Best way to systematically determine all permissions needed for my Laravel ticketing system app?

Best systematic way to plan all permissions for Laravel 12 ticketing system API with Spatie?

I'm building a comprehensive ticketing system API using Laravel 12 with Spatie Laravel-Permission for role-based authorization (roles like admin, manager, agent, customer).

I've implemented controllers for:

Tickets (CRUD)
Roles/permissions management (assign/revoke/view for roles)
User search/filtering

Current permissions (snake_case pattern): tickets: view_any_ticket, view_ticket, create_ticket, update_ticket, delete_ticket, assign_ticket roles: view_role_permissions, assign_role_permissions, revoke_role_permissions, update_role_permissions permissions: view_any_permission, create_permission, update_permission, delete_permission

My approach:

Map permissions to controller actions (create_ticket, update_ticket_status)
Policies + Gates (TicketPolicy::viewAny() checks $user->can('view_any_ticket'))
Artisan command to seed permissions

Code example RolesPermissionsController@assign:

public function assign(Request $request, Role $role)
{
    Gate::authorize('assign_permission_to_role', Permission::class);
    $role = RoleService::assignRole($role, $request->permissions);
    return PermissionsResource::collection(PermissionService::getPermissionsOfRole($role));
}

Struggling to identify ALL permissions without missing edge cases or over-engineering.

Questions:

What's the best systematic process to discover/plan permissions for ticketing system? (routes analysis, user stories, audit logs?)

Common permission patterns for ticketing apps?

    Ticket assignment

    Status changes

    Comments/attachments

    Escalations

    Reports/SLAs?

Granularity level?

    update_ticket (all fields)

    OR update_ticket_priority, update_ticket_status, update_ticket_assignee?

Tools/scripts to auto-generate permission seeds from routes/controllers?

Role/permission management auth?

    Direct Spatie: $user->can('view_role_permissions')

    OR Policies wrapping Spatie checks?

LaryAI

2 months ago

Level 58

Great questions! Here’s a systematic approach to planning permissions for your Laravel ticketing app:

1. Start With User Stories & Actions:
List all user actions (based on real scenarios), not just CRUD. For a ticketing system, actions might include: create, view, update, delete, assign, escalate, comment, upload_attachment, change_status, export_report, view_sla, etc.

2. Map Actions to Permissions:
Decide on permission granularity. For fields that require distinct access patterns (like assigning vs updating status), create separate permissions:

update_ticket_details
update_ticket_status
assign_ticket
add_ticket_comment
upload_ticket_attachment
escalate_ticket

Start granular; you can always group in roles later.

3. Controller/Route Analysis:
Walk through each controller and route method. For each, mark the user action required and map to a permission. Build a spreadsheet or mindmap—this exposes gaps and avoids overlaps.

4. Permissions Generator:
Consider a custom command to yank all controllers, reflect on their methods, and suggest permission names (e.g., analyze methods prefixed with CRUD verbs). This isn’t perfect but can highlight missing ones.

Example basic seeder using arrays

$permissions = [
    'view_any_ticket', 'view_ticket', 'create_ticket', 'update_ticket_details', 'update_ticket_status',
    'assign_ticket', 'add_ticket_comment', 'upload_ticket_attachment', 'escalate_ticket',
    'view_report', 'view_sla', /* etc. */
];

foreach ($permissions as $perm) {
    Permission::findOrCreate($perm);
}

5. Patterns & Recommendations:

Permissions per action, not per field unless your workflow demands deep granularity.
Permissions for meta-actions: assign_role, revoke_role, manage_permissions.
Use Policies for complex logic (e.g., "can update ticket if agent assigned"), but simple can() for basic permissions.
Audit log access should have its own permission.

6. Tools:
No definitive auto-generator, but laravel-permission works well with simple arrays. For semi-automatic discovery, try spatie/laravel-route-discovery for insight.

Summary:

List app-specific user stories.
Extract every meaningful action.
Map each to a permission.
Review by controller.
Use Policies where logic gets hairy.
Simple scripts or arrays suffice for seeding.
Err on the side of "too many" fine-grained permissions—roles glue them together anyway.

And don’t stress too much! This stuff is iterative—add to your set as you find new workflows or edge cases.

1 like

jlrdw

2 months ago

Level 75

Why would this be an API? Sounds like a regular web app would work?

minaremonshaker

2 months ago

Level 6

What do you mean by reguler web app do you mean app that uses blade or react ?

DigitalArtisan

2 months ago

Best Answer

Level 2

Struggling to identify ALL permissions without missing edge cases or over-engineering.

You should write tests.

Authorization tests help you discover missing permissions and edge cases early, and prevent over-engineering. If a permission rule is hard to test, it’s usually too complex or unclear.

Please or to participate in this conversation.