What API development services do you offer?

We offer REST API development, GraphQL APIs, third-party API integration, Laravel API development, and API security implementation. We also provide DevOps services including AWS infrastructure and CI/CD pipelines.

Where are you based and do you work with clients across the UK?

We're based in Leeds, West Yorkshire, but we work with clients across the entire United Kingdom including London, Manchester, Birmingham, and beyond. We work remotely with businesses throughout Britain.

What technologies do you specialise in?

We specialise in Laravel and PHP for backend development, along with RESTful APIs, GraphQL, Node.js, AWS, Docker, Kubernetes, and CloudFlare. We also work with MySQL and PostgreSQL databases.

Do you provide ongoing support after project completion?

Yes, we offer ongoing support and maintenance packages to ensure your APIs and applications continue running smoothly. This includes monitoring, updates, security patches, and performance optimisation.

What Is RBAC, and Why Every Business Needs It

Most web applications start with a simple access model: there are administrators, and there are regular users. Administrators can do everything; users can do most things. It is quick to build, easy to understand, and entirely adequate for an early-stage product with a handful of internal users. As soon as the business grows - more staff, more clients, more sensitive data, more regulatory obligations - that model starts to create real problems. Role-based access control, or RBAC, is the solution most organisations eventually need. This post explains what it is, why it matters beyond the technical team, and how to implement it properly.

What RBAC is

Role-based access control is a method of restricting access to systems and data based on the roles assigned to users rather than on individual user-level permissions. Instead of configuring what each specific user can see and do, you define roles - collections of permissions - and assign those roles to users. A user's access is determined entirely by the roles they hold.

The three core concepts are straightforward:

Permissions - individual actions that can be performed, such as view invoices, edit products, or delete users.
Roles - named groups of permissions, such as Accountant, Warehouse Manager, or Support Agent.
Users - individuals assigned one or more roles, inheriting the permissions of those roles.

A typical e-commerce business might define roles like Store Manager (view and edit orders, products, and customers), Inventory Staff (view and edit products only), and Finance (view invoices and financial reports only). Each employee gets the role that matches their job function. If their responsibilities change, you update their role assignment - not a bespoke list of individual permissions.

Why a simple admin/user split is not enough

The binary admin/user model fails in predictable ways as a business scales.

The most common problem is over-permissioning. When the only alternative to full admin access is standard user access, teams grant admin access liberally to anyone who occasionally needs an elevated action. The result is a system where a significant proportion of users have far more access than their day-to-day work requires. Every one of those accounts is a potential attack surface. If an admin account is compromised - through a phishing attack, a weak password, or credential reuse - the attacker has access to everything.

The second problem is under-permissioning. Users who genuinely need elevated access to specific areas find themselves locked out of what they need, creating pressure to either grant full admin rights or build ad-hoc workarounds that bypass the access model entirely. Neither outcome is acceptable.

The third problem is auditability. When something goes wrong - data is deleted, a record is changed incorrectly, a sensitive report is accessed unexpectedly - a flat access model makes it very difficult to determine who had access to what and when. Demonstrating compliance to an auditor or regulator becomes equally difficult.

The principle of least privilege

RBAC is the practical implementation of a security principle that regulators and security standards consistently require: least privilege. Every user should have access to the minimum set of resources and actions required to perform their job function, and nothing more.

Under UK GDPR, organisations are required to implement appropriate technical measures to ensure data security, which includes restricting access to personal data to those who genuinely need it. A customer service agent who handles order queries does not need access to financial reports containing revenue data. A warehouse operative does not need access to customer contact information. When personal data is accessed by people who have no business reason to access it, that is a compliance failure - whether or not any harm results.

RBAC is one of the primary technical mechanisms for demonstrating that your organisation takes least privilege seriously. Without it, access decisions are made informally, documented inconsistently, and very difficult to audit.

RBAC and employee offboarding

One of the most overlooked benefits of RBAC is how it simplifies employee offboarding. When a member of staff leaves the organisation, disabling their account revokes all access immediately - every permission, every resource, every system that relied on their role assignments. There are no individually configured permissions to audit and remove, no ad-hoc access grants to track down, no risk of missing an obscure elevated permission that was added three years ago and never documented.

This matters particularly for businesses that handle client data or sensitive financial information. A former employee retaining access to production systems - even temporarily, even unintentionally - is a data breach risk that is entirely preventable with a well-implemented access control model.

Implementing RBAC in Laravel

For Laravel applications, the most widely used RBAC implementation is Spatie's laravel-permission package. It provides a clean, well-documented API for defining roles and permissions, assigning them to users, and checking them in controllers, middleware, and Blade templates.

Installation and setup:

composer require spatie/laravel-permission
php artisan vendor:publish --provider="SpatiePermissionPermissionServiceProvider"
php artisan migrate

Add the HasRoles trait to your User model:

use SpatiePermissionTraitsHasRoles;
class User extends Authenticatable { use HasRoles; }

Creating roles and permissions and assigning them to users:

$role = Role::create(['name' => 'store-manager']);
$permission = Permission::create(['name' => 'edit products']);
$role->givePermissionTo('edit products');
$user->assignRole('store-manager');

Checking permissions in controllers:

$this->authorize('edit products');
// or
if ($request->user()->can('edit products')) { ... }

Protecting routes with middleware:

Route::middleware(['auth', 'role:store-manager'])->group(function () {
Route::get('/products/edit', [ProductController::class, 'edit']);
});

The package handles caching of roles and permissions automatically, so the additional database queries per request are minimised in production.

Beyond the technical implementation

RBAC is not purely a technical decision - it is a business process. The most common implementation failure is not technical; it is organisational. Roles are defined at project inception, never reviewed, and gradually become detached from the actual structure of the business. New staff members are assigned whichever role seems closest to their function rather than the role that accurately represents their access needs. Permissions accumulate in roles over time without any formal review process.

A well-implemented RBAC system requires periodic review. At a minimum, roles and their associated permissions should be reviewed annually, or whenever there is a significant change to the team structure, the application's functionality, or the regulatory environment. The review should ask: are the roles still aligned with the actual job functions in the business? Does any role contain permissions that its holders do not genuinely need? Are there users assigned to roles that no longer match their responsibilities?

This is not a significant operational burden - for most small and medium businesses, a role review is a short meeting and a handful of configuration changes. But without it, the access model drifts, least privilege erodes, and the compliance and security benefits of having implemented RBAC in the first place are quietly lost.

A foundation, not a feature

Role-based access control tends to be treated as a feature to be added when the business asks for it, or when a security audit flags its absence. It is better understood as a foundation - something built in from the start, maintained consistently, and reviewed regularly. The cost of implementing it correctly at the outset is low. The cost of retrofitting it into a mature application, after years of informal access grants and ad-hoc permission decisions, is considerably higher.

If your application handles personal data, financial information, or any data that is sensitive to your clients, RBAC is not optional. It is the minimum standard that good data stewardship requires, and increasingly the minimum standard that regulators will expect to see evidence of.