RBAC AuthAssignment bizrule

What is the reason to have a bizrule in the AuthAssignment information when talking about RBAC (looking at the database table)?

I understand the usage of business rules when it comes to the authorization item itself (AuthItem) so don’t blend it with my question about authorization assignments.

bump

One example would be a situation where you have two users A and B, and both can edit all entries of some class but you want to prevent B from editing A’s entries because A is more special. It’s pretty situational and can probably usually be solved in a more manageable way by adding another AuthItem or two.

There are some restrictions that can't be checked via the database, and they must be checked at the application level.

For example, in our app, if we wanted 'users' to edit 'posts', then we would grant the user a role that has the permission to do that. But what if we wanted every user to be able to edit only his own posts? Then this restriction must be written as a string into the bizrule and be evaluated when checkAccess is called.

Read carefully the section about Authentication and Authorization in the Yii docs.

There, it is fully explained that the bizrule is executed in the checkAccess function, so the variable called $param that is used in the bizrule string is an input array that is sent to the checkAccess function.
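
An added example, not written by anyone in this thread and not Yii's own code: a stand-alone PHP model of the two rule levels discussed above, with an item-level rule (edit only your own posts) and an assignment-level rule (user B may not edit user A's posts). Closures stand in for the stored rule strings, all user names, item names and posts are constructed, and item hierarchy is left out.

```php
<?php
// Simplified model of the check: the item rule and the assignment rule
// are evaluated separately, and both must pass for access to be granted.

// AuthItem level: the rule is part of the permission, so it binds every holder.
$items = [
    'updatePost'    => ['bizRule' => null],
    'updateOwnPost' => ['bizRule' => function (array $params, $data) {
        return $params['post']['authorId'] === $params['userId'];
    }],
];

// AuthAssignment level: rule and data belong to one (user, item) pair.
$assignments = [
    'userA' => ['updatePost' => ['bizRule' => null, 'data' => null]],
    'userB' => ['updatePost' => [
        'bizRule' => function (array $params, $data) {
            return !in_array($params['post']['authorId'], $data['protected'], true);
        },
        'data' => ['protected' => ['userA']],
    ]],
    'userC' => ['updateOwnPost' => ['bizRule' => null, 'data' => null]],
];

function ruleAllows($rule, array $params, $data): bool
{
    return $rule === null || (bool) $rule($params, $data);
}

function checkAccess(array $items, array $assignments, string $item, string $userId, array $params): bool
{
    if (!isset($items[$item], $assignments[$userId][$item])) {
        return false; // unknown item or not assigned to this user: deny
    }
    $params += ['userId' => $userId];
    $assignment = $assignments[$userId][$item];
    return ruleAllows($items[$item]['bizRule'], $params, null)
        && ruleAllows($assignment['bizRule'], $params, $assignment['data']);
}

// Constructed sample posts.
$posts = ['byA' => ['authorId' => 'userA'], 'byC' => ['authorId' => 'userC']];
foreach ([['userA', 'updatePost'], ['userB', 'updatePost'], ['userC', 'updateOwnPost']] as [$user, $item]) {
    foreach ($posts as $label => $post) {
        $ok = checkAccess($items, $assignments, $item, $user, ['post' => $post]);
        printf("%s %s on post %s: %s\n", $user, $item, $label, $ok ? 'allow' : 'deny');
    }
}
```

Because the real rules are stored as PHP strings and evaluated at check time, write access to the RBAC tables should be limited to trusted code.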