Considering how to make the "RBAC Role" and "Biz Role" work together?

Sorry, this is the same topic as github.com/mdmsoft/yii2-admin/issues/215

The "RBAC Role" I mentioned refers to yii\rbac\Item::TYPE_ROLE.

The "Biz Role" refers to the role in the actual organization architecture, for example, a "Manager" of a department.

Generally there are some roles with the same NAME in different departments in a big organization.

The finance and sales departments each have their own “Manager”; it is related to the particular department.

Usually we may design the E-R as follows.

xxx_dept (id, name, …)

    1, finance
    2, sales

xxx_role (id, dept_id, name, begin_date, end_date, …)

    1, 1, manager, 2015-01-01, 2016-01-01
    2, 2, manager, 2015-01-01, 2016-01-01

So here comes the question…

In order to make the biz roles work with yii2 rbac mechanism, probably we may have two choices.

  1. create two auth items (roles), FinanceManager and SalesManager, then maintain a relationship between the rbac role and the biz role.

  2. create two auth items (roles), FinanceManager and SalesManager, and drop the biz role entity (redundant).

In my opinion, way 1 makes the world much more complicated, and way 2 means the extra properties of the real-world role are not supported, for example the begin_date and end_date mentioned above.

Is there a BEST PRACTICE? Any suggestion is appreciated. THANKS. :slight_smile:

I think you may consider using default roles.

http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#using-default-roles

Thanks for your suggestion, softark! :slight_smile:

Do you mean as following?

1, put all biz role names as a copy into the config file: 'defaultRoles' => ['all', 'biz', 'roles', …]

2, create one (or several) rule classes "XXXRule extends Rule" to check whether a user is assigned to the role (assigned by the biz side, not via rbac).

Yes, that is what I had in mind.

By doing so, you will not need to assign/revoke rbac roles to/from a particular user anymore. The changes in business roles will be reflected in rbac roles automatically.

But, well, I’m not really sure if it’s a good idea or not, particularly when you have to deal with a big, complicated business organization. Too many default roles can be a performance bottleneck? I don’t know.

Also, there might be a situation where the biz role and the rbac role don’t match exactly.

It would be safer to have 2 roles independently, and to provide some utility functionality for syncing them.
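One way to implement the default-roles-plus-Rule approach discussed in this thread, as an added example that is not from the thread or from Yii itself. It assumes a biz-side assignment table xxx_user_role (user_id, role_id) beside the xxx_dept and xxx_role tables above, and a naming convention where the RBAC role name is the department name followed by the capitalised biz role name (e.g. financeManager), so that the begin_date/end_date of the biz role are honoured without any rbac assign/revoke.

```php
<?php
// Added example, not from the thread or the Yii project. Assumes a biz-side
// assignment table xxx_user_role (user_id, role_id) beside the thread's
// xxx_dept and xxx_role tables, and RBAC role names such as "financeManager".
namespace app\rbac;
use yii\db\Query;
use yii\rbac\ManagerInterface;
use yii\rbac\Rule;

class BizRoleRule extends Rule
{
    public $name = 'bizRole';
    // Evaluated for every default role on each checkAccess(); true only while
    // the biz side holds a currently valid assignment for this user.
    public function execute($user, $item, $params)
    {
        // Guests ($user === null) never hold a biz role.
        // "financeManager" -> dept "finance", biz role "manager" (assumed convention).
        if ($user === null || !preg_match('/^([a-z]+)([A-Z][a-z]+)$/', $item->name, $m)) {
            return false;
        }
        $today = date('Y-m-d');
        // Parameterised query; the names come from the RBAC item, not from the request.
        return (new Query())
            ->from('xxx_user_role ur')
            ->innerJoin('xxx_role r', 'r.id = ur.role_id')
            ->innerJoin('xxx_dept d', 'd.id = r.dept_id')
            ->where(['ur.user_id' => $user, 'd.name' => $m[1], 'r.name' => strtolower($m[2])])
            ->andWhere(['<=', 'r.begin_date', $today])
            ->andWhere(['or', ['r.end_date' => null], ['>=', 'r.end_date', $today]])
            ->exists();
    }

    // One-time setup (e.g. in a console command): register the rule and create each
    // default role with it attached; list the same names under 'defaultRoles' in the config.
    public static function register(ManagerInterface $auth, array $roleNames)
    {
        if ($auth->getRule('bizRole') === null) {
            $auth->add(new self());
        }
        foreach ($roleNames as $name) {
            if ($auth->getRole($name) === null) {
                $role = $auth->createRole($name);
                $role->ruleName = 'bizRole';
                $auth->add($role);
            }
        }
    }
}
```

With 'defaultRoles' => ['financeManager', 'salesManager'] in the authManager config, Yii::$app->user->can('financeManager') is answered by the rule from the biz tables, so an expired or moved biz role loses access on the next check without touching the auth_assignment table.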