Best practise for assigning roles vs permissions?

[guestisp]

Hi all
Trying to implement a (simple) ACL to an application with laravel-permission

Simple question: should I use roles or directly the permissions on each user ?
In example, should I create a role writer, assign permissions to it and then assign the role to the user or just assign each single permissions to the user ?

Asking this because some users should not have the full role capabilities, in example, there are read-only writers, read-write writers and so on. Keeping tons of roles seems complicated and i didn't find a way to REMOVE a single permission to a user but still keeping the user assigned to the role (ie: read-write roles but with write permission removed for that single user)

What do you suggest ? Should I create individual permissions and work directly with them ?

[erikn69]

Documentation
https://spatie.be/docs/laravel-permission/v5/best-practices/roles-vs-permissions

i didn't find a way to REMOVE a single permission to a user but still keeping the user assigned to the role

You can make your own trait, example: #1895 (comment)
Also you can use gate https://spatie.be/docs/laravel-permission/v5/basic-usage/super-admin#gatebefore
There is many options only you have to read

[salamwaddah]

My understanding from your description of the writer is that a user should be able to write-read. My approach is to either

• Create a reader role and directly attach the writing permissions to specific users (I prefer this)
• Create separate reader with read only, writer with read-write << I understand you're trying to avoid many roles

In general, like documentation suggest you should be checking against permissions so either approaches won't matter.