I have a question about the rbac system. I think I’ve pretty well understood it but I need more informations about a special case.
I would like to do the autorisations on groups instead of users. I mean for instance the group "HR" has permission to create a person. Then any person who join this group would have it as well.
Let me give you more informations.
A part of my database:
And this a part of what my group hierarchy could be:
So what I’m looking for, this would be a must, is a system where each group has some autorizations. People get the autorizations of their group and of their parents group (for instance people in “Forsys” has the autorizations of “Forsys”, “R&D” and “Administration”).
The solution I see at the moment is using bizrule. But I’m not sure write php code in database is a good idea and then if I update the group hierarchy (R&D inherits of RH instead of Administration) I would have to modify bizrule in database. I tried it and it works well but as you can see it requires a lot of code.
$user = User::model()->with("people","people.groups")->findByPk(Yii::app()->user->id); foreach($user->people->groups as $group) if($group->id == 2) return true; return false;
It’s just for see if a user is in a group (without checking parent groups and hierarchy)
Another possibility could be create a new table "group_auth" where we would say for instance:
- Group_2 has role "managePerson"
- Group_3 has operation "deleteUser"
And then everytime a user is added in or removed of a group we would update his autorizations in the auth_assigment table.
I’d like to hear other opinions on this subject. All comments will be appreciated
Thank you for reading and sorry for my English if you had difficulties to understand me.