RBAC Role names/IDs

In fact, a very short question…

Is this possible?




$role = $auth->createRole('a name with spaces');



Thank you!

I am sure that the test of this would be even shorter than your question. <_<

Ok,

Maybe my question was too short. I want to add some information.

I’m currently working on a very large application. Many, many users will register on this website. I want an efficient working RBAC solution.

One that supports multilingual role, task and operation names and descriptions. My concern is about the ‘PRIMARY KEY’ inside the auth items table. It’s going to be a mess after adding 50+ different types of roles. Running out of unique ‘names’. And as I might hear you think about using a naming convention like this:

CORE_OPERATION_SELECT_PAGE

CORE_PAGE_OPERATION_CREATE_PAGE

CORE_PAGE_OPERATION_UPDATE_PAGE

CORE_PAGE_OPERATION_DELETE_PAGE

MODULE_BLOG_OPERATION_SELECT_POST

MODULE_BLOG_OPERATION_CREATE_POST

MODULE_BLOG_OPERATION_UPDATE_POST

MODULE_BLOG_OPERATION_DELETE_POST

FORUMS_OPERATION_CREATE_POST

… and so on…

Now, imagine that I have an application that has a module… within a module… within a module. This will result in insanely long identity names…

MODULE_FORUMS_BBCODE_CUSTOM_OPERATION_CREATE_CODE (this is just an example…)

Honestly… something in my mind tells me that this is wrong…

Why do I see RBAC models on the web that have proper database schemes, with…

  • Integer primary keys

  • A domain table -> objects

  • A permission table -> actions


But okay,

What is the best way to implement RBAC in a large application that contains forums, blogs, news, articles, dynamic pages, and more user-generated content?

I don’t want my end users stuck with insanely long ‘task’ or ‘role’ names.

I want to overrule ‘some’ authorization options directly over the ‘group’.

User->permission has a higher priority.

If I turn this user’s privilege false… while the group has true, the privilege will be set to false.

Group->permission has a lower priority

If I set this group privilege to false, while the user has this privilege directly set to true, the privilege will still be true because the user privilege has a higher priority.

Is there an example for this? I’ve read the manual a thousand times but I still don’t understand how to implement this efficiently into my application.

And then, another thing… for instance, when I create a forum, every section needs the option to set its own permissions. I want to be able to add restrictions on forum ID access.
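The user-over-group precedence and per-forum restriction asked about above, as an added example that is not part of the original post and is not Yii's own API: plain PHP over a constructed in-memory policy. The `ANY` wildcard, the operation names, the sample rows, and the rules that a forum-specific entry beats the wildcard and that an explicit false in any group wins are all assumptions.

```php
<?php
// Added example: tri-state permission lookup (true / false / not set).
// Policy layout, names and sample rows are constructed for illustration.

const ANY = 0; // hypothetical wildcard resource id meaning "all forums"

$policy = [
    // [userId][operation][forumId] => bool
    'user' => [
        7 => ['forum.post.create' => [ANY => false, 12 => true]],
    ],
    // [group][operation][forumId] => bool
    'group' => [
        'members'    => ['forum.post.create' => [ANY => true]],
        'moderators' => ['forum.post.delete' => [12 => true]],
        'probation'  => ['forum.post.create' => [12 => false]],
    ],
    'membership' => [7 => ['members', 'moderators'], 8 => ['members', 'probation']],
];

/** Explicit entry as true/false, or null when nothing is set at this level. */
function lookup(array $grants, string $op, int $forumId): ?bool
{
    // Assumption: a forum-specific entry beats the wildcard on the same level.
    return $grants[$op][$forumId] ?? $grants[$op][ANY] ?? null;
}

function isAllowed(array $policy, int $userId, string $op, int $forumId): bool
{
    // 1. An explicit user-level entry always wins, whether true or false.
    $direct = lookup($policy['user'][$userId] ?? [], $op, $forumId);
    if ($direct !== null) {
        return $direct;
    }
    // 2. Otherwise ask the groups; an explicit false in any group wins (assumption).
    $allowed = false;
    foreach ($policy['membership'][$userId] ?? [] as $group) {
        $entry = lookup($policy['group'][$group] ?? [], $op, $forumId);
        if ($entry === false) {
            return false;
        }
        $allowed = $allowed || $entry === true;
    }
    // 3. Nothing set anywhere: deny by default.
    return $allowed;
}

var_dump(isAllowed($policy, 7, 'forum.post.create', 5));  // user-level false vs group true
var_dump(isAllowed($policy, 8, 'forum.post.create', 12)); // one group true, one group false
```

Keeping "not set" distinct from false is what lets a user-level entry override the group in both directions; an unknown user or operation falls through to the default deny.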

To answer your first question - the answer is yes. You can have any text as the name of the role or the other types of auth items.

The model you posted is from

http://www.sqlrecipes.com/database_design/fine_grained_role_based_access_control_rbac_system-3/

I think the RBAC provided by Yii is much more powerful. It is hierarchical and at each level provides for a run-time check to determine if authorization applies in that situation. This is done through ‘bizrules’, which are PHP code saved in the database. Personally I don’t like the idea of PHP code in the database but it does allow the power to tackle almost any situation.

Yii does have a couple of cons in the present implementation:

  1. An access control check may require multiple database reads. Usually 1 read for each level in the RBAC hierarchy. Yes, Yii provides a hierarchical RBAC.

  2. Automatic roles (‘default roles’ in Yii docs) such as ‘Anonymous User’ or ‘Authenticated User’ are dependent on using the bizrules I mentioned above.

Yii doesn’t have domains, objects and actions as defined by the model you referred to, but instead it has operations which from what I understand is an action on a particular domain or object.

Anyway, I’m working on the RBAC to make it more efficient in its DB use and to reduce its reliance on bizrule PHP code. And, yes, it will use integer IDs.