· yebor974 · Getting Started, Tutorials, Advanced Techniques

Handle authorization in Filament: Policies, Roles & Guards

Learn how to manage access in Filament using Laravel policies, roles, and permissions. A clear, beginner-friendly guide to secure your admin panel.

If you're building an admin panel with FilamentPHP and wondering:

“How can I control what each user can access or modify?”

You're asking the right question, and you're about to get a clear, updated answer.

In this guide, we’ll explore how authorization works in Filament, how it integrates with Laravel's policy system, and how you can control user access with clarity.

🧱 What is authorization in Filament?

Filament builds on top of Laravel's native authorization layer, mainly using:

  • The FilamentUser interface to control access to the admin panel
  • Laravel Policies to control permissions on resources
  • Optional integration with Spatie Permissions or Filament Shield for roles

Let’s dive into each layer.

Step 1: Granting access to the Admin Panel

To prevent unauthorized users from accessing your admin interface, Filament requires your User model to implement the FilamentUser interface.

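use Filament\Models\Contracts\FilamentUser;
use Filament\Panel;
use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable implements FilamentUser
{
    // Filament calls this to decide whether the authenticated user may enter the panel.
    public function canAccessPanel(Panel $panel): bool
    {
        return $this->is_admin; // Or check for roles/permissions here
    }
}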

You can check any logic you want — roles, teams, email domains, etc.

If you forget to implement FilamentUser and define the canAccessPanel() method, your panel may be exposed to all authenticated users.

Step 2: Using Policies in Laravel

Since Laravel 11+, policies are auto-discovered — you don't need to register them manually.

Create a policy:

php artisan make:policy PostPolicy --model=Post

Then define your authorization logic:

public function update(User $user, Post $post): bool
{
    return $user->id === $post->author_id;
}

Filament will automatically apply these methods in the UI (buttons, actions, forms) — no extra setup needed.

Supported policy methods in Filament

Filament checks for a wide set of policy methods, depending on the action and the state of your model:

Basic Actions:

  • viewAny(User $user)
  • view(User $user, Post $post)
  • create(User $user)
  • update(User $user, Post $post)
  • delete(User $user, Post $post)
  • deleteAny(User $user)

Soft Delete support:

  • restore(User $user, Post $post)
  • restoreAny(User $user)
  • forceDelete(User $user, Post $post)
  • forceDeleteAny(User $user)

Filament doesn't call these soft delete policies unless the corresponding actions are explicitly enabled in the resource.

If no policy is registered for a model, Laravel allows the action. But if a policy exists and the required method is missing, Laravel will deny access.
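
A test that guards both failure modes described so far: the panel gate from Step 1 and the allow-by-default fallback when a model has no policy. This is an added example, not code from the original article; it assumes a stock Laravel test setup (Tests\TestCase, a User factory with an is_admin column) and a panel served at /admin.

```php
<?php
// Added example. Assumptions: Tests\TestCase, App\Models\User with an
// is_admin column and a factory, and a Filament panel served at /admin.

namespace Tests\Feature;

use App\Models\User;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Gate;
use Tests\TestCase;

class PanelAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_user_failing_can_access_panel_gets_403(): void
    {
        $user = User::factory()->create(['is_admin' => false]);

        // canAccessPanel() returns false, so the panel must answer 403.
        $this->actingAs($user)->get('/admin')->assertForbidden();
    }

    public function test_every_resource_model_has_a_complete_policy(): void
    {
        // The basic policy methods listed above.
        $required = ['viewAny', 'view', 'create', 'update', 'delete', 'deleteAny'];

        foreach (Filament::getPanels() as $panel) {
            foreach ($panel->getResources() as $resource) {
                $model = $resource::getModel();
                $policy = Gate::getPolicyFor($model);

                // A model without a policy is allowed by default: fail the build instead.
                $this->assertNotNull($policy, "{$resource}: no policy for {$model}");

                foreach ($required as $method) {
                    $this->assertTrue(
                        method_exists($policy, $method),
                        "{$resource}: policy is missing {$method}()"
                    );
                }
            }
        }
    }
}
```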

Step 3: Overriding permissions directly in a Filament Resource

For quick use cases, you can override permission methods directly in your Resource class instead of defining a full policy:

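// Inside your Resource class; requires: use Illuminate\Database\Eloquent\Model;

public static function canCreate(): bool
{
    return auth()->user()->is_admin;
}

// Resource permission methods are static, like canCreate() above.
public static function canEdit(Model $record): bool
{
    return $record->author_id === auth()->id();
}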

But be careful:

  • This is great for simple logic.
  • For consistency, prefer policies in production apps with more than one resource.

Step 4: Add roles & permissions management

If you need a full role/permission system, you can integrate Spatie Laravel Permission or Filament Shield.

What does Spatie Laravel Permission give you?

Spatie Laravel Permission is a powerful package that adds role and permission management directly to your Laravel app. It doesn’t depend on Filament but integrates nicely.

  • Create and assign roles (e.g. admin, editor, user)
  • Define granular permissions (e.g. edit post, delete user)
  • Attach permissions to users or roles
  • Use Laravel’s native can() and @can directives
  • Built-in artisan commands for role/permission management
  • Supports multiple guards (e.g. web, admin)

Example usage:

$user->assignRole('editor');
$user->hasPermissionTo('edit articles');

In Filament, you can check these with:

return auth()->user()->can('edit articles');

Spatie Laravel Permission is a solid foundation if you want to control access but don’t need a full UI like Filament Shield.

What does Filament Shield give you?

Filament Shield Plugin is based on Spatie Laravel Permission and adds a full UI and auto-permission system for Filament with:

  • Role/permission UI inside your Filament panel
  • Auto-generated permissions for each resource/action
  • Seamless integration with Laravel policies

Once installed, you can assign permissions like view_user, create_post, delete_order, etc., per role or user.

About auth guards in Filament

Filament uses the guard defined in your panel configuration under auth.guard. This might be web, or any other name you choose.

If you're using Spatie Laravel Permission (or any other permission system based on guards), you must specify the correct guard when checking for permissions.

Example using Spatie's hasPermissionTo() with Filament's guard:

public function delete(User $user, Team $team): bool
{
    return $user->hasPermissionTo('delete team', filament()->getAuthGuard());
}

Without specifying the guard, hasPermissionTo() may look at the default guard. Make sure your permissions and roles are created for the same guard you're using in your checks.
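
One way to keep permissions and checks on the same guard is to seed them from the panel's own configuration. This is an added example, not code from the original article; the panel id "admin", the "manager" role and the permission names other than 'delete team' are assumptions.

```php
<?php
// Added example. Assumptions: spatie/laravel-permission is installed,
// the panel id is "admin", and "manager" is a hypothetical role name.

namespace Database\Seeders;

use Filament\Facades\Filament;
use Illuminate\Database\Seeder;
use Spatie\Permission\Models\Permission;
use Spatie\Permission\Models\Role;
use Spatie\Permission\PermissionRegistrar;

class PanelPermissionSeeder extends Seeder
{
    public function run(): void
    {
        // Read the guard from the panel so seeding and policy checks cannot drift apart.
        $guard = Filament::getPanel('admin')->getAuthGuard();

        // Drop the cached permission list before changing it.
        app(PermissionRegistrar::class)->forgetCachedPermissions();

        // Create each permission for the panel guard, not the application default.
        foreach (['view team', 'update team', 'delete team'] as $name) {
            Permission::findOrCreate($name, $guard);
        }

        // Roles are guard-scoped too; this one is created for the same guard
        // and deliberately left without 'delete team'.
        Role::findOrCreate('manager', $guard)
            ->givePermissionTo(['view team', 'update team']);
    }
}
```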

If you're unsure how guards work or how to configure them, check out our dedicated article:

👉 How Auth Guards Work in Filament

Final thoughts

Filament makes authorization much easier by staying close to Laravel’s standards — but with a few important extras.

✅ Use FilamentUser to control access to the admin panel
✅ Use Laravel policies for clean, scalable access control
✅ For role-based systems, consider Filament Shield Plugin or Spatie Laravel Permission (my favorites)
✅ Mind the guards, soft deletes, and policy naming

Get your authorization right early — it’s a foundation your app’s integrity will depend on.

yebor974
Freelance - French IT Engineer passionate about Laravel and Filament PHP, creating innovative solutions to simplify web development.