Authorization Using Rbac

Hi All,

I am trying to understand authorization in rbac and getting confused a bit with a couple of things.

In the accessControl rules i am using roles as such:

return array(

			array('allow',  // allow all users to perform 'index' and 'view' actions

				'actions'=>array('index', 'view'),



			array('allow', // allow authenticated user to perform 'create' and 'update' actions




			array('allow', // allow admin user to perform 'admin' and 'delete' actions




			array('deny',  // deny all users




I am also using the following setup :

$auth = Yii::app()->authManager;

        $auth->createOperation('createPost', 'create a post');

        $auth->createOperation('readPost', 'Read a post');

        $auth->createOperation('updatePost', 'update a post');

        $auth->createOperation('deletePost', 'delete a post');        


        $role = $auth->createRole('user');



        $role = $auth->createRole('author');



        $role = $auth->createRole('admin');





        $auth->assign('user', 3);

        $auth->assign('author', 2);

        $auth->assign('admin', 1);



There are 4 different operations with names (createPost, deletePost , readPost, udpatePost). However in the controller the action names are different such as actionIndex, actionView, actionCreate, actionDelete, actionUpdate and actionAdmin.

How are operations being mapped to controller actions.

Should more operations be created such as IndexPost, ViewPost etc …?

While using rbac, should we still keep the accesscontrol filter and rules as I have done here?

Lots of confusion and lost. Please shed some light. Cheers.

They aren’t mapped automatically. In your case they are not used. What you specify in access rules (‘roles’=>array(‘author’)) must strictly match your roles/operations/tasks names.

if you want to use those fine grained roles/operations, you need to use them in access rules:

return array(