authManager assign?

I'm making a website with multiple roles which users can have. These roles are 'guest','user' and 'admin'. With the possibility of adding more roles as the website grows, like 'moderator' and 'news poster'.

Now I understand how to make these roles and bind them with Operations etc., as explained in http://www.yiiframew…-access-control, and how to use the accessControl filter inside the controllers in combination with these roles.

What I don't understand is how I can assign these roles to my current userTable in the database.

In the AuthAssignment table these roles are assigned, binding them to a userID.

What I can do is the following, for each user that registers:

```php
<?php
$auth = Yii::app()->authManager;

// standard action when registering
$auth->assign('user', $userid);

// manual operations: elevated rights for some users
$auth->assign('moderator', $userid);
$auth->assign('news poster', $userid);
```


But what I want is that everyone who is logged in has the role 'user' by default, and that the authManager is also checked to see if the id has "elevated" rights, like 'moderator', 'news poster', 'admin' or a combination of those.

This way the authManager table isn't filled with thousands of "userid = 'user'" rows and maybe 10 admins/moderators.

Can someone explain to me what I have to do to make this work? Or maybe punch me in the face and tell me that what I'm doing, could be done much easier…

Yes, currently you have to assign each registered user with a role.

I think we can add some special roles to simplify this. Could you please create a ticket for it? Thanks.

Hi,

I have been working on almost the same thing.

Maybe you can use the accessRules to give everybody who is logged in the base rules and set another level of access rules for admins.

Like this:

```php
<?php
// a controller using the 'accessControl' filter; the class name is illustrative
class PostController extends Controller
{
    public function filters()
    {
        return array('accessControl'); // makes accessRules() apply
    }

    public function accessRules()
    {
        return array(
            array('allow',  // any authenticated user ('@') may 'list' and 'show'
                'actions'=>array('list','show'),
                'users'=>array('@'),
            ),
            array('allow',  // only users holding the 'moderator' role may 'delete'
                'actions'=>array('delete'),
                'roles'=>array('moderator'),
            ),
            array('deny',   // everything else; without this, unmatched requests are allowed
                'users'=>array('*'),
            ),
        );
    }
}
```


I think this will give everybody logged in the right to show and list but only moderators can delete. The moderators would still be able to perform show and list since they are logged in.

Is this what you were looking for?

PS: I have not tested this…

/John

Made a ticket:

http://code.google.c…id=162&sort=-id

With a simple suggestion.

@br0sk

Thanks for the suggestion. I will look into this to see if it will fit my needs.

Hi,

I was working on the same subject and I was thinking of introducing "user groups". I have no idea how it can be done (haven't thought about it yet), but the principle is simply to assign role(s) to groups of users instead of single users. For example, at registration time a new user would be added to a default group with already assigned roles. … Of course there's a lot more, like getting roles for a user who belongs to more than one group, etc…

That's just an idea … what do you think?

8)

That's called group-based RBAC. However, I think you may treat a group as just another kind of role. So it is not really necessary with our hierarchical RBAC.

The only missing part is the case RuudBurger described, i.e., we need some shortcut to represent roles that nearly every user is in. Otherwise, it is a big waste and maintenance headache to maintain these special roles.

Maybe another addition to the authManager could be caching.

When a user is logged in, I could imagine checking for the same 'rights' dozens of times during the usage of the website.

The outcome of "Yii::app()->user->checkAccess('createPost')" could be cached inside the users session.

With some extra options in the config, like duration.

```php
'authManager'=>array(
    'class'=>'CDbAuthManager',
    'connectionID'=>'db',
    // proposed extra options, not existing CDbAuthManager properties:
    'cache' => true,
    'duration' => 3600,
),
```
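The default-role idea from the opening post and the session-cache idea from this post, modelled together in Python as an added example (not Yii code and not from anyone in the thread); the hierarchy, the user ids 42 and 7 and the operation names are constructed:

```python
"""Model of the two ideas in this thread: an implicit default role for every
logged-in user (so only elevated rights are stored, like AuthAssignment rows)
and a per-session cache of checkAccess() results with a duration."""
import time

# Constructed sample hierarchy: item -> children it inherits (roles or operations).
HIERARCHY = {
    "admin": {"moderator", "news poster"},
    "moderator": {"user", "deletePost"},
    "news poster": {"user", "createPost"},
    "user": {"listPost", "showPost"},
}
DEFAULT_ROLES = {"user"}  # implied for every authenticated user, never stored
ASSIGNMENTS = {42: {"moderator"}, 7: {"admin"}}  # only the elevated few

def reaches(item, target):
    """True if `item` is `target` or inherits it somewhere below."""
    if item == target:
        return True
    return any(reaches(child, target) for child in HIERARCHY.get(item, ()))

def check_access(user_id, operation):
    """Uncached check: guests (user_id None) get no roles at all."""
    roles = set() if user_id is None else DEFAULT_ROLES | ASSIGNMENTS.get(user_id, set())
    return any(reaches(role, operation) for role in roles)

def revoke(user_id, role):
    ASSIGNMENTS.get(user_id, set()).discard(role)

class SessionAuthCache:
    """Caches check_access() per operation in one user's session for
    `duration` seconds; a revocation is not seen until the entry expires
    or invalidate() is called, which is the trade-off of caching."""
    def __init__(self, user_id, duration=3600, clock=time.time):
        self.user_id, self.duration, self.clock = user_id, duration, clock
        self._entries = {}  # operation -> (allowed, expires_at)

    def check_access(self, operation):
        now = self.clock()
        hit = self._entries.get(operation)
        if hit is not None and hit[1] > now:
            return hit[0]
        allowed = check_access(self.user_id, operation)
        self._entries[operation] = (allowed, now + self.duration)
        return allowed

    def invalidate(self):
        self._entries.clear()
```

The `duration` is the thread's proposed config option; the cache deliberately shows that a revoked role keeps working from the cache until the entry expires or the session cache is invalidated.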


Yes, we may implement that. Could you please create a ticket for this? Thanks.

Done!

http://code.google.c…s/detail?id=163