Role Based Access Control (RBAC)
Role-Based Access Control (RBAC) provides a simple yet powerful centralized access control. Please refer to the Wikipedia for details about comparing RBAC with other more traditional access control schemes.
Yii implements a General Hierarchical RBAC, following the NIST RBAC model. It provides the RBAC functionality through the authManager application component.
Using RBAC involves two parts of work. The first part is to build up the RBAC authorization data, and the second part is to use the authorization data to perform access check in places where it is needed.
To facilitate our description next, we will first introduce some basic RBAC concepts.
A role represents a collection of permissions (e.g. creating posts, updating posts). A role may be assigned to one or multiple users. To check if a user has a specified permission, we may check if the user is assigned with a role that contains that permission.
Associated with each role or permission, there may be a rule. A rule represents a piece of code that will be executed during access check to determine if the corresponding role or permission applies to the current user. For example, the “update post” permission may have a rule that checks if the current user is the post creator. During access checking, if the user is NOT the post creator, he/she will be considered not having the “update post” permission.
Both roles and permissions can be organized in a hierarchy. In particular, a role may consist of other roles or permissions; and a permission may consist of other permissions. Yii implements a partial order hierarchy which includes the more special tree hierarchy. While a role can contain a permission, it is not true vice versa.
Before we set off to define authorization data and perform access checking, we need to configure the authManager application component. Yii provides two types of authorization managers: yii\rbac\PhpManager and yii\rbac\DbManager. The former uses a PHP script file to store authorization data, while the latter stores authorization data in a database. You may consider using the former if your application does not require very dynamic role and permission management.
Most Of RBAC cofiguration use yii\rbac\DbManager
Step – 1
Setting app/config/web.php and app/config/console.php
Note: If you are using yii2-advanced-app template, authManager should be declared only once in common/config/main.php.
Open your root application, running command(cmd/terminal):
yii migrate –migrationPath=@yii/rbac/migrations
Check the RBAC tables exist there. (auth_assignment, auth_item, auth_item_child, auth_rule and user)
Step – 2
Generate models(using Gii), more better in common modules:
Step – 3
For this testing, create simple post. Include standard action (index, create, view, update, delete). Index Route: “auth/post/index”
Create simple Rbac Controller: permission from route, role, user assigment rule.
Step – 4
Create permission in controller
Step – 5
Create Role in controller
Step – 6
User Assignment Controller
Step – 7
Update behaviors for RBAC Access Control
Step – 8
Check each action (index, create, view, update, delete) for all access in simple post we created before.
Permission for Admin: All author roles and update, delete
Permission for User: Only index, create and view post. Access denied for update and delete actions.
I hope you now have a better understanding of how YII2 RBAC works. Even if you end up doing the majority of your development using a MVC framework, its very important to have a core understanding of the fundamentals in MVC Architecture. If you have any specific questions about this tutorial please comment below.