RBAC & Data Permissions

Is there a suggested way to protect data using RBAC?

For example, I want Managers and Customers to have the same permission, let’s call it “ViewOrder”. Now I want a group of customers to view that order but not other orders.

How do I set up a rule to handle that case?

What if I want to add more people to that group of customers?

What if I want some users to view ALL orders?

Do I need to create my own tables to handle this or can RBAC help somehow?

Is there a suggested way to do this?

In the issue I was wrong about concrete order permissions and group. It could be done like the following:

  1. Define hierarchy:

```
Everyone -- role
  ViewOrder -- permission
    CheckOrder -- rule
Manager extends Everyone -- role
Customer extends Everyone -- role
Admin -- role
  ViewAllOrders -- permission
```

  2. Create CheckOrder rule class:

```php
use Yii;
use yii\rbac\Rule;

class CheckOrder extends Rule
{
    public $name = 'checkOrder';

    public function execute($user, $item, $params)
    {
        // $user is the ID of the user being checked; collect that user's role names.
        $roles = Yii::$app->authManager->getRolesByUser($user);
        $roleNames = [];
        foreach ($roles as $role) {
            $roleNames[] = $role->name;
        }
        // Deny when no order ID was passed; otherwise allow only if one of the roles is granted this order.
        return isset($params['orderId']) && OrderPermission::find()->where(['order_id' => $params['orderId'], 'role' => $roleNames])->exists();
    }
}
```

  3. Create an OrderPermission AR model and an order_permission table that contains order_id and role columns and holds permissions for a certain role to edit the specified order.

  4. In order to assign more users to a certain group, use the RBAC API.

  5. If you want someone to be able to work with all orders, assign him an admin role.
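
The steps above wired together as a Yii2 console controller, as an added example that is not part of the original answer: it builds the hierarchy, records an order grant for a role, and checks a user's access. The `app\commands`, `app\rbac` and `app\models` namespaces, the action names, and checking `ViewAllOrders` before `ViewOrder` are assumptions.

```php
<?php
namespace app\commands;

use Yii;
use yii\console\Controller;
use app\models\OrderPermission; // AR model from step 3 (namespace assumed)
use app\rbac\CheckOrder;        // rule class from step 2 (namespace assumed)

class RbacController extends Controller
{
    // php yii rbac/init  (run once against an empty RBAC store)
    public function actionInit()
    {
        $auth = Yii::$app->authManager;
        $rule = new CheckOrder();
        $auth->add($rule);
        // ViewOrder is granted only when CheckOrder::execute() returns true.
        $viewOrder = $auth->createPermission('ViewOrder');
        $viewOrder->ruleName = $rule->name;
        $auth->add($viewOrder);
        $viewAllOrders = $auth->createPermission('ViewAllOrders');
        $auth->add($viewAllOrders);
        foreach (['Everyone', 'Manager', 'Customer', 'Admin'] as $name) {
            $roles[$name] = $auth->createRole($name);
            $auth->add($roles[$name]);
        }
        $auth->addChild($roles['Everyone'], $viewOrder);
        $auth->addChild($roles['Manager'], $roles['Everyone']);  // "extends Everyone"
        $auth->addChild($roles['Customer'], $roles['Everyone']);
        $auth->addChild($roles['Admin'], $viewAllOrders);
    }

    // php yii rbac/grant <orderId> <roleName>
    // CheckOrder matches the roles getRolesByUser() returns, so pass a role the users hold.
    public function actionGrant($orderId, $roleName)
    {
        $row = new OrderPermission(['order_id' => $orderId, 'role' => $roleName]);
        return $row->save() ? 0 : 1;
    }

    // php yii rbac/check <userId> <orderId>  (prints "allow" or "deny")
    public function actionCheck($userId, $orderId)
    {
        $auth = Yii::$app->authManager;
        $ok = $auth->checkAccess($userId, 'ViewAllOrders')
            || $auth->checkAccess($userId, 'ViewOrder', ['orderId' => $orderId]);
        $this->stdout(($ok ? 'allow' : 'deny') . PHP_EOL);
        return $ok ? 0 : 1;
    }
}
```

In a web controller the same two checks go through `Yii::$app->user->can()`, with the order ID passed as the `orderId` parameter so the rule can fail closed when it is missing.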

That was very helpful, thank you so much! :)