YII2 Role Based Access Control

Role Based Access Control (RBAC)

Role-Based Access Control (RBAC) provides a simple yet powerful centralized access control. Please refer to the Wikipedia for details about comparing RBAC with other more traditional access control schemes.

Yii implements a General Hierarchical RBAC, following the NIST RBAC model. It provides the RBAC functionality through the authManager application component.

Using RBAC involves two parts of work. The first part is to build up the RBAC authorization data, and the second part is to use the authorization data to perform access check in places where it is needed.

To facilitate our description next, we will first introduce some basic RBAC concepts.

Basic Concepts

A role represents a collection of permissions (e.g. creating posts, updating posts). A role may be assigned to one or multiple users. To check if a user has a specified permission, we may check if the user is assigned with a role that contains that permission.

Associated with each role or permission, there may be a rule. A rule represents a piece of code that will be executed during access check to determine if the corresponding role or permission applies to the current user. For example, the “update post” permission may have a rule that checks if the current user is the post creator. During access checking, if the user is NOT the post creator, he/she will be considered not having the “update post” permission.

Both roles and permissions can be organized in a hierarchy. In particular, a role may consist of other roles or permissions; and a permission may consist of other permissions. Yii implements a partial order hierarchy which includes the more special tree hierarchy. While a role can contain a permission, it is not true vice versa.

Configuring RBAC                  

Before we set off to define authorization data and perform access checking, we need to configure the authManager application component. Yii provides two types of authorization managers: yii\rbac\PhpManager and yii\rbac\DbManager. The former uses a PHP script file to store authorization data, while the latter stores authorization data in a database. You may consider using the former if your application does not require very dynamic role and permission management.

Most Of RBAC  cofiguration use yii\rbac\DbManager

Using PhpManager

Step – 1

Setting app/config/web.php and app/config/console.php

Note: If you are using yii2-advanced-app template, authManager should be declared only once in common/config/main.php.

Open your root application, running command(cmd/terminal):

yii migrate –migrationPath=@yii/rbac/migrations

Check the RBAC tables exist there. (auth_assignment, auth_item, auth_item_child, auth_rule and user)


Step – 2

Generate models(using Gii), more better in common modules:







Step – 3

For this testing, create simple post. Include standard action (index, create, view, update, delete). Index Route: “auth/post/index”

Create simple Rbac Controller: permission from route, role, user assigment rule.


Step – 4

Create permission  in controller




Step – 5

Create Role in controller


Step – 6

User Assignment Controller


Step – 7

Update behaviors for RBAC Access Control



Step – 8

Check each action (index, create, view, update, delete) for all access in simple post we created before.

Permission for Admin: All author roles and update, delete

Permission for User: Only index, create and view post. Access denied for update and delete actions.

I hope you now have a better understanding of how YII2 RBAC works. Even if you end up doing the majority of your development using a MVC framework, its very important to have a core understanding of the fundamentals in MVC Architecture. If you have any specific questions about this tutorial please comment below.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s