Avoid backend login for users with a specified role

Hi there everybody, :)

I am building an advanced Yii2 project (with frontend and backend) where the backend part has the url www.example.com/admin, so far so good. I have created, using RBAC, two roles, (admin and users) and I would like to avoid that users can access to the backend part. I was thinking about creating a rule to attach to the user role that basically check the url and return a 403 Forbidden if the url contains the admin substring. I am not sure whether this could be the best way to achieve my goal or there might be better solutions.

Thanks in advance!

You can require a certain role for the back-end:


Many thanks for your suggestion, :D I have implemented a rule on the behaviors() method of the backend site controller and it works like a charm:

public function behaviors() {

         return [

             'access' => [

                 'class' => AccessControl::className(),

                 'only' => ['login', 'index', 'logout', 'signup'],

                 'rules' => [


                         'actions' => ['login', 'index'],

                         'allow' => false,

                         'roles' => ['User_role_name_that_should_not_login_on_backend'],

                         'denyCallback' => function($rule, $action) {//do something like redirect to frontend}



            //other rules ...


However I have other controllers on my backend and I would like to avoid the possibility that users could invoke their actions, I should add rules on their behavior() methods for each backend controller am I right? I was looking for a less boilerplate option…

I would invert your logic.

You are checking whether a user does have a certain role and then you deny them access.

Instead, give your back-end users a certain role that regular users don’t have and require that for access.

How? can you explain me please I have the same situation and I don´t know how to…?

Check out the guide:


This tutorial could be useful

Sorry for late reply…

As a quick and dirty workaround, at the end of the day, I have attached an anonymous function that is executed on the beforeAction of each backend controller action: I have declared it in the backend/config/main.php in this way:

return [    


'controllerNamespace' => 'backend\controllers',

'on beforeAction' => function($event) {                         

     $user = \Yii::$app->user;                             

     if ($user->isGuest || $user->identity->isSomeRole()) {




'modules' => [...],


In the User Model class (that implements the IdentityInterface) I have created some methods that basically tells you which role the current user belongs (like isSomeRole() method in the code snipped example). That’s it! :D