On the realization of project authority control?

Regarding the configuration of access control, I know that there are many access control methods for Yii2, but I don’t know which one is better. For a project, should I put these access controls in config/main.php for global configuration, or should I implement a parentController, implement the control in that controller, and base the other controllers on it?

By config:

    // config/main.php (needs: use yii\web\Response;)
    'bootstrap' => [
        [
            'class' => 'Forwzb\Yii2Api\api\ApiPresetBootstrap',
            'contentNegotiator' => [
                'formats' => [
                    'application/json' => Response::FORMAT_JSON,
                    // 'application/xml' => Response::FORMAT_XML,
                    'text/html' => Response::FORMAT_HTML,
                ],
            ],
            'basicAuth' => [
                'header' => 'X-Api-Key',
                'optional' => [
                ],
            ],
            'initBootstrap' => function ($app) {
                // other behaviors code
            },
        ],
    ],

I implemented a general permission encapsulation class myself, then put it in bootstrap and configured permission control there.

The other way is:

    // In the parent controller (needs: use yii\filters\ContentNegotiator; use yii\web\Response;)
    public function behaviors()
    {
        $parents = parent::behaviors();
        $parents['contentNegotiator'] = [
            'class' => ContentNegotiator::className(),
            'formats' => [
                'application/json' => Response::FORMAT_JSON,
                // 'application/xml' => Response::FORMAT_XML,
            ],
        ];

        if ($this->corsFilter) {
            $parents[$this->corsFilter] = [
                'class' => \yii\filters\Cors::class,
            ];
        }
        if ($this->authenticator) {
            $parents[$this->authenticator] = [
                'class' => \yii\filters\auth\HttpBearerAuth::class,
                'optional' => array_merge(['options'], $this->optional),
                'header' => 'api-authorization',
            ];
        }
        return $parents;
    }

I don’t know which is the general way. The first global control may not be suitable for fine-grained control, and the second control needs to modify the code of ParentController every time, which is not conducive to the concept of “configuration permission”.

Which one should I choose?

That depends very much on the application and if it’s a global auth or not.
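
As an added illustration (not code from this thread): a filter attached in the application config can still be scoped per route, because `yii\base\ActionFilter` supports `except` and `yii\filters\auth\AuthMethod` supports `optional`, both matched against `controller/action` with wildcards. The route names and the `identityClass` below are hypothetical.

```php
<?php
// config/main.php: added example, not the poster's configuration.
// Authentication is required for every route unless listed here, so a new
// controller is protected by default and exceptions are changed in config only.

use yii\filters\auth\HttpBearerAuth;

return [
    'id' => 'api',
    'basePath' => dirname(__DIR__),

    'components' => [
        'user' => [
            'identityClass' => 'app\models\User', // hypothetical identity class
            'enableSession' => false,             // stateless API: no session login
        ],
    ],

    // "as <name>" attaches a behavior to the application itself. For a filter
    // owned by the application, action IDs are full routes (controller/action).
    'as authenticator' => [
        'class' => HttpBearerAuth::class,
        'header' => 'api-authorization', // header name used in the question

        // Filter is skipped entirely: no credentials are read for these routes.
        'except' => [
            'health/*',    // hypothetical public controller
            'auth/login',  // hypothetical token-issuing action
        ],

        // Filter still runs, but missing or invalid credentials do not produce
        // a 401; the action sees a guest user and must decide what to expose.
        'optional' => [
            '*/options',   // CORS preflight, as in the question's array_merge(['options'], ...)
            'post/index',  // hypothetical read-only actions
            'post/view',
        ],
    ],
];
```

A controller that needs a different scheme can still declare its own `authenticator` in `behaviors()`; its route then has to appear under `except` here, otherwise both filters run.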