TenantAtlas/app/Providers/AuthServiceProvider.php

<?php

namespace App\Providers;

use App\Models\ProviderConnection;
use App\Models\Tenant;
use App\Models\User;
use App\Policies\ProviderConnectionPolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [
        ProviderConnection::class => ProviderConnectionPolicy::class,
    ];

    public function boot(): void
    {
        $this->registerPolicies();

        Gate::define('provider.view', function (User $user, Tenant $tenant): bool {
            if (! $user->canAccessTenant($tenant)) {
                return false;
            }

            return $user->tenantRole($tenant)?->canViewProviders() ?? false;
        });

        Gate::define('provider.manage', function (User $user, Tenant $tenant): bool {
            if (! $user->canAccessTenant($tenant)) {
                return false;
            }

            return $user->tenantRole($tenant)?->canManageProviders() ?? false;
        });

        Gate::define('provider.run', function (User $user, Tenant $tenant): bool {
            if (! $user->canAccessTenant($tenant)) {
                return false;
            }

            return $user->tenantRole($tenant)?->canRunProviderOperations() ?? false;
        });
    }
}