Notice that everything is blacklisted by default now, so if you want to allow access to some actions, list them inside ‘actions’ array.
You can also use ‘except’ key to exclude some actions. For example:
'access' => [
'class' => 'yii\web\AccessControl',
'except' => ['index', 'view'], // this is for all
'rules' => [
'allow' => true,
'roles' => array['@'], // all the rest is for auth users only
It will allow users to trigger actions through something like GET (again an example - this is used by the GridView for filtering records - so it will allow such actions).
The following code will disable all actions for GUESTS.