Aurelia Hub uses Spatie Laravel-Permission for role-based access control (RBAC), providing granular control over who can do what.
How It Works
Roles
A role is a named collection of permissions. Users are assigned roles, and through those roles, they receive permissions.
Permissions
Permissions are specific actions a user can perform (e.g., "view products", "create sales", "delete customers").
Managing Roles
Navigate to Settings > Roles (or through the User management interface).
Creating a Role
- Name — Role identifier (e.g., "admin", "manager", "sales")
- Guard — Authentication guard (default: "web")
- Permissions — Select which permissions this role grants
Suggested Roles
Administrator
Full access to all features:
- All product, customer, sale, inventory permissions
- Settings management
- User management
- Role and permission management
Store Manager
Broad access without system configuration:
- Product management (create, edit, view)
- Customer management
- Sales and POS access
- Inventory management
- Marketing campaigns
- Appointment management
- View reports and analytics
Sales Associate
Focused on customer-facing operations:
- POS access (create sales)
- View products
- Customer management (view, create, edit)
- Appointment management
- Gift card redemption
Inventory Manager
Stock and product focused:
- Product management (full CRUD)
- Stock movements
- Warehouse management
- Label printing
- Certification management
Marketing Manager
Campaign and customer engagement:
- Campaign management
- Email template management
- Customer viewing
- Important dates management
- Report viewing
Permission Structure
Permissions typically follow the pattern: action_resource
| Action | Description |
|---|---|
| view | View/read records |
| create | Create new records |
| update | Edit existing records |
| delete | Remove records |
Example Permissions
- view_products, create_products, update_products, delete_products
- view_customers, create_customers, update_customers, delete_customers
- create_sales, view_sales
- manage_settings
- manage_users
Checking Permissions
The system automatically enforces permissions:
- Navigation items are hidden for unauthorized users
- Resource pages check permissions before rendering
- Actions (buttons, links) respect permission checks
- API/form submissions verify authorization
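The following is an added example, not Aurelia Hub's own code: it builds the "Sales Associate" role from the action_resource permissions listed above with Spatie's API, then shows the server-side checks that make "form submissions verify authorization" true even when a navigation item or button is merely hidden. The seeder class name, the `sales` role name, and the `/sales` route are assumptions.

```php
<?php
// Added example for Aurelia Hub's RBAC setup (assumed names, not project code).

namespace Database\Seeders;

use Illuminate\Database\Seeder;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;

class SalesRoleSeeder extends Seeder
{
    public function run(): void
    {
        // Spatie caches roles/permissions; clear the cache so new ones take effect now.
        app()[PermissionRegistrar::class]->forgetCachedPermissions();

        // Permissions follow the action_resource pattern on the default "web" guard.
        $permissions = [
            'view_products',
            'view_customers', 'create_customers', 'update_customers',
            'create_sales', 'view_sales',
        ];
        foreach ($permissions as $name) {
            Permission::findOrCreate($name, 'web');
        }

        // Permissions are attached to the role; users are given the role, never
        // permissions directly ("use roles, not direct permissions").
        $sales = Role::findOrCreate('sales', 'web');
        $sales->syncPermissions($permissions);
    }
}

// Server-side enforcement for a POST that creates a sale. Hiding the POS button
// in the UI is not a control; the request handler must check the permission too.
Route::post('/sales', function (Request $request) {
    // can() resolves through Laravel's Gate, which Spatie hooks into, so a
    // user holding the "sales" role passes; anyone else gets a 403.
    if (! $request->user()->can('create_sales')) {
        abort(403, 'create_sales permission required');
    }
    // ... persist the sale ...
    return response()->json(['status' => 'created'], 201);
})->middleware(['auth', 'permission:create_sales']); // Spatie middleware, same check at route level
```

The `permission:` middleware alias must be registered for your Spatie version (newer releases register it automatically; older ones require adding it in the HTTP kernel).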
Activity Logging
All permission and role changes are logged:
- Role creation/modification
- Permission changes
- User role assignments
Best Practices
- Start restrictive — Begin with minimal permissions and add as needed
- Use roles, not direct permissions — Assign permissions to roles, roles to users
- Separate duties — Different roles for different responsibilities
- Regular audits — Review role assignments quarterly
- Document roles — Maintain a reference of what each role can do
- Test permissions — After creating roles, test access with a non-admin account