Access Control

Open-Admin has built-inRBAC permissions control module, expand the left sidebar Auth, you can see user, permissions and roles management panel, the use of permissions control as follows:

Route permission

In the Open-Admin, the permissions and routes are bound together, in the edit permission page which set the current permissions can access the routing, in the HTTP method select box to select the method of access to the path, in the HTTP path textarea fill in the path to access.

For example, to add a permission, the permission can access the path /admin/users in GET method, then HTTP method select GET, HTTP path fill in /users.

If you want to access all paths with the prefix /admin/users, then the HTTP path fill in /users*, if the permissions include multiple access paths, wrap the line for each path.

Page permission

If you want to control the user's permissions in the page, you can refer to the following example


For example, there is now a scene, here is a article module, we use create articles as an example

At first open http://localhost/admin/auth/permissions, fill up slug field with text create-page, and Create Page in name field, then assign this permission to a role.

In your AdminController action:

use OpenAdmin\Admin\Auth\Permission;
use OpenAdmin\Admin\Layout\Content;

// hook into the an Admincontroller
class PageController extends AdminController
    public function create(Content $content)
        // check permission, only the roles with permission `create-page` can visit this action
        return parent::create($content);


If you want to control the page elements of the user's display, then you need to first define permissions, such as delete-image and view-title-column, respectively, to control the permissions to delete pictures and display a column in grid, then assign these two permissions to roles, add following code to the grid:

$grid->actions(function ($actions) {

    // The roles with this permission will not able to see the delete button in actions column.
    if (!Admin::user()->can('delete-image')) {

// Only roles with permission `view-title-column` can view this column in grid
if (Admin::user()->can('view-title-column')) {

Other methods

Get current user object.


Get current user id.


Get user's roles.


Get user's permissions.


Note: only permission direcly assigned to uses, so not the permissions from the assigned roles)

User is role.


User has permission.


User don't has permission.


Is user super administrator.


Is user in one of roles.

Admin::user()->inRoles(['editor', 'developer']);

Permission middleware

You can use permission middleware in the routes to control the routing permission

// Allow roles `administrator` and `editor` access the routes under group.
    'middleware' => 'admin.permission:allow,administrator,editor',
], function ($router) {

    $router->resource('users', UserController::class);


// Deny roles `developer` and `operator` access the routes under group.
    'middleware' => 'admin.permission:deny,developer,operator',
], function ($router) {

    $router->resource('users', UserController::class);


// User has permission `edit-post`、`create-post` and `delete-post` can access routes under group.
    'middleware' => 'admin.permission:check,edit-post,create-post,delete-post',
], function ($router) {

    $router->resource('posts', PostController::class);