forgetCachedPermissions(); $permissions = [ // User Management 'user.view', 'user.create', 'user.edit', 'user.delete', 'user.restore', 'user.force-delete', 'user.export', 'user.import', // Role Management 'role.view', 'role.create', 'role.delete', 'role.manage', // Notification broadcast 'notifications.view', 'notifications.send', // Activity Logs 'activity-logs.view', 'activity-logs.delete', // System Settings 'settings.view', 'settings.edit', 'settings.test-email', // Internal Documentation 'documentation.view', ]; foreach ($permissions as $permission) { Permission::firstOrCreate(['name' => $permission, 'guard_name' => 'web']); Permission::firstOrCreate(['name' => $permission, 'guard_name' => 'api']); } // user — read-only basic access $user = Role::firstOrCreate(['name' => 'user', 'guard_name' => 'web']); $user->syncPermissions([ 'user.view', ]); // admin — full operational, governance, and reporting access, no raw system configuration $admin = Role::firstOrCreate(['name' => 'admin', 'guard_name' => 'web']); $admin->syncPermissions([ 'user.view', 'user.create', 'user.edit', 'user.delete', 'user.restore', 'user.export', 'user.import', 'role.view', 'role.create', 'role.delete', 'role.manage', 'notifications.view', 'notifications.send', 'activity-logs.view', ]); // super-admin — absolute root access $superAdmin = Role::firstOrCreate(['name' => 'super-admin', 'guard_name' => 'web']); $superAdmin->syncPermissions(Permission::where('guard_name', 'web')->get()); } }