Authorization - Role Groups

I have been experimenting with the RBAC Authorization in Yii, and have come across a few questions that I can not find an answer to!

So here goes…

  1. Is it possible to make groups of roles so that a user can only have one role in a group?

    • To clarify lets say we have two "sets" of roles (document_roles: reader, editor) and (project_roles: administrator, normal_user)

    • Any user can have at most 1 role from document_roles and 1 from project_roles

    • So a user could be administrator and reader.

    • No user should be allowed to be both reader and editor nor administrator and normal_user

  2. Can I assign the same role multiple times but with dependencies to a context, and how?

    • Again to clarify, lets say we have many projects and a given user could be given a role with regards to any of these.

    • Eg. user A could be assigned as Admin for Project1 and as User for Project2

Any help will be appreciated!

/Jeppe S. Sørensen

have look at this in depth wiki article explaining rbac

Thanks that clarified a lot of things. :D

I experimented some more and as I understand it,

Yii doesn’t support assigning roles based on context. :blink:

However as I understood I can achieve the same by means of bizrules,

by assigning all roles to all users (as default roles in the config).

So each role has a bizrule that verifies if the role is valid for the user.

Not exactly beautiful but I can live with it. <_<

Or did I miss something??? :unsure:

Also to verify an action on a controller I can now add the role in the accessRules and supply the parameters as needed to verify that the user has that role. :)

But I still have to add a list of actions which are valid for the user … :huh:

This seems like double bookkeeping to me as I already defined which operations a role should grant access to.

And apparently those “operations” are only good for doing checks via user->checkAccess(). >:(

Or is there some other way??

To me it would make more sense if I could make a mapping of actions eg:

public function accessRules()


	return array(


		'rbacactions'	=> array(

			'view'	=> array( 'viewDocument' => array('document') ),

			'edit'	=> array( 'editDocument' => array('document') )




public function getContextParam($param)


	if($param == "document")

		return Document::model()->findByPk(0 /* some context param*/ );

	return NULL;


If the action is ‘view’ the access control should do the following:

Yii::App()->user->checkAccess(‘viewDocument’, array(‘document’ => this->getContextParam(‘document’));

  1. This way parameters should only be look up if needed (eg. first matching operation,role) stops any subsequent requests.

  2. Parameters can be cached and reused for subsequent accessRule blocks/calls.

  3. Actions could reuse cached models if the controller had a method that made them available.

Is there any way to do something like this?

If not, I might go ahead and implement this scheme myself…