Relationships, RBAC, and Entities
I'm working on a prototype app that is using RBAC. Right now I'm using just roles with Kodeine but I'm open to suggestions.
Here's the scenario. There is an existing/parent system that can share information with "agencies". In order to do that, the agency must submit information on a separate system (the prototype app) about their agency along with primary contact information and a PDF file containing a signed contract and optionally a user confidentiality agreement. Contacts can submit additional confidentiality agreements at a later date. A user confidentiality agreement must be cosigned by an agency contact. Once the agency and contact information is submitted on the prototype app, an admin verifies the participation agreement and creates an agency record on the parent system. Users can then register on the parent system as a member of the agency. An admin checks for a signed confidentiality agreement for the user and either activates their account or sets it as pending. The parent system is proprietary and integrating this into the existing code base would be cost prohibitive.
The basic rules are:
- In this context, user means a user on the parent system.
- An agency must have a participation contract on file.
- There must be at least one primary contact.
- There may be multiple contacts.
- Every parent system user must have a confidentiality agreement on file.
- A user confidentiality agreement is only valid for a single agency.
- Users may be tied to multiple agencies.
- Contacts may be tied to multiple agencies.
As you can see, it's quite a jumbled mess but I don't get to make the rules. You can have a look at the preliminary ER diagram - here.
On the prototype/Laravel side, only agency contacts will register and have access. I can probably figure out the tables and relationships but I'm struggling on the RBAC side of things. Especially when it comes to adding permissions. It seems that besides permissions I need groups - one for each agency. That's easy enough. Perhaps just make an agency a group. And then, if a group gets a permission, that needs a slug. Still thinking about that one.
My brain is hurting at this point so any suggestions would be much appreciated.
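The agency-scoping rules listed in the post, sketched as an added example (not the poster's code and not Kodeine's API): permissions are stored per contact and agency, so a grant in one agency never applies in another, and a confidentiality agreement is looked up per user and agency. Class, method and permission names are hypothetical, and the sample data is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; the sample data at the bottom is constructed.
final class AgencyAccess
{
    /** @var array<int, array<int, string[]>> contactId => agencyId => permission slugs */
    private array $grants = [];
    /** @var array<string, int> "userId:agencyId" => cosigning contactId */
    private array $agreements = [];

    public function grant(int $contactId, int $agencyId, string ...$permissions): void
    {
        $existing = $this->grants[$contactId][$agencyId] ?? [];
        $this->grants[$contactId][$agencyId] = array_values(array_unique([...$existing, ...$permissions]));
    }

    // Deny by default: a permission counts only inside the agency it was granted for.
    public function can(int $contactId, int $agencyId, string $permission): bool
    {
        return in_array($permission, $this->grants[$contactId][$agencyId] ?? [], true);
    }

    // A cosignature is accepted only from a contact allowed to cosign for that agency.
    public function fileAgreement(int $userId, int $agencyId, int $cosignerId): bool
    {
        if (!$this->can($cosignerId, $agencyId, 'agreement.cosign')) {
            return false;
        }
        $this->agreements["$userId:$agencyId"] = $cosignerId;
        return true;
    }

    // An agreement is valid for a single agency, so it is keyed by the (user, agency) pair.
    public function mayActivate(int $userId, int $agencyId): bool
    {
        return isset($this->agreements["$userId:$agencyId"]);
    }
}

$access = new AgencyAccess();
$access->grant(10, 1, 'agreement.cosign', 'agency.edit'); // contact 10 in agency 1
$access->grant(10, 2, 'agreement.view');                  // same contact, narrower role in agency 2

var_dump($access->can(10, 1, 'agreement.cosign')); // cosign check scoped to agency 1
var_dump($access->can(10, 2, 'agreement.cosign')); // same slug, checked against agency 2
var_dump($access->fileAgreement(500, 2, 10));      // contact 10 holds no cosign grant in agency 2
var_dump($access->fileAgreement(500, 1, 10));      // user 500 files an agreement for agency 1
var_dump($access->mayActivate(500, 2));            // activation check for agency 2 uses agency 2's agreement only
```

Because the agency id is an argument to every check, one slug such as `agreement.cosign` serves all agencies and no per-agency slug is needed.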