RBAC: Check Authorizations On Groups Instead Of Users


I have a question about the RBAC system. I think I've understood it pretty well, but I need more information about a special case.

I would like to do the authorizations on groups instead of users. I mean, for instance, the group "HR" has permission to create a person. Then any person who joins this group would have it as well.

Let me give you more information.

A part of my database:

And this is a part of what my group hierarchy could be:

So what I'm looking for (this would be a must) is a system where each group has some authorizations. People get the authorizations of their group and of their parent groups (for instance, people in "Forsys" have the authorizations of "Forsys", "R&D" and "Administration").

The solution I see at the moment is using a bizrule. But I'm not sure writing PHP code in the database is a good idea, and then if I update the group hierarchy (R&D inherits from RH instead of Administration) I would have to modify the bizrule in the database. I tried it and it works well, but as you can see it requires a lot of code.

// bizrule body: load the current user together with the "people" and "people.groups" relations
$user = User::model()->with("people", "people.groups")->findByPk(Yii::app()->user->id);

// grant access only if the user's person record is a direct member of group 2
foreach ($user->people[0]->groups as $group)
    if ($group->id == 2)
        return true;

return false;

It's just to see if a user is in a group (without checking parent groups and the hierarchy).

Another possibility could be to create a new table "group_auth" where we would say, for instance:

- Group_2 has role "managePerson"

- Group_3 has operation "deleteUser"

And then every time a user is added to or removed from a group, we would update his authorizations in the auth_assignment table.

I'd like to hear other opinions on this subject. All comments will be appreciated :)

Thank you for reading, and sorry for my English if you had difficulties understanding me.

Michaël S.
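As an added example (not the original poster's code, and not using the Yii API), here is how the "group_auth" idea from the post could resolve a person's effective authorizations by walking the group hierarchy, so that reparenting a group (R&D under RH instead of Administration) needs no bizrule edits. The tables are modelled as dicts; group ids, names, members and auth items are constructed sample data.

```python
# Constructed sample data standing in for the "groups" table (id -> parent id).
GROUPS = {
    1: {"name": "Administration", "parent": None},
    2: {"name": "HR", "parent": 1},
    3: {"name": "R&D", "parent": 1},
    4: {"name": "Forsys", "parent": 3},
}

# Constructed "group_auth" table: auth items (roles/operations) each group holds.
GROUP_AUTH = {
    1: {"viewPerson"},
    2: {"managePerson"},
    3: {"deleteUser"},
    4: {"createProject"},
}

# Constructed direct memberships (the "people.groups" relation in the post).
PERSON_GROUPS = {
    "alice": {4},      # Forsys
    "bob": {2},        # HR
    "carol": set(),    # member of no group
}


def ancestors(group_id, groups=GROUPS):
    """The group itself followed by every parent up the chain.
    A cycle in the hierarchy would loop forever, so stop at a repeat."""
    seen = []
    current = group_id
    while current is not None and current not in seen:
        seen.append(current)
        current = groups[current]["parent"]
    return seen


def effective_auth(person, person_groups=PERSON_GROUPS,
                   group_auth=GROUP_AUTH, groups=GROUPS):
    """Union of the auth items of each group the person belongs to and of
    all parent groups. Unknown people get nothing (deny by default)."""
    items = set()
    for gid in person_groups.get(person, ()):
        for ancestor in ancestors(gid, groups):
            items |= group_auth.get(ancestor, set())
    return items


def check_access(person, item, **tables):
    """Equivalent of checkAccess(): is the item among the effective ones?"""
    return item in effective_auth(person, **tables)
```

Because the hierarchy is read at check time, moving R&D under HR only changes one parent id and the next lookup already includes HR's items.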

I would also be interested if there are other approaches than the one suggested above.