Apurba Singh
I’m a Python Developer — So I Built a Better IAM System for Laravel

I’m a Python/FastAPI Developer — So I Built an IAM System in Laravel
As a backend developer working with FastAPI, Django, and Flask, I’ve always cared deeply about clean architecture and scalable authorization systems.
But every time I built a SaaS product, I ran into the same problem:
👉 Permissions become messy… very quickly.


🧠 The Real Problem: Contextual Authority
Let’s say:
• A user is a Manager in Branch A
• The same user is a Viewer in Branch B
Most RBAC systems struggle here.
You either:
• add tons of conditional logic ❌
• or end up with tightly coupled, hard-to-maintain permission rules ❌


😵 The Breaking Point
When systems grow, you start seeing:
• Role explosions (too many roles)
• Nested dependencies
• Hardcoded permission checks
• “Who can do what?” becomes unclear
I faced this repeatedly in Python projects…
and surprisingly, the same issue exists in Laravel.

🚀 So I Built: Laravel IAM (v0.2.0)
Instead of patching the problem, I designed a system that handles:
✔ Contextual permissions (per scope: tenant, team, branch)
✔ Wildcard permissions (expense.*, *.*)
✔ Hierarchical access (manage → all actions)
✔ Dynamic resolution (no hardcoded roles)

⚙️ The Core Idea: “Four Levels of Truth”
The engine resolves permissions using a layered approach:

  1. Direct Permission → exact match
  2. Wildcard Match → resource.*
  3. Hierarchy Rule → resource.manage
  4. Global Access → *.*
This allows instant and predictable permission resolution — even in complex SaaS environments.
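The layered lookup above, sketched in plain PHP as an added example (this is not the package's own code). The grant store, the scope strings such as `branch:A` and the `resolve()` function are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: grants are keyed by user AND scope, so one user
// can be a Manager in Branch A and only a Viewer in Branch B.
const GRANTS = [
    'user:1' => [
        'branch:A' => ['expense.manage'],
        'branch:B' => ['expense.view', 'report.*'],
    ],
    'user:2' => ['branch:A' => ['*.*']],
];

/**
 * Hypothetical resolver, not the package's code. Returns the name of the
 * level that granted access, or null. Deny is the default: unknown users,
 * unknown scopes and malformed permission names all end at null.
 */
function resolve(string $user, string $scope, string $permission): ?string
{
    // Accept only "resource.action"; "expense", "a.b.c" or "*.*" as a
    // requested permission never match anything.
    if (preg_match('/\A[a-z0-9_]+\.[a-z0-9_]+\z/', $permission) !== 1) {
        return null;
    }
    [$resource] = explode('.', $permission);
    $held = GRANTS[$user][$scope] ?? [];

    // One exact, strict comparison per level. No prefix or substring
    // matching, so "expense.*" cannot leak into "expenses.approve".
    $levels = [
        'direct'    => $permission,
        'wildcard'  => $resource . '.*',
        'hierarchy' => $resource . '.manage',
        'global'    => '*.*',
    ];
    foreach ($levels as $level => $needed) {
        if (in_array($needed, $held, true)) {
            return $level;
        }
    }
    return null;
}

// Same user and permission, different scope, different answer.
foreach (['branch:A', 'branch:B', 'branch:C'] as $scope) {
    printf("user:1 %s expense.approve => %s\n", $scope,
        resolve('user:1', $scope, 'expense.approve') ?? 'denied');
}
```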

🔥 Why Not Just Use Existing Packages?
Packages like Spatie are great for basic RBAC 👏
But they don’t fully solve:
• Context-based access control
• Dynamic multi-tenant systems
• Workflow-aware permission resolution

💡 Example
IAM::can($user, 'expense.approve');
No complex conditionals.
No hardcoded roles.
Just clean, predictable logic.

🛠️ Open Source — Try It
I’ve open-sourced the project and would love feedback from the community:
📦 Packagist: https://packagist.org/packages/apurba-labs/laravel-iam
💻 GitHub: https://github.com/apurba-labs/laravel-iam

💬 Let’s Discuss
How do you handle contextual permissions in your projects?
Have you faced similar issues with RBAC systems?
