
yamanalali/laravel-scoped-rbac
==============================

Multi-tenant scoped RBAC (privileges, functional roles, data scopes, delegations, SoD) for Laravel

[Source](https://github.com/yamanalali/laravel-scoped-rbac) · [Packagist](https://packagist.org/packages/yamanalali/laravel-scoped-rbac)

Laravel scoped RBAC
===================


A Laravel package for **organisation-scoped** access control: a **privilege catalog**, **functional roles**, **organisation data scopes**, **session / request scope context**, **privilege delegations**, **segregation-of-duties (SoD) rules**, and **access audit logging**. It targets multi-tenant apps where users have an `organisation_id` (or equivalent) and effective permissions can depend on an **active data scope** (grant, office, organisation-wide, etc.) as well as a privilege code.

Requirements
------------


- PHP **8.2+**
- Laravel **12** (this package requires `illuminate/*` **^12.0**)

### Database prerequisites


Migrations assume:

- A **`users`** table with an `id` column (Laravel’s default `users` migration satisfies this).
- An **`organizations`** table with an `id` column. Foreign keys use `organizations(id)`. If your tenant table has another name, add your own migration (view, synonym, or bridge table), or adjust the package migrations in a fork before running them.

Install
-------


### From Packagist


When the package is registered on Packagist:

```
composer require yamanalali/laravel-scoped-rbac
```

### From a local path (development)


In your app’s `composer.json`:

```
{
    "repositories": [
        {
            "type": "path",
            "url": "../laravel-scoped-rbac",
            "options": { "symlink": true }
        }
    ],
    "require": {
        "yamanalali/laravel-scoped-rbac": "@dev"
    }
}
```

Then run `composer update yamanalali/laravel-scoped-rbac`.

### What the service provider registers


`ScopedRbac\ScopedRbacServiceProvider` is **auto-discovered**. It:

- Merges **`config/scoped-rbac.php`** into the `scoped-rbac` config key.
- Loads **package migrations** from `database/migrations`.
- Registers **`RbacRequestContext`** (singleton), **`RbacAccessService`** (singleton), and **`ScopeSummarizer`** → `MinimalScopeSummarizer` by default.
- Subscribes to Eloquent **`saved` / `deleted`** on role assignment and role–privilege pivot models to bump RBAC cache version keys.

Publish config if you want a copy under `config/`:

```
php artisan vendor:publish --tag=scoped-rbac-config
```

Run migrations:

```
php artisan migrate
```

If your app already defines the same table names, **remove or reconcile** duplicate migrations so tables are not created twice.

Environment variables
---------------------


Values map to `config/scoped-rbac.php` (see that file for defaults).

| Variable | Config key | Purpose |
|---|---|---|
| `RBAC_ENABLED` | `enabled` | When `false` (default), `RbacAccessService::can()` does **not** run the assignment/delegation pipeline; it only uses the **legacy** path (see below). Middleware that checks `config('scoped-rbac.enabled')` becomes a no-op. |
| `RBAC_FALLBACK_TO_ORG_ROLES` | `fallback_to_org_roles` | When RBAC is **enabled** and `true` (default), users who fail functional-role checks may still pass via **`legacyCan()`**: a fixed map of privilege codes to `Gate::forUser($user)->allows(...)` on **`rbacWorkspace()`**, `hasOrgRole()`, `isOrgAdmin()`, etc. **Not** a generic "any Gate" pass. |
| `RBAC_ORG_ADMIN_BYPASS` | `org_admin_bypass` | When RBAC is **enabled** and `true` (default), `isOrgAdmin()` can grant access after assignments/delegations/fallback fail; bypass is **written to the audit log**. |
| `RBAC_CACHE_TTL` | `cache_ttl_seconds` | Seconds for `can()` result caching. Default `120`. |
| `RBAC_CONTEXT_HEADER` | `context_header` | Request header for scope id (default `X-Rbac-Context`). |
| `RBAC_SCOPES_HEADER` | `scopes_response_header` | Response header for JSON scope list (default `X-Rbac-Scopes`). |
| `RBAC_ACTIVE_SCOPE_HEADER` | `active_scope_response_header` | Response header for active scope id (default `X-Rbac-Active-Scope`). |
| `RBAC_ACTOR_MODEL` | `actor_model` | FQCN of the user model; must implement `ScopedRbac\Contracts\RbacActor`. Used when resolving users in HTTP APIs (e.g. `assign`). Default `App\Models\User`. |
| `RBAC_ORGANIZATION_MODEL` | `organization_model` | FQCN of the tenant row; its primary key must match `organisation_id` on users. Default `App\Models\Organization`. |
| `RBAC_REFERENCE_GRANT_MODEL` | `reference_models.grant` | Optional; for validating grant-backed data scopes in `RbacController`. |
| `RBAC_REFERENCE_DEPARTMENT_MODEL` | `reference_models.department` | Optional; department scopes. |
| `RBAC_REFERENCE_WORK_CALENDAR_MODEL` | `reference_models.work_calendar` | Optional; region scopes. |
| `RBAC_REFERENCE_OFFICE_MODEL` | `reference_models.office` | Optional; office scopes. |

Reference model classes, when configured, must be Eloquent models with an **`organisation_id`** column (see `ReferenceModelGuard`).
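As an added illustration (not the package's own code) of the cache-version mechanism described in the service-provider section and the `cache_ttl_seconds` row: `can()` results are cached for the TTL, and the version key is bumped on `saved` / `deleted` of assignment models so a revoked privilege stops working immediately instead of lingering until the TTL expires. The class, method names and the in-memory array standing in for Laravel's cache are all hypothetical.

```php
<?php
// Hypothetical stand-in (not the package's code) for the pattern the README
// describes: can() decisions are cached for cache_ttl_seconds, and a version
// key is bumped when a role assignment or role-privilege pivot is saved/deleted.

final class VersionedDecisionCache
{
    /** @var array<string, array{bool, int}> decision + expiry; in-memory stand-in for Laravel's Cache */
    private array $store = [];
    private int $version = 1;   // the "RBAC cache version key"

    public function __construct(private int $ttlSeconds = 120) {}

    /** What the saved/deleted Eloquent subscriber does for assignment models. */
    public function bumpVersion(): void
    {
        $this->version++;
    }

    /** Return the cached decision for (user, privilege, scope), or compute and store it. */
    public function remember(int $userId, string $privilege, ?int $scopeId, callable $decide, int $now): bool
    {
        // The version is part of the key, so one bump orphans every earlier entry at once.
        $key = sprintf('rbac:v%d:u%d:%s:s%s', $this->version, $userId, $privilege, $scopeId ?? 'org');
        if (isset($this->store[$key]) && $this->store[$key][1] > $now) {
            return $this->store[$key][0];
        }
        $allowed = (bool) $decide();
        $this->store[$key] = [$allowed, $now + $this->ttlSeconds];
        return $allowed;
    }
}

// Constructed walk-through: user 7 holds 'grant.approve' in data scope 12.
$assignments = [7 => ['grant.approve' => [12]]];
$decide = function () use (&$assignments): bool {
    return in_array(12, $assignments[7]['grant.approve'] ?? [], true);
};
$cache = new VersionedDecisionCache(ttlSeconds: 120);
$t = 1_000;

var_dump($cache->remember(7, 'grant.approve', 12, $decide, $t));     // computed fresh and cached
$assignments[7]['grant.approve'] = [];                                 // revoke the assignment
var_dump($cache->remember(7, 'grant.approve', 12, $decide, $t + 5)); // stale hit: TTL-only window after revocation
$cache->bumpVersion();                                                 // what the deleted listener does
var_dump($cache->remember(7, 'grant.approve', 12, $decide, $t + 6)); // recomputed under the new version key
```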

1. Implement `RbacActor` on your user model
-------------------------------------------


The authenticated user must implement `ScopedRbac\Contracts\RbacActor` (`Authenticatable` + `Authorizable` plus organisation helpers). Minimal example:

```
