RBAM - Role Based Access Control Manager

Your use case is amusing…

And it demonstrates what I think - there is no such real world use case and it’s ridiculous to think that there’s any benefit NOT to update the relationship table on any change in the items table (as we’ve mentioned…). Even if there was such a remote use case - I don’t think the RBAM module, being an open source software developed on typically very limited resources, should address all of its clients’ needs. Heck, not even fully established for-profit companies address all their customers’ needs. They address most customers’ needs (…that would generate them the most profit).

But, again, the design of the tables in the first place is really awkward and I fail to get to the bottom of the designer’s mind, or perhaps simply it’s not a good design… . Also, the design demonstrates, I think, the reason for database normalization. With the current design, there’s duplication of data between the tables - the ‘names’ of the auth items. As such, it requires a rename to be performed on all tables, as we’ve seen.

On to more practical words - time to test the SRBAC extension!

Well, SRBAC seems to cut it. Renaming a role renames it in both the ‘items’ table and on the ‘relationships’ table (didn’t check anything else at this stage). Gonna give it a try… .

Hi!

I’m wondering the same…is this extension still maintained?

These doc & demo links are broken (can’t display them here b/c this is my first post, I had to remove all the links and replace with “…”…what a pain! See reply #67 for the links).

doc:

…rbam_manual.pdf

demo:

…index.php

Would love to try this out but a doc and demo would be nice!

Peter

I would like to know too if the extension is already maintained or if anyone has the main zip of the extension and the docs.

I’ve been working with a previous version of the extension installed in a work project that was being developed by another developer, and I would like to use it with a new one.

Suggestions?

I found the rbam_manual.pdf mirrored here pdfio.com/k-2272549.html

and on my site for safekeeping bitbucket.org/bytebrain/yii-rbam-extension-manual

I’m relatively new to Yii. I created some roles and added operations that were automatically generated. Now I am not sure if I need to go in and modify the accessRules() in all of my controllers and add the roles? I would think this would be automatic?

Do I actually have to go to every action and add code like this:


if(Yii::app()->user->checkAccess('createPost'))
{
    // create post
}

Did you ever figure this out? I’m pretty sure it is automatic, but I think I am missing the one piece of glue that gets the roles, tasks and operations I set up in RBAM to start engaging.

See next post. Think I found the glue, and by putting that one rule in my overall controller, everything works!

I have a basic question about how to use RBAM effectively. I have something like the following set up in RBAM, in terms of parent/child relationships:




Role: Administrator
    Task: ArticleReading
        Operation: Article:index
        Operation: Article:view
    Task: ArticleWriting
        Operation: Article:create
        Operation: Article:delete
        Operation: Article:save

Role: Regular User
    Task: ArticleReading
        Operation: Article:index
        Operation: Article:view



Given this, I thought the access checking would just be automatic. I guess I need to define some accessRules(), but I can’t imagine what they would look like. It would seem as if any rule I create would be redundant to what I’ve just defined in RBAM.




public function accessRules() {
  return [
      ['allow', 'actions' => ['index','view'], 'roles' => ['Administrator']], // this seems redundant, but if I have no rules access isn't checked
      ['deny', 'users' => ['*']]
  ];
}



I believe I found the answer, myself:




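public function accessRules() {
    return array(
        // Allow only if the user holds the auth item named "<controller id>:<action id>"
        array('allow',
            'expression' => 'Yii::app()->user->checkAccess(Yii::app()->controller->id.":".Yii::app()->controller->action->id)'),
        // Everything else is denied
        array('deny', 'users' => array('*'))
    );
}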
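What that single expression rule does with the hierarchy from the question, as an added example that is not part of the original posts and is not RBAM or Yii code: a simplified stand-in for the auth manager walks role, task and operation links and falls through to deny. The user ids, the `export` action and the function names are constructed for illustration.

```php
<?php
// Added example: a simplified stand-in for Yii's auth manager, not RBAM or Yii code.
// Hierarchy copied from the post above: parent item => child items.
$children = [
    'Administrator'  => ['ArticleReading', 'ArticleWriting'],
    'Regular User'   => ['ArticleReading'],
    'ArticleReading' => ['Article:index', 'Article:view'],
    'ArticleWriting' => ['Article:create', 'Article:delete', 'Article:save'],
];
// Constructed sample assignments: user id => roles.
$assignments = [1 => ['Administrator'], 2 => ['Regular User']];

// True if $item equals $granted or is reachable from it via child links.
function grants(array $children, string $granted, string $item, array $seen = []): bool
{
    if ($granted === $item) {
        return true;
    }
    if (isset($seen[$granted])) {   // guard against loops in the hierarchy
        return false;
    }
    $seen[$granted] = true;
    foreach ($children[$granted] ?? [] as $child) {
        if (grants($children, $child, $item, $seen)) {
            return true;
        }
    }
    return false;
}

// Mirrors the single 'allow' expression rule followed by the deny-all rule.
function canRun(array $children, array $assignments, int $userId, string $controller, string $action): bool
{
    $operation = $controller . ':' . $action;   // e.g. "Article:create"
    foreach ($assignments[$userId] ?? [] as $role) {
        if (grants($children, $role, $operation)) {
            return true;
        }
    }
    return false; // no role grants the operation: falls through to deny
}

// User 3 has no assignment and 'export' has no operation defined.
foreach ([[1, 'create'], [2, 'view'], [2, 'create'], [1, 'export'], [3, 'index']] as [$uid, $action]) {
    printf("user %d Article:%s => %s\n", $uid, $action,
        canRun($children, $assignments, $uid, 'Article', $action) ? 'allow' : 'deny');
}
```

An action with no matching operation is denied even for Administrator, so a new controller action stays closed until its auth item exists.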



I’m sure I’ve done something wrong, but quite what that might be, I don’t know.

After initialising the auth* data, I get “Fatal error: Call to a member function attachBehavior() on a non-object in […]\protected\modules\rbam\RbamModule.php on line 422” and in addition see the log message “Querying SQL: SELECT * FROM user t WHERE t.id=‘admin’ LIMIT 1”

I don’t really see how or why “id” would ever be the username, so as you can imagine I’m pretty confused.

Can anyone shed some light on it?

I know Yii can be set up so that the id field is the username field, and it might even be the default. I think you might need to set the “userIdAttribute” in the rbam config to point to your user table’s ID column. Here is my setup, in case it might help:

'rbam' => array(
    'applicationLayout'          => 'application.views.layouts.main',
    'authAssignmentsManagerRole' => 'Auth Assignments Manager',
    'authenticatedRole'          => 'Authenticated',
    'authItemsManagerRole'       => 'Auth Items Manager',
    'baseScriptUrl'              => NULL,
    'baseUrl'                    => NULL,
    'cssFile'                    => NULL,
    'development'                => FALSE,
    'exclude'                    => 'rbam',
    'guestRole'                  => 'Guest',
    'initialise'                 => FALSE,
    'layout'                     => 'rbam.views.layouts.main',
    'juiCssFile'                 => 'jquery-ui.css',
    'juiHide'                    => 'puff',
    'juiScriptFile'              => 'jquery-ui.min.js',
    'juiScriptUrl'               => NULL,
    'juiShow'                    => 'fade',
    'juiTheme'                   => 'base',
    'juiThemeUrl'                => NULL,
    'pageSize'                   => 25,
    'rbacManagerRole'            => 'RBAC Manager',
    'relationshipsPageSize'      => 5,
    'showConfirmation'           => 500,
    'showMenu'                   => TRUE,
    'userClass'                  => 'User',
    'userCriteria'               => array(),
    'userIdAttribute'            => 'userId',
    'userNameAttribute'          => 'email',
)

I have


'rbam'=>array(
    'development'=>true,
    'initialise'=>true,

    'rbacManagerRole'=>'admin',
    'userClass'=>'User',
    'userIdAttribute'=>'id',
    'userNameAttribute'=>'username',
),



And the table is defined as follows:

CREATE TABLE IF NOT EXISTS user (
  id int(10) unsigned NOT NULL AUTO_INCREMENT,
  username varchar(8) NOT NULL,
  pass varchar(65) NOT NULL,
  role int(10) unsigned NOT NULL,
  person_id int(10) unsigned NOT NULL,
  address_id int(10) unsigned NOT NULL,
  PRIMARY KEY (id),
  UNIQUE KEY address_id (address_id),
  KEY `person-id` (person_id),
  KEY role (role)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=7 ;

That looks nearly the same as my setup. The only other thing I can think of that might be relevant is that I have this in UserIdentity.php:




  $this->_id = $user->userId;



when the user logs in successfully.

Ah. I’m guessing you got this from http://www.yiiframework.com/doc/guide/1.1/en/topics.auth#defining-identity-class ?

RBAM now gives me a 403 (“not authorized”) when trying to access it. I’m guessing I somewhere have to say which user(s) can use it. That


'rbacManagerRole'=>'admin'

line in my config? Can I somehow still link that to a username? Changing it to the value of the id of the admin user works (I can not only access RBAM, but the initialization works completely), but that id could change with time.

Sorry, it’s been too long since I set things up to remember where pieces came from. The UserIdentity is something I’ve used in Yii apps for a long time, because I have a complex login process that includes LDAP. I think it also may have come “standard” with the YiiBooster version of an app that I set up recently.

I’m not that familiar with the intricacies of RBAM, but the rbacManagerRole was populated for me when it initialized, to ‘RBAC Manager’ - it is a role created in the auth tables rather than a user.

Is this still de facto for RBAC solutions? :)

Just a small problem I noticed.

I have installed RBAM (CDbAuthManager) and reviewed the DB structures it created for me because I need to build on them a more customized logic. What I noticed is that there is a redundancy with itemnames.

Of course it can be refactored, when I have time I will contribute it, but until then you can make item name uneditable and remove it from the update as a field. Based on that you can make an intermediate table that can be a bridge between RBAM and your custom implementation. When the fix comes, you will only have to change names with ids in your table.

Hope this will help someone :)

Pretty sure that’s the Yii default database setup, oopholic, and not specific to the RBAM module. The itemname is a key in the other tables, so when it is changed in one place it changes in the others automatically.

I haven’t been able to find a better solution yet. I keep wanting to make a clean, new manager, but I never seem to have the time. I end up maintaining it by using DB INSERTS, UPDATES and DELETES because that’s easier, once the basics are set up.
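The rename behaviour discussed in this thread, as an added example that is not part of the original posts and is not RBAM code: the same role rename run against simplified auth tables with and without foreign keys on the item name. The table layout is assumed to follow Yii 1.1's AuthItem / AuthItemChild schema, the rows are constructed, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example: simplified auth tables in in-memory SQLite (needs pdo_sqlite).
// Table and column names are assumed to follow Yii 1.1's AuthItem / AuthItemChild layout.
function renameRole(bool $withForeignKeys): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('PRAGMA foreign_keys = ON');   // SQLite enforces foreign keys only when enabled
    $fk = $withForeignKeys
        ? ', FOREIGN KEY (parent) REFERENCES AuthItem (name) ON DELETE CASCADE ON UPDATE CASCADE'
        . ', FOREIGN KEY (child) REFERENCES AuthItem (name) ON DELETE CASCADE ON UPDATE CASCADE'
        : '';
    $db->exec('CREATE TABLE AuthItem (name VARCHAR(64) PRIMARY KEY, type INTEGER NOT NULL)');
    $db->exec("CREATE TABLE AuthItemChild (parent VARCHAR(64) NOT NULL, child VARCHAR(64) NOT NULL,
               PRIMARY KEY (parent, child)$fk)");

    // Constructed sample rows: one role (type 2) holding one task (type 1).
    $db->exec("INSERT INTO AuthItem VALUES ('Editor', 2), ('ArticleWriting', 1)");
    $db->exec("INSERT INTO AuthItemChild VALUES ('Editor', 'ArticleWriting')");

    // Rename the role in the items table only, as an admin UI would.
    $db->exec("UPDATE AuthItem SET name = 'Author' WHERE name = 'Editor'");

    // Which parent name does the relationship row carry now?
    return $db->query('SELECT parent FROM AuthItemChild')->fetchAll(PDO::FETCH_COLUMN);
}

echo 'without foreign keys:   ', implode(', ', renameRole(false)), "\n";
echo 'with ON UPDATE CASCADE: ', implode(', ', renameRole(true)), "\n";
```

Without the constraint the relationship row keeps the old name, so the renamed role loses its children and a later role created under the old name would pick them up. On MySQL the cascade only takes effect when the auth tables use InnoDB, because MyISAM accepts the constraint syntax without enforcing it.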

There is a problem with the function "actions()" in Controllers.




    public function actions() {
        // isset in init
        return $this->actions;
        // DO NOT REMOVE - RBAM is using this
        return array(
            'adminModel'=>array('class'=>'...'),
            'create'=>array('class'=>'...'),
            'delete'=>array('class'=>'...'),
            'update'=>array('class'=>'...'),
            'view'=>array('class'=>'..'),
        );
    }



I’m loading different actions. And I have to hardcode that second return, just for RBAM.

How difficult would it be to migrate everything to use migrations instead of regular expressions?

How do I implement automation of Role Assigning whenever a new user is created?