gmt":"2025-08-27T16:01:35","guid":{"rendered":"https:\/\/1v0.net\/blog\/?p=246"},"modified":"2025-08-27T16:01:37","modified_gmt":"2025-08-27T16:01:37","slug":"how-to-create-a-multi-level-role-permission-system-in-laravel","status":"publish","type":"post","link":"https:\/\/1v0.net\/blog\/how-to-create-a-multi-level-role-permission-system-in-laravel\/","title":{"rendered":"How to Create a Multi-Level Role & Permission System in Laravel"},"content":{"rendered":"\n

As applications grow, a simple \u201cAdmin vs User\u201d setup is rarely enough. You might need multiple levels of access: Super Admins<\/strong> who control everything, Managers<\/strong> who oversee teams, and Users<\/strong> who only manage their own data. In Laravel 12<\/strong>, you can build a flexible multi-level role and permission system<\/strong> using the Spatie Permissions<\/strong> package.<\/p>\n\n\n\n

In this guide, we\u2019ll walk through creating hierarchical roles and assigning permissions at different levels. We\u2019ll also add a UI so admins can manage roles dynamically, without writing code.<\/p>\n\n\n\n

<\/div>\n\n\n\n

1 – Setting Up Spatie Permissions<\/strong><\/h2>\n\n\n\n

Make sure you\u2019ve installed and configured Spatie Permissions. If not, follow our installation guide<\/a>. Once set up, add the HasRoles<\/code> trait to your User<\/code> model and run the migrations.<\/p>\n\n\n\n

<\/div>\n\n\n\n

2 – Defining Multi-Level Roles<\/strong><\/h2>\n\n\n\n

Let\u2019s create three levels of roles: Super Admin<\/strong>, Manager<\/strong>, and User<\/strong>. Super Admins have all permissions, Managers have elevated access, and Users have limited access.<\/p>\n\n\n

\/\/ database\/seeders\/MultiLevelRolesSeeder.php<\/span>\nnamespace<\/span> Database<\/span>\\Seeders<\/span>;\n\nuse<\/span> Illuminate<\/span>\\Database<\/span>\\Seeder<\/span>;\nuse<\/span> Spatie<\/span>\\Permission<\/span>\\Models<\/span>\\Role<\/span>;\nuse<\/span> Spatie<\/span>\\Permission<\/span>\\Models<\/span>\\Permission<\/span>;\n\nclass<\/span> MultiLevelRolesSeeder<\/span> extends<\/span> Seeder<\/span>\n<\/span>{\n    public<\/span> function<\/span> run<\/span>()<\/span>\n    <\/span>{\n        $superAdmin = Role::create(['name'<\/span> => 'super-admin'<\/span>]);\n        $manager = Role::create(['name'<\/span> => 'manager'<\/span>]);\n        $user = Role::create(['name'<\/span> => 'user'<\/span>]);\n\n        \/\/ Permissions<\/span>\n        $manageUsers = Permission::create(['name'<\/span> => 'manage users'<\/span>]);\n        $viewReports = Permission::create(['name'<\/span> => 'view reports'<\/span>]);\n        $editProfile = Permission::create(['name'<\/span> => 'edit profile'<\/span>]);\n\n        \/\/ Assign permissions<\/span>\n        $superAdmin->givePermissionTo([$manageUsers, $viewReports, $editProfile]);\n        $manager->givePermissionTo([$viewReports, $editProfile]);\n        $user->givePermissionTo([$editProfile]);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
This creates three distinct access levels. Each level includes the permissions of the one below it.<\/p>\n\n\n\n
<\/div>\n\n\n\n
3 – Middleware Protection<\/strong><\/h2>\n\n\n\n
Now, protect routes based on roles or permissions:<\/p>\n\n\n
\/\/ routes\/web.php<\/span>\n\n\/\/ Super Admin only<\/span>\nRoute::middleware(['auth'<\/span>,'role:super-admin'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n    Route::get('\/admin\/settings'<\/span>, function<\/span> ()<\/span> <\/span>{\n        return<\/span> 'Settings Page'<\/span>;\n    });\n});\n\n\/\/ Managers and above<\/span>\nRoute::middleware(['auth'<\/span>,'role:manager|super-admin'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n    Route::get('\/reports'<\/span>, function<\/span> ()<\/span> <\/span>{\n        return<\/span> 'Reports Page'<\/span>;\n    });\n});\n\n\/\/ All authenticated users<\/span>\nRoute::middleware(['auth'<\/span>,'role:user|manager|super-admin'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n    Route::get('\/profile'<\/span>, function<\/span> ()<\/span> <\/span>{\n        return<\/span> 'Profile Page'<\/span>;\n    });\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Using multiple roles in the middleware ensures a hierarchy of access \u2014 higher-level roles automatically get lower-level privileges.<\/p>\n\n\n\n
<\/div>\n\n\n\n
4 – Role Inheritance with Gates<\/strong><\/h2>\n\n\n\n
If you want a more formal hierarchy, you can extend roles via custom logic. For example, treat super-admin<\/code> as having all permissions without assigning them manually.<\/p>\n\n\n
\/\/ app\/Providers\/AuthServiceProvider.php<\/span>\nuse<\/span> Illuminate<\/span>\\Support<\/span>\\Facades<\/span>\\Gate<\/span>;\n\npublic<\/span> function<\/span> boot<\/span>()<\/span>\n<\/span>{\n    $this<\/span>->registerPolicies();\n\n    Gate::before(function<\/span> ($user, $ability)<\/span> <\/span>{\n        return<\/span> $user->hasRole('super-admin'<\/span>) ? true<\/span> : null<\/span>;\n    });\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
This ensures that super-admins can do anything, regardless of specific permissions.<\/p>\n\n\n\n
<\/div>\n\n\n\n
5 – Admin UI for Multi-Level Roles<\/strong><\/h2>\n\n\n\n
Finally, let\u2019s create a simple admin panel where Super Admins can assign roles to users. This UI helps non-technical admins manage multi-level access.<\/p>\n\n\n
\/\/ routes\/web.php<\/span>\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>\\UserRoleController<\/span>;\n\nRoute::middleware(['auth'<\/span>,'role:super-admin'<\/span>])->group(function<\/span> ()<\/span> <\/span>{\n    Route::get('\/admin\/users\/{user}\/roles'<\/span>, [UserRoleController::class, 'edit'<\/span>])->name('admin.users.roles.edit'<\/span>);\n    Route::put('\/admin\/users\/{user}\/roles'<\/span>, [UserRoleController::class, 'update'<\/span>])->name('admin.users.roles.update'<\/span>);\n});<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n
\/\/ app\/Http\/Controllers\/Admin\/UserRoleController.php<\/span>\nnamespace<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Admin<\/span>;\n\nuse<\/span> App<\/span>\\Http<\/span>\\Controllers<\/span>\\Controller<\/span>;\nuse<\/span> App<\/span>\\Models<\/span>\\User<\/span>;\nuse<\/span> Illuminate<\/span>\\Http<\/span>\\Request<\/span>;\nuse<\/span> Spatie<\/span>\\Permission<\/span>\\Models<\/span>\\Role<\/span>;\n\nclass<\/span> UserRoleController<\/span> extends<\/span> Controller<\/span>\n<\/span>{\n    public<\/span> function<\/span> edit<\/span>(User $user)<\/span>\n    <\/span>{\n        $roles = Role::all();\n        return<\/span> view('admin.users.edit-roles'<\/span>, compact('user'<\/span>,'roles'<\/span>));\n    }\n\n    public<\/span> function<\/span> update<\/span>(Request $request, User $user)<\/span>\n    <\/span>{\n        $user->syncRoles($request->roles);\n        return<\/span> redirect()->back()->with('status'<\/span>,'Roles updated successfully'<\/span>);\n    }\n}<\/code><\/span>Code language:<\/span> PHP<\/span> (<\/span>php<\/span>)<\/span><\/small><\/pre>\n\n\n
Blade view (resources\/views\/admin\/users\/edit-roles.blade.php<\/code>):<\/p>\n\n\n
@extends('layouts.app'<\/span>)\n\n@section('content'<\/span>)\n<div class<\/span><\/span>=\"container\"<\/span>>\n  <h2<\/span>><\/span>Assign Roles to {{ $user->name }}<\/h2<\/span>><\/span><\/span>\n  <form<\/span> method<\/span>=\"POST\"<\/span> action<\/span>=\"{{ route('admin.users.roles.update',$user) }}\"<\/span>><\/span>\n    @csrf\n    @method('PUT')\n    @foreach($roles as $role)\n      <div<\/span> class<\/span>=\"form-check\"<\/span>><\/span>\n        <input<\/span> class<\/span>=\"form-check-input\"<\/span> type<\/span>=\"checkbox\"<\/span> name<\/span>=\"roles[]\"<\/span> value<\/span>=\"{{ $role->name }}\"<\/span>\n          {{ $user-<\/span>><\/span>hasRole($role->name) ? 'checked' : '' }}>\n        <label<\/span> class<\/span>=\"form-check-label\"<\/span>><\/span>{{ ucfirst($role->name) }}<\/label<\/span>><\/span>\n      <\/div<\/span>><\/span>\n    @endforeach\n    <button<\/span> type<\/span>=\"submit\"<\/span> class<\/span>=\"btn btn-primary mt-3\"<\/span>><\/span>Save<\/button<\/span>><\/span>\n  <\/form<\/span>><\/span>\n<\/div<\/span>><\/span><\/span>\n@endsection<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n\n\n
This lets Super Admins manage roles across all levels, ensuring fine-grained access control in your application.<\/p>\n\n\n\n
<\/div>\n\n\n\n
Wrapping Up<\/h2>\n\n\n\n
We built a multi-level role and permission system in Laravel 12<\/strong> using Spatie Permissions. Roles like Super Admin, Manager, and User provide hierarchical access, with middleware and Gates ensuring proper control. By adding an admin UI, you empower administrators to manage roles dynamically, without writing code.<\/p>\n\n\n\n
<\/div>\n\n\n\n
What\u2019s Next<\/h2>\n\n\n\n