RBAC help needed

Hi I’m creating a simple CMS, that some day will be more complex I hope, and I am struggling to understand RBAC on Yii2.

I read the documentation and the guide but I need some more examples of the implementation of RBAC (with database) so that I can understand how it works. Do you guys know any good tutorial or code examples so that I can try to follow?

and one more thing using the code on the examples,

        // add "createPost" permission
        $createPost = $auth->createPermission('createPost');
        $createPost->description = 'Create a post';


can the name of the permission be anything or it must be the action name?

Note that I am using the basic template, I hope that is not a bad idea. Also, I’m fairly new to Yii2 and to frameworks in general.

thanks in advance :)

The name of an RBAC permission can be anything.

Once you have created the permissions and assigned them to Roles and assigned one or more Roles to Users, you can use the names of those Roles in the behaviors function that returns the ['access']['rules']['roles'] array. (See yii\filters\AccessControl.)

or you can call this boolean method to check if the user has a permission:

    \Yii::$app->user->can('name of a permission');

How far have you gotten in the process? Is the authmanager prepared? Do you have roles assigned? Are the rules assigned but not working? Please elaborate.

I also have this problem. Any detailed example would help us :)

Best Regards

I have the auth manager prepared, the database has the 4 tables required, I didn’t create roles because I don’t know where to do it…

I need to see the file structure to understand where to add what…

I mean, here we can see that there is a new class that extends rules but do we store it?

One more thing: these are not static, right? I can change the roles of the users in the database, right?

As I said if there was a simple example for me to follow that would be great, sometimes that is all that I need :P

The name of a permission can be anything. But to keep it simple, many use a variation of the URL.

Some like app.moduleid.controllerid.actionid, others /moduleid/controllerid/actionid, and some createPost, deletePost et al.

It's all your choice, but make it useful and easy to understand!

Ok, if everything is set up (including the config) you just have to create the roles and assign them. When you create roles and assign them the information is stored in the database tables you set up for role management so you only need to do it once.

Create a role:

        $rolename = "myrole";
        $auth = Yii::$app->authManager;
        $role = $auth->createRole($rolename);
        // add() stores the role in the RBAC tables and returns true on success
        if ($auth->add($role)) {
            echo "Role \"{$role->name}\" created\n";
        } else {
            echo "ROLE CREATION FAILED\n";
        }

Assign the role to a user:

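        $role = "myrole";
        // findOne() returns a single model; find() only builds a query
        $user = User::findOne(['email' => $email]); //or however you get your users
        $auth = Yii::$app->authManager;
        $role = $auth->getRole($role);
        // both lookups return null when nothing matches
        if ($user !== null && $role !== null) {
            $auth->assign($role, $user->id);
        }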

There are tons of other things you can do in this manner: revoke roles, get roles for a specific user, etc. See here: http://www.yiiframework.com/doc-2.0/yii-rbac-managerinterface.html

I put together a console app to do this so I just use it anytime I need to manage the roles in my app. Hope this helps.

So this is put in the console app that you run just once right?

because that is my main doubt: WHERE do I declare the roles and where to assign the users…

I will also learn how to run the console apps :)

EDIT: the console thing seems simple, now back to rbac :P

Well, now that you are getting console apps, you see that you would have different actions in it like a controller, so according to our example two actions you might have are:

    public function actionCreaterole($rolename)
    {
        $auth = Yii::$app->authManager;
        $role = $auth->createRole($rolename);
        if ($auth->add($role)) {
            echo "Role \"{$role->name}\" created\n";
        } else {
            echo "ROLE CREATION FAILED\n";
        }
    }

    public function actionAssignrole($username, $role)
    {
        $user = $this->getUser($username);
        $auth = Yii::$app->authManager;
        $role = $auth->getRole($role);
        $auth->assign($role, $user->id);
    }


Ok, I made the script and it is creating everything as it should… didn’t test the rules yet…

One quick thing:

What are the default roles (in the config files) for? Are they assigned automatically to the visitors of the page, or do I have to declare all roles there?

I will have some trouble with the rules, but I probably will try to figure it out myself… If I need any more help related to RBAC I’ll come here again…

So, for now, THANK YOU very much :D

EDITED - added the ‘One quick thing’ thing

About default roles, it sounds like perhaps you should not worry about default roles since you are just starting out. In its simplest form, default roles are just roles that are automatically assigned to all users. You would do this instead of having to go in and assign a role to each user after they create their account. You would only have to do this if users typically need a very basic role to do anything on your site. For more info: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#using-default-roles

so I can delete that line?

I’m sorry, I don’t follow, what are you asking?

        'authManager' => [
            'class' => 'yii\rbac\DbManager',
            'defaultRoles' => ['guest'], // [this line]
        ],


I copied from a tutorial from somewhere on the web… (probably stackoverflow)

I also have seen in the documentation, in the doc examples there is no defaultRoles, so I guess that it is safe to delete it :)

Yes, you don’t need that if you’re not using default roles at this time.

I said that I would have trouble with the rules; since they are classes, where do I store them?

in /rootfolder/vendor/yiisoft/yii2/rbac/ ? or in the controllers? or in other place? :P

or I just need to add them in the controllers?

You make the roles to control access to controller actions so they would go in your controllers.

Let’s say you have a controller where you only want users with the admin role to be able to delete:

    // requires: use yii\filters\AccessControl;
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::className(),
                'only' => ['view', 'edit', 'delete'],
                'rules' => [
                    [
                        'allow' => true,
                        'actions' => ['view'],
                        'roles' => ['?'], // anonymous can access view action
                    ],
                    [
                        'allow' => true,
                        'actions' => ['edit'],
                        'roles' => ['@'], // logged in user can access edit action
                    ],
                    [
                        'allow' => true,
                        'actions' => ['delete'],
                        'roles' => ['admin'], // admin can access delete action
                    ],
                ],
            ],
        ];
    }

To understand this completely, I think the Access Control section of the guide is a MUST READ: http://www.yiiframework.com/doc-2.0/guide-security-authorization.html#access-control-filter

It’s totally spelled out there.

I had just arrived at this conclusion… :)

came here to ask if with this, I can define that a user can, for example, edit an article if he is the owner of that article.

a simple if else will do the trick in this case?

In this case I would assume that the user id would be stored with the article record, and you would compare the user’s id with the user id stored with the article record to determine ownership. You would not need any roles for that.
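The ownership comparison described above can also be written as an RBAC rule class, which shows where such a class lives in the basic template and how a controller action enforces it per record. This is an added example, not code from the thread or from Yii itself; the `app\rbac` folder, the `Article` model with its `user_id` column, and the `isOwner` / `editOwnArticle` names are assumptions.

```php
<?php
namespace app\rbac {                       // own file: rbac/OwnerRule.php (assumed)
    class OwnerRule extends \yii\rbac\Rule
    {
        public $name = 'isOwner';
        public function execute($user, $item, $params) // $user is the user id
        {
            return isset($params['article'])
                && (string) $params['article']->user_id === (string) $user;
        }
    }
}

namespace app\commands {                   // own file: commands/RbacController.php
    class RbacController extends \yii\console\Controller
    {
        public function actionOwnerRule($rolename)
        {
            $auth = \Yii::$app->authManager;
            if (($role = $auth->getRole($rolename)) === null) {
                throw new \yii\console\Exception("Unknown role: $rolename");
            }
            $rule = new \app\rbac\OwnerRule();
            $auth->add($rule);
            $perm = $auth->createPermission('editOwnArticle'); // hypothetical name
            $perm->ruleName = $rule->name;
            $auth->add($perm);
            $auth->addChild($role, $perm);
        }
    }
}

namespace app\controllers {                // own file: controllers/ArticleController.php
    class ArticleController extends \yii\web\Controller
    {
        public function actionEdit($id)
        {
            $article = \app\models\Article::findOne($id); // hypothetical model
            if ($article === null) {
                throw new \yii\web\NotFoundHttpException('Article not found.');
            }
            // Checked per record on the server, so a changed id in the URL is refused.
            if (!\Yii::$app->user->can('editOwnArticle', ['article' => $article])) {
                throw new \yii\web\ForbiddenHttpException('Not your article.');
            }
            return $this->render('edit', ['model' => $article]);
        }
    }
}
```

Run the console action once with `php yii rbac/owner-rule <existing role name>`; after that, `can()` passes only for users who hold that role and own the article being edited.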

you are right on that :)

again, thank you for everything :)