RBAC not expected behavior

I have created a simple tree hierarchy as you can see in the attached image for the Role Based Access Control.

2186

Screenshot at 2011-10-28 17:30:17.png

So let’s try an example:

There is a user who has the role of "administrator"

So if we check access for operations: "excel" and "administration" we get TRUE

Also we notice this user has a child role named "super_user".

So if we check access for operation: "calc_stats" then we also get TRUE

All good so far

Now since super_user has a child role named manager we would like to

get TRUE if we check access for operation: "read_island" or "update_island", etc.

BUT when we check access for "read_island" or "update_island", etc. we get an exception!

The BIZRULE of "island_manager" role is executed !!

Why?

Because inside protected method checkAccessRecursive the implementation goes from bottom to top

an SQL query select parent from AuthItemChild

WHERE child = ‘…’; is executed

So this implementation starting from read_island operation goes to "manager" role who has as its parent

and then the recursive execution continues to both parents, "super_user" AND!! "island_manager"

Is this what we really want?!

I think maybe an implementation starting from the role "administrator" and going downwards to find the "read_island" operation would be more suitable. Although I am a rookie in RBAC. Please tell me if I am missing something. Thank you!

You’re not missing anything. That’s how RBAC works. Since typically there are more operations than roles it’s much more optimal to start with operation and go to the role.

Thank you samdark

So I changed the bizrule from the snippet "return <some code>;"

to “return isset($params[‘index’]) && <some code>;”

It’s not the way I wanted it, because know it returns false even if I have forgotten to add the params!

Although the code remains dry and it works…