Can I define my own access groups?


I saw that there are three predefined groups - guests, logged users and both. But, can I define my own ones, for example - VIP users and so on…?

In that case, you need to use roles. Check the guide about RBAC.

Qiang, I looked at the documentation about RBAC, but I didn't find the examples so easy. For example, there are some methods like create role, etc, for which there is code, but it isn't mentioned where to put this code.

In fact, I want to simply specify 4 groups - guest, user, vip, admin. If it is possible to specify the user's group on login and to use the default rules() and just say which role type is able to use the utility(controller).

I didn't find information about a possible way to use Yii::app()->user->something to assign the role or something similar.


Hi penkomitev

I've been looking at the whole roles thing today. I'll write a quick example I've been working on locally. It's not specific to your 4 roles but you can adapt:

Say we have a News management system, and we have the following actions we need to manage our news:

Create News, Update News, Publish news, Un-Publish News, Delete News

Some of these actions will be only accessible by certain users, for example we may have the following groups:

News Writers

Can Create news

Can Update News (only stories they have written)

News Editors

Can Create News

Can Update News (all news)

Can Publish News

Can Un-Publish News

News Admin

Has access to all actions

What we will need to do is create those operations first. This code can be placed anywhere in your app; I just run it from index.php, as once it's executed and created the roles you don't need it again.


$auth = Yii::app()->authManager;
$auth->createOperation('createNews', 'Creates news items');
$auth->createOperation('updateNews', 'Updates news items');
$auth->createOperation('publishNews', 'Publishes news items');
$auth->createOperation('unpublishNews', 'Un-publishes news items');
$auth->createOperation('deleteNews', 'Deletes news items');

OK, so now we have those operations; next we need to create our roles. These roles are like user groups, defining which group has access to which operation. We can do this like this:


// Create the role for admin
$role = $auth->createRole('NewsAdmin');

// Set what operations the role has access to
$role->addChild('createNews');
$role->addChild('updateNews');
$role->addChild('publishNews');
$role->addChild('unpublishNews');
$role->addChild('deleteNews');

For Editors:


$role = $auth->createRole('NewsEditor');
$role->addChild('createNews');
$role->addChild('updateNews');
$role->addChild('publishNews');
$role->addChild('unpublishNews');

The News Writer is going to be a little different. I said above that a writer should only be able to edit news they have written themselves; for this we will need to make a task, which sits in the middle between operations and roles and allows us to define some extra rules.


// First we want to set what rule we use. In this example, we only want the logged in user to have access to the update operation if the post we are editing has the same user id as the logged in user.
$rule = 'return Yii::app()->user->id == $params["post"]["authorId"];';

// Now we create the task, give it a name, a description and set the rule it will use.
$task = $auth->createTask('updateOwnNews', 'Update news only written by this user', $rule);

// Now we add the operation that this task will allow access to when the rule returns true
$task->addChild('updateNews');

// The writer role itself must exist before it can be assigned below: it can create news and update only its own
$role = $auth->createRole('NewsWriter');
$role->addChild('createNews');
$role->addChild('updateOwnNews');

Now we need to assign users to these roles we just created:


$auth->assign('NewsWriter', 4);
$auth->assign('NewsEditor', 3);
$auth->assign('NewsAdmin', 1);

Here the second argument is the user_id; this is whatever you use for uniquely identifying users. For me it is an id number, but you may do it by email or even by name.

Finally we can set up our actions; let's take a look at the update action we will have in our controller. I keep my actions separate from the controller itself, as I prefer to keep things separated as much as possible to keep things neat and tidy; it's the same method if your actions are contained in your controller.


// Update news action
class UpdateAction extends CAction {

	// run action
	public function run() {
		// Unconditional access: editors and admins hold the updateNews operation directly
		if(Yii::app()->user->checkAccess('updateNews')) {
			print("Can update news");
		}
		else {
			// Conditional access: the task's rule compares the logged in user with the post's author
			$params = array('post' => array("authorId" => 4));
			if(Yii::app()->user->checkAccess('updateOwnNews', $params)) {
				print("Can update own news only");
			}
			else {
				print("Cannot update news");
			}
		}
	}
}


In the code above we first check if the user has access by calling Yii::app()->user->checkAccess('updateNews'). Remember that only news editors and news admins have unconditional access to the update news operation. If the user is a news writer this will return false, as they don't have unconditional access. Then we check if the user has access to update this post if it is their own post. If not, then the user has no access to this operation.

Note that I'm not using a model here for the news as this is just an example; when using a model your rule will be slightly different, as will your action:



$rule = 'return Yii::app()->user->id == $params["post"]->authorId;';

$model = new News;
$params = array('post' => $model);
if(Yii::app()->user->checkAccess('updateOwnNews', $params)) {
	// the logged in user is the author of this news item
}


I have pretty much said what is in the documentation already but hopefully it has helped.

You may also want to take a look at the default roles in the documentation; these allow you to set roles for those users who are logged in and those who are not.


Hi, Chris

Thank you very much for such description. But there are no words about role inheritance.

  1. How can one save time and just inherit the admin role from NewsWriter, NewsEditor and NewsAdmin? Or just copy-paste the rules?

  2. And, I added your code in the entry script (index.php) and every time the system throws an exception about a duplicate entry in the table. Question - what is the best practice for defining RBAC init settings?


Thanks ok =)

I'm still learning this framework, and have only been spending today on rules for the application I'm developing. I'll try and answer anyway; maybe the Yii guys will be able to answer better though.

  1. I’m not exactly sure what you mean ???

  2. If you are getting duplicate exceptions when you run the code then that means you already have that data stored in the database. I'm not sure what the best practices are; in the end I won't be running the code like I am above, I'll be creating some actions that will allow me to create new roles, operations and tasks a lot more easily. I'll post my application on the forum when it's done for people to have a poke around.

Probably hasn’t helped very much :)


Still learning too :)

  1. I meant that, for example, people don't need to define common operations many times for all roles. We know that "admins" can do their specific administrative operations + all the operations that "moderators" and plain "users" can do. So we add something like this:



$adminRole->addChild('userRole');
$adminRole->addChild('moderatorRole');


Isn't that inheritance? Just confused))

  2. Thought so… I think the best way is to store these ACLs in a separate file (like ZF can do, for example)…
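Pulling Chris's setup steps together with the two follow-up questions (role inheritance, and the duplicate-entry exception when index.php re-runs the script), here is an added example that is not code from this thread or from Yii itself: a Yii 1.x console command that builds the same hierarchy idempotently, so it lives in its own file and can be re-run at any time. It assumes CDbAuthManager is configured as the authManager component in the console config and that the auth tables from the framework's schema file exist; the file name, the user ids and the authorId attribute on the News model are assumptions. One caveat a practitioner should keep in mind: a task's business rule is PHP source that the auth manager stores and later runs through eval(), so it must only ever come from code you control, never from a form field or a database column users can write to.

```php
<?php
// protected/commands/RbacCommand.php  (path and class name are assumptions)
// Run with:  ./yiic rbac          (idempotent, safe to repeat)
//            ./yiic rbac reset    (wipes the auth tables first; dev only)
class RbacCommand extends CConsoleCommand
{
    // Operations are the atomic permissions every checkAccess() call
    // eventually resolves to.
    private $operations = array(
        'createNews'    => 'Creates news items',
        'updateNews'    => 'Updates news items',
        'publishNews'   => 'Publishes news items',
        'unpublishNews' => 'Un-publishes news items',
        'deleteNews'    => 'Deletes news items',
    );

    public function run($args)
    {
        $auth = Yii::app()->authManager;

        if (isset($args[0]) && $args[0] === 'reset') {
            $auth->clearAll();   // drops all items, child links and assignments
        }

        foreach ($this->operations as $name => $description) {
            $this->ensureItem($auth, CAuthItem::TYPE_OPERATION, $name, $description);
        }

        // A task carrying a business rule. The rule is PHP source: the auth
        // manager stores it and runs it with eval() at check time, so it must
        // only ever be written here, in code, never assembled from user input.
        // $params comes from checkAccess('updateOwnNews', array('post' => $post)).
        $ownRule = 'return Yii::app()->user->id == $params["post"]->authorId;';
        $this->ensureItem($auth, CAuthItem::TYPE_TASK, 'updateOwnNews',
            'Update news written by the current user', $ownRule);
        $this->ensureChild($auth, 'updateOwnNews', 'updateNews');

        // Roles form a hierarchy, so each permission is declared once:
        // NewsAdmin > NewsEditor > NewsWriter.
        $this->ensureItem($auth, CAuthItem::TYPE_ROLE, 'NewsWriter', 'Writes news');
        $this->ensureChild($auth, 'NewsWriter', 'createNews');
        $this->ensureChild($auth, 'NewsWriter', 'updateOwnNews');

        $this->ensureItem($auth, CAuthItem::TYPE_ROLE, 'NewsEditor', 'Edits and publishes news');
        $this->ensureChild($auth, 'NewsEditor', 'NewsWriter');    // inherits the writer's items
        $this->ensureChild($auth, 'NewsEditor', 'updateNews');    // unconditional update
        $this->ensureChild($auth, 'NewsEditor', 'publishNews');
        $this->ensureChild($auth, 'NewsEditor', 'unpublishNews');

        $this->ensureItem($auth, CAuthItem::TYPE_ROLE, 'NewsAdmin', 'Administers news');
        $this->ensureChild($auth, 'NewsAdmin', 'NewsEditor');     // inherits the editor's items
        $this->ensureChild($auth, 'NewsAdmin', 'deleteNews');

        // Sample assignments; the user ids are constructed values.
        $this->ensureAssignment($auth, 'NewsWriter', 4);
        $this->ensureAssignment($auth, 'NewsEditor', 3);
        $this->ensureAssignment($auth, 'NewsAdmin', 1);

        $auth->save();   // no-op for CDbAuthManager, writes the file for CPhpAuthManager
        echo "RBAC hierarchy is in place.\n";
    }

    // Create an auth item only if no item of that name exists yet. This is
    // what turns the one-shot script into one that can be re-run without
    // the duplicate-entry exception.
    private function ensureItem($auth, $type, $name, $description, $bizRule = null)
    {
        if ($auth->getAuthItem($name) === null) {
            $auth->createAuthItem($name, $type, $description, $bizRule);
        }
    }

    private function ensureChild($auth, $parent, $child)
    {
        if (!$auth->hasItemChild($parent, $child)) {
            $auth->addItemChild($parent, $child);   // throws on unknown items and on cycles
        }
    }

    private function ensureAssignment($auth, $item, $userId)
    {
        if (!$auth->isAssigned($item, $userId)) {
            $auth->assign($item, $userId);
        }
    }
}
```

Because NewsAdmin contains NewsEditor, which in turn contains NewsWriter, checkAccess('createNews') is true for all three roles without repeating the child links, which is the inheritance asked about above. The reset argument is only appropriate on a development database, since clearAll() also deletes every user assignment.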

Thanks guys, and particularly Chris for the comprehensive explanation. I don't like one thing - the way access is checked. I spotted a "role" attribute in accessControl in the documentation, so I suppose it is possible to use this approach. I want to try not to use checkAccess. As I said, if it is possible to assign the group of the current user on login, then in controllers and particularly accessControl I'd just specify that the group of VIPs is able to do this and this and the group of users is able to do this and this. I'll summarize what I've read and what I understood from Chris's post and try to develop it the best way.

Will provide my feedback.


By the way, am I able to extend the users in roles?

return array(
	'actions'=>array('create', 'edit'),
);



I know that there are three predefined groups. If only I were able to define a fourth group and manage them…

I'd say that I find the checkAccess feature tough. Another approach is to develop the access level with sessions (states), but I also don't know how things will work with rules; it could be as heavy as having checkAccess in every controller :).

I've posted the script I used to set up RBAC here: http://www.yiiframew…pic,678.0.html. Maybe it's useful for you too. Pretty simple, so don't expect too much from it ;) .

I didn't find any information about how to get the user's role in a view.

How to do this?
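For the accessControl filter with 'roles' (the approach penkomitev would rather use than calling checkAccess everywhere) and for the last question about reading the user's roles in a view, here is a second added example, again not from the thread or from the framework. It assumes a News active record with id and authorId columns, the auth items and roles named in Chris's post, and that all three roles may reach the update action; the record-level decision is then made inside the action, because the updateOwnNews rule needs the post as a parameter and the filter has no way to supply it. The controller and file names are assumptions.

```php
<?php
// protected/controllers/NewsController.php (file name and class are assumptions)
class NewsController extends CController
{
    public function filters()
    {
        return array('accessControl');
    }

    // Coarse gate, evaluated before any action runs. Each name under 'roles'
    // is passed to Yii::app()->user->checkAccess(), so operations and tasks
    // work here as well as roles. Rules are matched top-down; the last one is
    // the default deny that keeps anything not listed closed.
    public function accessRules()
    {
        return array(
            array('allow',
                'actions' => array('index', 'view'),
                'users'   => array('*'),               // guests and logged-in users
            ),
            array('allow',
                'actions' => array('create'),
                'roles'   => array('createNews'),
            ),
            array('allow',
                // Writers reach 'update' too; whether they may edit *this*
                // post is decided in actionUpdate(), where the record is known.
                'actions' => array('update'),
                'roles'   => array('NewsWriter', 'NewsEditor', 'NewsAdmin'),
            ),
            // One rule per action, so holding only unpublishNews does not open publish.
            array('allow', 'actions' => array('publish'),   'roles' => array('publishNews')),
            array('allow', 'actions' => array('unpublish'), 'roles' => array('unpublishNews')),
            array('allow', 'actions' => array('delete'),    'roles' => array('deleteNews')),
            array('deny', 'users' => array('*')),
        );
    }

    public function actionUpdate($id)
    {
        $post = $this->loadNews($id);

        // Record-level check. Editors and admins hold 'updateNews' outright;
        // a writer passes only if the 'updateOwnNews' business rule accepts
        // this particular post, which is why it is handed over in $params.
        $params = array('post' => $post);
        if (!Yii::app()->user->checkAccess('updateNews')
            && !Yii::app()->user->checkAccess('updateOwnNews', $params)) {
            throw new CHttpException(403, 'You are not allowed to edit this news item.');
        }

        if (isset($_POST['News'])) {
            // Mass assignment only touches attributes declared safe in
            // News::rules(); keep authorId out of that list, or a writer could
            // hand the post to someone else (or claim someone else's).
            $post->attributes = $_POST['News'];
            if ($post->save()) {
                $this->redirect(array('view', 'id' => $post->id));
            }
        }
        $this->render('update', array('model' => $post));
    }

    // For views, e.g. to decide whether to render a "Publish" button:
    // $this->getUserRoles(). Only roles assigned directly to the user are
    // listed, not roles reached through inheritance; to test a capability,
    // Yii::app()->user->checkAccess('publishNews') is the better question.
    public function getUserRoles()
    {
        if (Yii::app()->user->isGuest) {
            return array();   // getRoles(null) would return every role in the system
        }
        $roles = Yii::app()->authManager->getRoles(Yii::app()->user->id);
        return array_keys($roles);   // getRoles() returns name => CAuthItem
    }

    private function loadNews($id)
    {
        $post = News::model()->findByPk((int) $id);
        if ($post === null) {
            throw new CHttpException(404, 'The requested news item does not exist.');
        }
        return $post;
    }
}
```

The split between the filter and the action is the point: accessRules() answers "may this kind of user be here at all", while the check inside actionUpdate() answers "may this user touch this record". Collapsing the second into the first is what leads to the missing-parameter problem, because the business rule dereferences $params["post"] and the filter runs before any record has been loaded.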