Roles & Permissions

SaasKitFy has two completely separate RBAC layers: global roles for platform-wide access and org roles scoped to individual organizations.

Global Roles

Managed via Spatie Permission. These control access to the admin panel and are unrelated to org membership.

  • super_admin — full access to the admin panel (users, orgs, settings, billing config)
  • support_agent — read-only access to admin views for customer support

Org Roles

Each organization has its own role system based on OrgRoleTemplate records. Three roles ship by default:

  • owner — all permissions, cannot be changed or removed. Every org has exactly one owner.
  • admin — broad permissions, can manage members, billing, and settings
  • member — basic access, customizable per org

OrgRoleTemplate Model

Key fields:

  • slug — machine-readable identifier (e.g. admin, member)
  • display_name — human-readable name
  • permissions — JSON array of granted permission slugs
  • is_default — whether this role is assigned to new members by default
  • protected — prevents deletion of built-in roles (owner, admin, member)

Core Permissions

  • manage_members — invite, remove, and change roles of org members
  • manage_billing — access billing portal, change plans, view invoices
  • manage_settings — update org name, avatar, and configuration
  • manage_api_keys — create, revoke, and manage API keys
  • manage_webhooks — configure webhook endpoints
  • view_usage — view usage metrics and analytics

You can define additional custom permissions in config/custom.php.

Owner Bypass

The organization owner always bypasses permission checks. Even if a permission is not listed in the owner role template, the owner is granted access.

Checking Permissions

Backend: Middleware

Use the org.can middleware to protect routes:

Route::put('/settings', [SettingsController::class, 'update'])
    ->middleware('org.can:manage_settings');

Frontend: Can Component

Use the <Can> component to conditionally render UI elements:

<Can permission="manage_billing">
    <BillingSettings />
</Can>

Managing Role Templates

Org admins can create, edit, and delete role templates from the organization settings. Protected roles (owner, admin, member) cannot be deleted. Their permissions can be customized, except for owner, which always has full access.
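The owner bypass, the is_default assignment and the protected-template rules described above, as an added example that is not SaasKitFy's own code: a plain-PHP checker over arrays shaped like the documented OrgRoleTemplate fields. The class name, the sample templates and the "auditor" custom role are constructed for illustration.

```php
<?php
// Added example, not SaasKitFy's own code. Templates are arrays shaped like the
// documented OrgRoleTemplate fields; all sample data below is constructed.
final class OrgPermissionChecker
{
    /** @param array<string, array> $templates Role templates keyed by slug. */
    public function __construct(private array $templates) {}

    /** Owner bypasses every check; any other role needs the slug in its template. */
    public function can(string $roleSlug, string $permission): bool
    {
        if ($roleSlug === 'owner') {
            return true; // owner bypass: granted even if the template omits it
        }
        $template = $this->templates[$roleSlug] ?? null;
        // Unknown role, or permission absent from the JSON array: deny by default.
        return $template !== null && in_array($permission, $template['permissions'], true);
    }

    /** Slug of the template new members receive (is_default), or null if none. */
    public function defaultRole(): ?string
    {
        foreach ($this->templates as $slug => $t) {
            if ($t['is_default']) {
                return $slug;
            }
        }
        return null;
    }

    /** Deletion is refused for protected templates (owner, admin, member). */
    public function canDelete(string $roleSlug): bool
    {
        return isset($this->templates[$roleSlug]) && !$this->templates[$roleSlug]['protected'];
    }

    /** Permissions may be customized on every template except owner. */
    public function canEditPermissions(string $roleSlug): bool
    {
        return isset($this->templates[$roleSlug]) && $roleSlug !== 'owner';
    }
}

$checker = new OrgPermissionChecker([
    'owner'   => ['permissions' => [], 'is_default' => false, 'protected' => true],
    'admin'   => ['permissions' => ['manage_members', 'manage_billing', 'manage_settings'], 'is_default' => false, 'protected' => true],
    'member'  => ['permissions' => ['view_usage'], 'is_default' => true, 'protected' => true],
    'auditor' => ['permissions' => ['view_usage'], 'is_default' => false, 'protected' => false], // custom role, constructed
]);
foreach (['owner', 'admin', 'member', 'auditor'] as $role) {
    printf("%-7s manage_billing: %s\n", $role, $checker->can($role, 'manage_billing') ? 'allow' : 'deny');
}
printf("default role: %s, delete member: %s, edit owner permissions: %s\n", $checker->defaultRole(),
    var_export($checker->canDelete('member'), true), var_export($checker->canEditPermissions('owner'), true));
```

Note that the owner template is given an empty permissions list on purpose: the check still allows manage_billing for the owner because the bypass runs before the template lookup, while every other role is denied anything its JSON array does not name.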