By default, in our Team Multi-Tenancy module, every member of the team sees all entries of their team, and team users are managed only by the system administrator. Customers were asking us how to add a new role of “Team Admin” to manage users of their own team. So we created a demo-project with a repository.

As a starting point, I assume that you have already generated the admin panel with the Multi-Tenancy module and chose “Team” multi-tenancy, not “User”.

Next, I will show you how to add a “team admin” in 6 steps.


Step 1. Add new field in User model

We won’t add a new role to the existing ones (Admin & User), we will just add a field: users.team_admin – you can add it in QuickAdminPanel as a checkbox, or after download as “boolean” field in migrations and app/User.php.

Default should be false.

Schema::table('users', function (Blueprint $table) {
    $table->boolean('team_admin')->default(0)->nullable();
});

Step 2. User Model: Is Team Admin – Attribute

Let’s add another attribute to app/User.php that checks whether the user is a system admin or a team admin:

// That method exists by default in QuickAdminPanel
public function getIsAdminAttribute()
{
    return $this->roles()->where('id', 1)->exists();
}

// This is the new method
public function getIsTeamAdminAttribute()
{
    return $this->is_admin || $this->team_admin;
}

After doing that, we will be able to check it from anywhere, like $user->is_team_admin or auth()->user()->is_team_admin. And we will do exactly that, in the next step.


Step 3. Menu: show Users for Team Admin

By default, only the System Administrator sees the Users Management menu item in the left sidebar. Let’s change it.
We will use the new is_team_admin attribute, see below.

@can('user_management_access')
    @if(auth()->user()->is_team_admin)
        <li class="nav-item nav-dropdown">
            <a class="nav-link  nav-dropdown-toggle" href="#">
                <i class="fa-fw fas fa-users nav-icon">

                </i>
                {{ trans('cruds.userManagement.title') }}
            </a>
            {{-- ... other sub-menu items --}}
        </li>
    @endif
@endcan

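Also, we then need to grant user_management_access to all users. So we need to edit database/seeds/PermissionRoleTableSeeder.php. Note that dropping the 'user_' prefix check gives simple users every permission whose title starts with user_, not only user_management_access, which is why the controller check in Step 4 is required: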

Old:

$user_permissions = $admin_permissions->filter(function ($permission) {
    return substr($permission->title, 0, 5) != 'user_' 
        && substr($permission->title, 0, 5) != 'role_' 
        && substr($permission->title, 0, 11) != 'permission_';
});

Now:

// Simple users can't manage roles/permissions/teams, but can manage users now
$user_permissions = $admin_permissions->filter(function ($permission) {
    return substr($permission->title, 0, 5) != 'role_' 
        && substr($permission->title, 0, 11) != 'permission_' 
        && substr($permission->title, 0, 5) != 'team_';
});

Step 4. Additional Security in Controller

Of course, it’s not enough to show/hide menu items. We need to make sure that non-team-admins can’t access user management.

app/Http/Controllers/Admin/UsersController.php:

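public function index()
{
    // Old version:
    // abort_if(Gate::denies('user_access'), Response::HTTP_FORBIDDEN, '403 Forbidden');

    // New version: the permission alone is no longer enough, the user must also be a team admin
    abort_if(Gate::denies('user_access') || !auth()->user()->is_team_admin, Response::HTTP_FORBIDDEN, '403 Forbidden');

    // ... rest of the method is unchanged
}

You need to repeat that change in every UsersController method, adding the is_team_admin condition to each method's existing abort_if check.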


Step 5. User model is Multi-Tenant now

By default, users don’t have multi-tenancy, but now they should. So we make two changes in app/User.php: import MultiTenantModelTrait and add it to the traits the class uses:

use App\Traits\MultiTenantModelTrait;

class User extends Authenticatable
{
    use SoftDeletes, Notifiable, HasApiTokens, MultiTenantModelTrait;

    // ... other model's code
}

Step 6. User Create/Edit Form: Change Visible Fields

Finally, we need to change which role sees which fields in the user form.

– Administrator can choose a role, team admin can’t (role is hardcoded as Simple User then);
– Administrator can choose a team, team admin operates only within their own team.

For that, we make changes in resources/views/admin/create.blade.php and edit.blade.php in the same folder. These files are too big to include inline, so here’s a link to the repository commit.

See here – team administrator doesn’t see the role and the team choices.
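
Hiding the role and team fields in the Blade views only changes what the form displays, so the same two rules also have to hold for whatever the client actually posts. The following is an added example, not code from the demo repository: a helper that pins role and team for team admins before the data reaches the model. The function name restrictUserInput, role id 2 for Simple User, and the sample request are assumptions.

```php
<?php
// Added example (not from the demo repository): enforce Step 6's two rules on
// the server, because a hidden form field can still be submitted by the client.

// Assumption: "Simple User" is role id 2; the article only confirms Admin is id 1.
const SIMPLE_USER_ROLE_ID = 2;

/**
 * Return the attributes and role ids the acting user is allowed to set.
 *
 * $actor: the logged-in user (is_admin and team_id as used in the article).
 * $input: the submitted form data, e.g. $request->all().
 */
function restrictUserInput(object $actor, array $input): array
{
    if ($actor->is_admin) {
        // System administrator: role and team choices are accepted as submitted.
        return [
            'attributes' => array_diff_key($input, ['roles' => true]),
            'roles'      => array_map('intval', $input['roles'] ?? []),
        ];
    }

    // Team admin: discard any submitted role or team, then pin both values.
    $attributes = array_diff_key($input, ['roles' => true, 'team_id' => true]);
    $attributes['team_id'] = $actor->team_id;

    return ['attributes' => $attributes, 'roles' => [SIMPLE_USER_ROLE_ID]];
}

// Constructed sample: a team admin of team 7 posts fields the form never showed.
$teamAdmin = (object) ['is_admin' => false, 'team_admin' => true, 'team_id' => 7];
$posted    = ['name' => 'Eve', 'email' => 'eve@example.test', 'roles' => [1], 'team_id' => 3];

// Print the restricted result for inspection.
var_export(restrictUserInput($teamAdmin, $posted));

// Assumed use in UsersController::store() (update() would follow the same pattern):
//   $safe = restrictUserInput(auth()->user(), $request->all());
//   $user = User::create($safe['attributes']);
//   $user->roles()->sync($safe['roles']);
```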


And that’s it. With that, your Team Admin users will be able to add/edit other users of the same team.

Full code with repository changes: LaravelDaily/QuickAdminPanel-Team-Admin-Demo