RBAC 1 role with different permissions

Hi, need help guys!

Let's say I have an admin and an author role. Now in the author role I want them to have different permissions.

To simplify it: if the author role by default has 10 permissions and the admin wants a certain “user1” with the author role to have only 5 permissions and “user2” with the author role to have 6 permissions, what approach should I take? :D :D

You know the checkbox thing to select multiple permissions for each user with the same role? That’s what I’m imagining doing in my app.

I would analyze the business needs of the app and restructure the RBAC hierarchy. I mean, I would have several kinds of "admin" roles like "admin", "xxx-manager", "yyy-manager", … etc.

Yii’s RBAC is so flexible that you could assign permissions directly to a user, bypassing roles. But in general it’s not a good idea to do that.

Note that it’s OK to assign multiple roles to a certain user.

Create more roles.

Yes, we can create as many roles as we want, I get your point guys! But what I mean is dynamically updating the permissions of certain roles without creating multiple roles, or with far fewer roles. That is, within certain roles he/she can select which permissions he can access, within the range of that role only. Also I think it's much more workload for the admin to create lots of roles and then assign them to those unique users.

Let me know if this is a good idea.

The author role will have permissions:

  • a_permission

  • b_permission

  • c_permission

  • d_permission

  • XXXX_permissions

The permissions listed above will be renamed like:

  • auth_a_permission

  • auth_b_permission

  • auth_c_permission

  • auth_d_permission

and the permissions that are renamed and become roles above will be the children of the author role. Is that kind of concept OK?

I mean, for the sake that I can dynamically assign the permissions (technically the renamed permissions that become roles) to unique users.

What I'm saying here guys is that the unique users, though they have the same roles, have different numbers of permissions dynamically. I mean the admin can limit the permissions of users anytime, and I'm talking about lots and lots of permissions, guys.

I’d not do it since it will be a mess. Since you can assign multiple roles to a user, I’d group alike permissions to separate roles and add/remove roles as needed.
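The grouping approach recommended in this thread (small roles made of alike permissions, several roles per user, no per-user permission assignments) as a Yii 2 console command. This is an added example, not code from the thread or from the Yii project; it assumes a Yii 2 application with the `authManager` component configured (DbManager or PhpManager), and the permission names, role names and user IDs 1 and 2 are constructed for the illustration.

```php
<?php
// Added example: builds an author hierarchy where per-user differences are
// expressed by assigning more or fewer roles, never by editing raw permissions.
// Assumes Yii::$app->authManager is configured; names below are constructed.

namespace app\commands;

use Yii;
use yii\console\Controller;
use yii\console\ExitCode;

class RbacController extends Controller
{
    /** Builds the static hierarchy once (run from a migration or `php yii rbac/init`). */
    public function actionInit(): int
    {
        $auth = Yii::$app->authManager;
        $auth->removeAll(); // wipes all items and assignments: development use only

        // Fine-grained permissions (constructed names for this example)
        $permissions = [];
        foreach (['createPost', 'updateOwnPost', 'publishPost', 'deletePost', 'manageComments'] as $name) {
            $p = $auth->createPermission($name);
            $auth->add($p);
            $permissions[$name] = $p;
        }

        // Group alike permissions into small roles instead of one big "author".
        $authorCore = $auth->createRole('author-core');
        $auth->add($authorCore);
        $auth->addChild($authorCore, $permissions['createPost']);
        $auth->addChild($authorCore, $permissions['updateOwnPost']);

        $authorPublisher = $auth->createRole('author-publisher');
        $auth->add($authorPublisher);
        $auth->addChild($authorPublisher, $permissions['publishPost']);
        $auth->addChild($authorPublisher, $permissions['deletePost']);

        $authorModerator = $auth->createRole('author-moderator');
        $auth->add($authorModerator);
        $auth->addChild($authorModerator, $permissions['manageComments']);

        // "admin" inherits every author role through role-to-role children.
        $admin = $auth->createRole('admin');
        $auth->add($admin);
        foreach ([$authorCore, $authorPublisher, $authorModerator] as $role) {
            $auth->addChild($admin, $role);
        }

        // Two "authors" with different effective permissions:
        // user 1 gets the core role only, user 2 gets core + publishing.
        $auth->assign($authorCore, 1);
        $auth->assign($authorCore, 2);
        $auth->assign($authorPublisher, 2);

        $this->stdout('user 1 can publishPost? ' . var_export($auth->checkAccess(1, 'publishPost'), true) . "\n");
        $this->stdout('user 2 can publishPost? ' . var_export($auth->checkAccess(2, 'publishPost'), true) . "\n");
        return ExitCode::OK;
    }

    /** What an admin checkbox UI does behind the scenes: toggle a pre-built role on. */
    public function actionGrant(int $userId, string $roleName): int
    {
        $auth = Yii::$app->authManager;
        $role = $auth->getRole($roleName);
        if ($role === null) {
            $this->stderr("Unknown role: $roleName\n");
            return ExitCode::DATAERR; // only existing roles may be toggled; the hierarchy stays static
        }
        if ($auth->getAssignment($roleName, $userId) === null) {
            $auth->assign($role, $userId);
        }
        return ExitCode::OK;
    }

    /** Counterpart of grant: remove one role from a user without touching any permission item. */
    public function actionRevoke(int $userId, string $roleName): int
    {
        $auth = Yii::$app->authManager;
        $role = $auth->getRole($roleName);
        if ($role === null) {
            $this->stderr("Unknown role: $roleName\n");
            return ExitCode::DATAERR;
        }
        $auth->revoke($role, $userId);
        return ExitCode::OK;
    }
}
```

Run `php yii rbac/init` once, then `php yii rbac/grant 1 author-publisher` or `php yii rbac/revoke 2 author-publisher` as the admin's checkboxes change. Web code keeps checking the leaf permission (`Yii::$app->user->can('publishPost')`), so controllers never need to know which role combination a user holds, and an audit of "who can publish" is a question about role assignments rather than a per-user permission table.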

I agree with @samdark.

You’d better distinguish 2 things:

1) We have to develop a solid and statically stable hierarchical structure of RBAC for our application. We’d better not change it “dynamically” in the production running phase.

2) We have to have a nice and easy UI to manage users’ role assignments.