PHPackages                             apurba-labs/laravel-iam - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. apurba-labs/laravel-iam

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

apurba-labs/laravel-iam
=======================

Laravel IAM (Identity &amp; Access Management) package with hierarchical permissions, wildcard support, and SaaS-ready design.

v1.5.0(1mo ago)64011MITPHPPHP ^8.1

Since Apr 2Pushed 4w agoCompare

[ Source](https://github.com/apurba-labs/laravel-iam)[ Packagist](https://packagist.org/packages/apurba-labs/laravel-iam)[ RSS](/packages/apurba-labs-laravel-iam/feed)WikiDiscussions main Synced 1mo ago

READMEChangelogDependencies (8)Versions (15)Used By (1)

Laravel IAM (Identity &amp; Access Management)
==============================================

[](#laravel-iam-identity--access-management)

[![Latest Version on Packagist](https://camo.githubusercontent.com/a3c52d7448e427833690e16b2dffc80fd2bfc0163e41f57fdc29a0876c3ffaf2/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6170757262612d6c6162732f6c61726176656c2d69616d2e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/apurba-labs/laravel-iam)[![Total Downloads](https://camo.githubusercontent.com/91f88d1035ae6af655f7ac120a2582c910e27d71371af79e672420bafcbb1355/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6170757262612d6c6162732f6c61726176656c2d69616d2e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/apurba-labs/laravel-iam)[![License](https://camo.githubusercontent.com/55c0218c8f8009f06ad4ddae837ddd05301481fcf0dff8e0ed9dadda8780713e/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6c6963656e73652d4d49542d627269676874677265656e2e7376673f7374796c653d666c61742d737175617265)](LICENSE.md)

A powerful, context-aware Identity and Access Management (IAM) system for Laravel. Inspired by AWS IAM, built for modern SaaS architectures.

Quick Example
-------------

[](#quick-example)

```
IAM::can($user, 'inventory.approve', $branchId);
IAM::can($user, 'post.edit')
IAM::usersWithPermission('approval.finance.approve')
IAM::usersWithRole('manager')
IAM::rolesForUser($user)
IAM::permissionsForUser($user)
```

```
Example:
IAM::rolesForUser(auth()->user())

Use cases:
profile screens
admin UI
audit ordebug
```

```
Example:
IAM::permissionsForUser(auth()->user())

Use cases:
effective permission display
debug tools
admin dashboards
policy introspection
```

---

Installation
------------

[](#installation)

Install the package via composer:

```
composer require apurba-labs/laravel-iam
```

Run migrations:

```
php artisan migrate
```

---

Key Features
------------

[](#key-features)

- **Contextual Scopes:** Assign roles to users for specific branches or tenants.
- **Wildcard Logic:** Support for `resource.*`, `*.action`, and `*.*` overrides.
- **Action Aliasing:** Built-in `manage` capability (grants all actions for a resource).
- **Developer Friendly:** Dynamic Resource &amp; Action registration.
- **Performance First:** Built-in caching for permission resolution.

---

⚖️ Design Philosophy: Contextual Authority
------------------------------------------

[](#️-design-philosophy-contextual-authority)

Most RBAC (Role-Based Access Control) packages treat permissions as "Global Flags." In modern SaaS and Enterprise applications, authority is rarely that simple.

**Laravel IAM** is built on the principle that power is **Contextual**. A user might be a `Manager` in the *Dhaka Branch* but only a `Viewer` in the *Chittagong Branch*. Our engine resolves this complexity using a prioritized hierarchy we call the **Four Levels of Truth**.

### 🧠 The "Four Levels of Truth"

[](#-the-four-levels-of-truth)

When you check a permission like `invoice.approve`, the engine doesn't just look for a string match. It evaluates authority from the broadest scope to the most specific to ensure maximum flexibility and security.

#### 🔑 Permission Hierarchy: "Context-Aware RBAC"

[](#-permission-hierarchy-context-aware-rbac)

LevelTypeExampleDescription**1**`Global``*.*`**Full Access**: Absolute power across all resources and actions.**2**`Resource``invoice.*`**Module Control**: Full authority over a specific resource.**3**`Action``*.approve`**Action Specialist**: Specific action allowed system-wide.**4**`Atomic``invoice.approve`**Task Specific**: One specific action on one resource.> **Performance Note:** The engine uses a "Fast-Pass" strategy. If Level 1 or 2 is satisfied, the resolution exits immediately, ensuring that administrative accounts experience zero latency during authorization checks.

---

🧱 Architectural Design Patterns
-------------------------------

[](#-architectural-design-patterns)

Laravel IAM is not just a collection of scripts; it is a structured engine built using industry-standard patterns to ensure scalability and maintainability.

### 🗄️ Registry Pattern

[](#️-registry-pattern)

We use a **Registry Pattern** for Resource and Action management. This decouples your application's domain logic from the database, allowing you to register permissions dynamically via Service Providers without hitting the database on every boot.

### 🛡️ Singleton &amp; Manager Pattern

[](#️-singleton--manager-pattern)

The `IAMManager` acts as a **Singleton** within the Laravel Service Container. This ensures a single source of truth for authorization checks during a request lifecycle, enabling efficient memory usage and consistent caching.

### 🔌 Facade &amp; Proxy Pattern

[](#-facade--proxy-pattern)

By providing a **Facade**, we offer a clean, expressive API (`IAM::can()`). Internally, this proxies calls to the underlying `PermissionResolver`, shielding the developer from the complexity of the hierarchical resolution logic.

### 🔍 Strategy Pattern

[](#-strategy-pattern)

The `PermissionResolver` employs a **Strategy Pattern** to evaluate permissions. It switches between "Global," "Wildcard," and "Atomic" strategies to find the fastest path to an authorization decision.

---

🛠 Usage
-------

[](#-usage)

### 1. Setup your Model

[](#1-setup-your-model)

```
Implement the Authorizable contract and add the HasRoles trait to your User model. This unlocks the relationship and authority checks.
```

```
use ApurbaLabs\IAM\Traits\HasRoles;
use ApurbaLabs\IAM\Contracts\Authorizable;

class User extends Authenticatable implements Authorizable {
    use HasRoles;
}
```

### 2. Registering Resources &amp; Actions

[](#2-registering-resources--actions)

```
Define your application's domain in AppServiceProvider.php. This populates the internal registry used for the "Four Levels of Truth" engine.
Register your modules in `AppServiceProvider.php`:
```

```
use ApurbaLabs\IAM\Facades\IAM;

public function boot(): void
{
    IAM::registerResources([
        'expense' => 'Expense Approval',
        'requisition' => 'Requisition',
    ]);

    IAM::registerActions([
        'view',
        'create',
        'approve',
        'reject',
    ]);
}
```

---

### Default Actions

[](#default-actions)

The IAM system includes a set of built-in default actions.
If you do not explicitly register actions, these defaults will be used automatically.

#### Default Actions

[](#default-actions-1)

- `create`
- `read`
- `update`
- `delete`
- `list`

#### Workflow Actions

[](#workflow-actions)

- `publish`
- `approve`
- `reject`
- `refund`

#### Special Actions

[](#special-actions)

- `manage` → Grants all actions for a resource
- `*` (wildcard) → Full system-level access

#### Custom Actions

[](#custom-actions)

If needed, you can override defaults:

```
IAM::registerActions([
    'submit',
    'approve',
    'archive',
]);
```

💡 Tip: Default actions are recommended for most use cases and ensure consistency across modules.
------------------------------------------------------------------------------------------------

[](#-tip-default-actions-are-recommended-for-most-use-cases-and-ensure-consistency-across-modules)

### 3. Sync Permissions

[](#3-sync-permissions)

Run:

```
php artisan iam:sync-permissions
```

This will generate permissions like:

- expense.view
- expense.approve
- requisition.create

💡 This approach allows fully dynamic and scalable permission management.

### 4. Authorization Logic

[](#4-authorization-logic)

```
#### Via Facade
The Facade is the most flexible way to check authority, especially for multi-tenant or scoped applications.
```

```
// Global Check (Is this user an Admin anywhere?)
IAM::can($user, 'inventory.view');

// Contextual Check (Is this user a Manager specifically for Branch 101?)
IAM::can($user, 'inventory.approve', 101);
```

```
#### Via Middleware

Perfect for protecting API routes. The middleware automatically looks for an X-Scope-ID header to evaluate contextual permissions.
```

```
// Single permission check
Route::middleware('iam:inventory.view')->get('/inventory', ...);

// Multiple permissions (OR logic)
Route::middleware('iam:payroll.edit|payroll.manage')->post('/payroll', ...);
```

### 5. UI Integration (Blade Magic)

[](#5-ui-integration-blade-magic)

```
We’ve provided expressive Blade directives to keep your templates clean. No more messy @if blocks.
#### Permission Checks
{{-- Checks if the user can approve in the current branch context --}}
@iam('invoice.approve', 101)
    Approve Invoice
@else
    Read-only Access
@endiam
```

#### Role Checks

[](#role-checks)

```
@{{-- Check for a role in a specific scope --}}
@role('manager', 101)
    Branch Manager
@endrole
```

#### Global UI logic

[](#global-ui-logic)

```
{{-- If you omit the second argument, the system checks for Global authority (where scope_id is null):}}
@role('admin')
    System Settings
@endrole
```

```
### 6. Workflow Resolution
Need to find who to notify? Use the resolver to find users with specific authority within a specific scope.
```PHP
// Returns a collection of Users who can approve invoices for Branch 101
$approvers = IAM::usersWithPermission('invoice.approve', 101);
```

---

Roadmap
-------

[](#roadmap)

We are committed to making **Laravel IAM** the standard for contextual authorization. Here is what's coming next:

### v0.3.0 - The "Developer Experience" Update

[](#v030---the-developer-experience-update)

- **Custom Middleware Aliases:** Support for `@iam:invoice.view,scope_id` directly in routes.
- **Policy Integration:** Seamless bridge between `IAM::can` and Laravel's native `Gate` and `Policy` system.
- **Audit Logs:** A built-in observer to log every permission change for compliance.

### v0.4.0 - The "Admin UI" Update

[](#v040---the-admin-ui-update)

- **Blade Component Library:** Pre-built Tailwind components for Role/Permission management.
- **Visual Permission Matrix:** A console command to generate a table of who-can-do-what across scopes.

### v1.0.0 - Stability &amp; Performance

[](#v100---stability--performance)

- **Caching Layer:** Redis integration for high-performance permission resolution.
- **API Documentation:** Comprehensive documentation site with real-world use cases.
- **Stable Release:** Long-term support (LTS) version.

---

```
## 🌟 Support the Project

If this package saved you time or simplified your authorization logic:

👉 Give it a **⭐ Star on GitHub**

Your support helps grow the project and bring more advanced features to the community 🚀
---
📄 License
The MIT License (MIT). Please see License File for more information.
```

###  Health Score

44

—

FairBetter than 90% of packages

Maintenance92

Actively maintained with recent releases

Popularity17

Limited adoption so far

Community9

Small or concentrated contributor base

Maturity50

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~5 days

Total

9

Last Release

47d ago

Major Versions

v0.4.1 → v1.5.02026-05-13

PHP version history (2 changes)v0.1.0PHP ^8.1

v0.5.0PHP ^8.4

### Community

Maintainers

![](https://www.gravatar.com/avatar/cf451535411e28149e4b7f65d90625f54be2dc4f9a37bd119eee6204d3f73566?d=identicon)[apurbasingh](/maintainers/apurbasingh)

---

Top Contributors

[![apurba-singh](https://avatars.githubusercontent.com/u/22034705?v=4)](https://github.com/apurba-singh "apurba-singh (1 commits)")

---

Tags

laravelauthorizationpermissionsrbacsaasaccess-controliam

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/apurba-labs-laravel-iam/health.svg)

```
[![Health](https://phpackages.com/badges/apurba-labs-laravel-iam/health.svg)](https://phpackages.com/packages/apurba-labs-laravel-iam)
```

###  Alternatives

[casbin/laravel-authz

An authorization library that supports access control models like ACL, RBAC, ABAC in Laravel.

331368.6k4](/packages/casbin-laravel-authz)[hasinhayder/tyro

Tyro - The ultimate Authentication, Authorization, and Role &amp; Privilege Management solution for Laravel 12 &amp; 13

6783.6k6](/packages/hasinhayder-tyro)[hosseinhezami/laravel-permission-manager

Advanced permission manager for Laravel.

383.3k](/packages/hosseinhezami-laravel-permission-manager)[amdadulhaq/guard-laravel

Guard is Role and Permission management system for Laravel

135.5k](/packages/amdadulhaq-guard-laravel)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
