How much RBAC is enough?

Hi there,

We want to use RBAC in our project, following this link: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html

My question is: how much RBAC is enough? Are the things in that link enough, or are they only the basics of RBAC?

Thanks in advance.

That is a really strange question :)

If you don’t know, are you sure that you need RBAC?

If your permissions are basic and not role-based, then you can just use basic auth, otherwise use RBAC to define a set of roles with corresponding permissions and rules.
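To make the reply's "set of roles with corresponding permissions and rules" concrete, here is an added example (it is not code from the thread or from the Yii guide) that builds a small hierarchy with Yii 2's `authManager`. It assumes an `authManager` component is configured (`yii\rbac\DbManager` or `yii\rbac\PhpManager`), a `Post` model with a `created_by` column, and the user IDs used in the assignments are hypothetical.

```php
<?php
// Added example: a reader < author < admin hierarchy with one rule-bound
// permission. Assumes Yii::$app->authManager is configured; user IDs are
// hypothetical.
namespace app\rbac;

use Yii;
use yii\rbac\Rule;
use yii\web\ForbiddenHttpException;

/**
 * Rule: the current user is the author of the post passed in $params['post'].
 * $user is the ID of the user being checked, $params comes from can().
 */
class AuthorRule extends Rule
{
    public $name = 'isAuthor';

    public function execute($user, $item, $params)
    {
        return isset($params['post']) ? $params['post']->created_by == $user : false;
    }
}

/**
 * Builds the hierarchy. Run once (console command or migration), not per request.
 */
function buildRbac()
{
    $auth = Yii::$app->authManager;
    $auth->removeAll(); // clean slate; do not run this against a live database

    $viewPost = $auth->createPermission('viewPost');
    $viewPost->description = 'View a post';
    $auth->add($viewPost);

    $createPost = $auth->createPermission('createPost');
    $auth->add($createPost);

    $updatePost = $auth->createPermission('updatePost');
    $auth->add($updatePost);

    // updateOwnPost = updatePost, but only when AuthorRule passes
    $rule = new AuthorRule();
    $auth->add($rule);
    $updateOwnPost = $auth->createPermission('updateOwnPost');
    $updateOwnPost->ruleName = $rule->name;
    $auth->add($updateOwnPost);
    $auth->addChild($updateOwnPost, $updatePost);

    $reader = $auth->createRole('reader');
    $auth->add($reader);
    $auth->addChild($reader, $viewPost);

    $author = $auth->createRole('author');
    $auth->add($author);
    $auth->addChild($author, $createPost);
    $auth->addChild($author, $updateOwnPost);
    $auth->addChild($author, $reader);      // author inherits everything reader can do

    $admin = $auth->createRole('admin');
    $auth->add($admin);
    $auth->addChild($admin, $updatePost);   // admin may update any post, no rule
    $auth->addChild($admin, $author);

    // hypothetical user IDs
    $auth->assign($reader, 3);
    $auth->assign($author, 2);
    $auth->assign($admin, 1);
}

/**
 * Called from a controller action before editing. An author passes only for
 * their own post (via updateOwnPost -> isAuthor); an admin passes for any post.
 */
function assertCanUpdate($post)
{
    if (!Yii::$app->user->can('updatePost', ['post' => $post])) {
        throw new ForbiddenHttpException('You may not edit this post.');
    }
}
```

The check is always made against the leaf permission (`updatePost`), never against the role name, so changing who may update posts later is a data change in the hierarchy, not a code change.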

Yes, we need it; we have some groups of users.

Actually my question is: is there something stronger than RBAC? If there is, please give me some links etc. to check, or let me know.

Thank you.

All RBAC is, is access control based on roles.

It is not really security per se, but it provides a convenient interface to determine what users are allowed to do once they’re at your site.

You still need user management and identification, etc. and that’s a different topic.

Login/logout/session cookies, …

If you want something a bit stronger than normal, look into stronger password hashes, two-factor log-in, oauth2, generated tokens, etc.

Combine that with CSRF protection, HTTPS, x-auth, and other good practices.

I am not a security expert, though :)

As @jacmoe has suggested, you may say "strong" or "weak" for authentication. But when you talk about authorization, you should say "simple" or "complicated" instead.

So, what do you want your application to have for its authorization feature? Is it simple and fixed, or complicated and dynamic? Do you need it to be configurable via a web UI?

If your application doesn’t need complex and dynamic authorization, then you should stick to the Access Control Filter, because it will save you a lot of time compared to RBAC. There’s nothing wrong with using a simple approach.
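As an added example of the "simple and fixed" option the reply recommends (this is not code from the thread), here is a Yii 2 controller protected by the Access Control Filter alone, with no `authManager` involved. `PostController`, its actions and the `Post` model with a `created_by` column are assumptions.

```php
<?php
// Added example: Access Control Filter without RBAC. PostController, its
// actions and the Post model are hypothetical.
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\filters\AccessControl;
use app\models\Post;

class PostController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'only' => ['index', 'view', 'create', 'update', 'delete'],
                'rules' => [
                    [
                        // no 'roles' key: matches everyone, guests included
                        'allow' => true,
                        'actions' => ['index', 'view'],
                    ],
                    [
                        // '@' = any authenticated user
                        'allow' => true,
                        'actions' => ['create'],
                        'roles' => ['@'],
                    ],
                    [
                        // update/delete only by the post's author. The callback
                        // does a DB lookup, so it sits behind the cheaper rules.
                        'allow' => true,
                        'actions' => ['update', 'delete'],
                        'roles' => ['@'],
                        'matchCallback' => function ($rule, $action) {
                            $post = Post::findOne(Yii::$app->request->get('id'));
                            return $post !== null
                                && $post->created_by == Yii::$app->user->id;
                        },
                    ],
                    // Anything not matched above is denied: guests are sent to
                    // the login page, logged-in users get a 403.
                ],
            ],
        ];
    }

    public function actionUpdate($id)
    {
        // By the time we get here the filter has already confirmed ownership,
        // but loading by the same id keeps the action consistent with the rule.
        $post = Post::findOne($id);
        if ($post === null) {
            throw new \yii\web\NotFoundHttpException();
        }
        // ... load POST data, validate, save ...
        return $this->render('update', ['post' => $post]);
    }
}
```

One caveat worth knowing: the `only` list means actions you add later and forget to list are not covered by the filter at all, so it is safer to omit `only` and let the final deny-all catch everything.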

Maybe something like this:

It’s more complex than ‘vanilla’ access control, but simpler than full-on RBAC.

It just depends…

If you have a lot of different roles and rules, then you will reach a point where RBAC actually ends up being simpler. :)
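The link the reply refers to is not preserved here, so the following is an added example of one way to sit between the plain filter and full RBAC, not the approach from the linked post: a single `role` column on the user table and a custom `AccessRule` that compares it to the `roles` listed in each filter rule. No auth tables, no hierarchy, no `authManager`. The `role` column, `UserAdminController` and its actions are assumptions.

```php
<?php
// Added example: role names stored in a `role` column on the user identity,
// matched by a custom AccessRule. The column and controller are hypothetical.
namespace app\filters;

use yii\filters\AccessRule;

/**
 * Like the stock AccessRule, but a role name that is neither '?' nor '@' is
 * compared to $user->identity->role instead of being asked of authManager.
 */
class ColumnRoleAccessRule extends AccessRule
{
    protected function matchRole($user)
    {
        if (empty($this->roles)) {
            return true; // no role constraint on this rule
        }
        foreach ($this->roles as $role) {
            if ($role === '?') {
                if ($user->getIsGuest()) {
                    return true;
                }
            } elseif ($role === '@') {
                if (!$user->getIsGuest()) {
                    return true;
                }
            } elseif (!$user->getIsGuest() && $user->identity->role === $role) {
                return true; // strict comparison: 'admin' must match exactly
            }
        }
        return false;
    }
}
```

Using it in a controller only requires pointing the filter's `ruleConfig` at the class; the rest of the configuration is the same as plain ACF (added example, same assumptions):

```php
<?php
namespace app\controllers;

use yii\web\Controller;
use yii\filters\AccessControl;
use app\filters\ColumnRoleAccessRule;

class UserAdminController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'ruleConfig' => ['class' => ColumnRoleAccessRule::class],
                'rules' => [
                    ['allow' => true, 'actions' => ['index'],  'roles' => ['admin', 'moderator']],
                    ['allow' => true, 'actions' => ['delete'], 'roles' => ['admin']],
                    // everything else denied
                ],
            ],
        ];
    }
}
```

The trade-off is exactly the one the thread describes: one role per user and a fixed set of names is trivial to reason about, but as soon as a user needs two roles, or a role needs to inherit another, you are rebuilding what `yii\rbac` already does.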

There are some roles related to rules, and I want to change a user’s role in a web UI.

I think simple RBAC is enough.

Thanks, both.
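Since the poster wants to change a user's role from a web UI, here is an added example (not from the thread) of a Yii 2 controller action that does that with `authManager`. It assumes roles named `reader`, `author` and `admin` already exist, an `admin` role protects the action, and a `User` model; all of those names are assumptions.

```php
<?php
// Added example: reassigning a user's RBAC role from a form POST. Role names,
// the User model and the admin protection are assumptions.
namespace app\controllers;

use Yii;
use yii\web\Controller;
use yii\web\BadRequestHttpException;
use yii\web\NotFoundHttpException;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use app\models\User;

class UserRoleController extends Controller
{
    // Roles an admin is allowed to hand out from this screen. The POSTed value
    // is checked against this list, never passed to assign() as-is.
    const ASSIGNABLE = ['reader', 'author', 'admin'];

    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    ['allow' => true, 'roles' => ['admin']], // RBAC role, via authManager
                ],
            ],
            'verbs' => [
                'class' => VerbFilter::class,
                'actions' => ['set-role' => ['POST']], // state change: POST only (CSRF token enforced by default)
            ],
        ];
    }

    public function actionSetRole($id)
    {
        $user = User::findOne($id);
        if ($user === null) {
            throw new NotFoundHttpException('No such user.');
        }

        $roleName = Yii::$app->request->post('role');
        if (!in_array($roleName, self::ASSIGNABLE, true)) {
            throw new BadRequestHttpException('Unknown role.');
        }

        // Refuse to let an admin demote themself; otherwise the last admin
        // can lock everyone out of this screen.
        if ($user->id == Yii::$app->user->id && $roleName !== 'admin') {
            throw new BadRequestHttpException('You cannot remove your own admin role.');
        }

        $auth = Yii::$app->authManager;
        $role = $auth->getRole($roleName);
        if ($role === null) {
            throw new BadRequestHttpException('Role is not defined.');
        }

        // One role per user in this UI: drop whatever they had, then assign.
        $auth->revokeAll($user->id);
        $auth->assign($role, $user->id);

        Yii::$app->session->setFlash('success', "Role of {$user->username} set to {$roleName}.");
        return $this->redirect(['index']);
    }
}
```

`revokeAll()` also removes any permissions assigned directly to the user, so if the application hands out individual permissions as well as roles, replace it with `revoke()` of the previous role only.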

@jacmoe: Thanks for the link to my blog :) That was the exact thought process when I needed RBAC in an application. Not vanilla and not full-blown RBAC. Fortunately Yii favors those who learn it ;)

@desatir7316: It is very very easy to complicate the Access Control layer of an application. The best is always to keep it as simple as needed. Yii’s implementation of RBAC hits the sweet spot between “too little” and “too much” and allows you, the developer, to create your own workflows for access control and extend the provided classes to your needs.