Role-Based Access System

Hi all,

What I have understood so far is that, to connect to the database and retrieve roles, operations and tasks from it, we need this setting in protected/config/main.php:

'authManager'=>array(
    'class'=>'CDbAuthManager',
    'connectionID'=>'db',
),

After that I have to create 3 tables according to framework/web/auth/schema.sql.

But what I didn’t get is the purpose of the following columns. Can anyone please explain in some more detail why they are required, with some sample data for them? For example, how do I write a bizrule?

The columns are:

authassignment.bizrule

authassignment.data

authitem.type

authitem.bizrule

authitem.data

What kind of data goes in those fields? I tried putting "return Yii::app()->user->id===$params['post']->authId;" inside bizrule but it doesn’t work.

Also, in the authitemchild table can we make a parent->child relationship between role->operation, like author->updateOwnPost?

Hi,

The srbac extension is suitable for you:

http://www.yiiframework.com/extension/srbac/

Thanks.

Yes, that might work for me.

But I wanted to know how Yii RBAC works.

I tried srbac,

but still my original question remains…

How to write a bizrule?

What is the data field?

Why do both the authassignment and authitem tables have both ‘bizrule’ and ‘data’ fields?

What is the difference?

Hi rohit,

You used it the right way, as in the guide, with something like return Yii::app()->user->id===$params['post']->authId;. The parameters array must be named '$params'!

But did you remember the need to supply the parameters for the bizRule when you call the checkAccess function?

if(Yii::app()->user->checkAccess('updateOwnPost',array('post'=>$postObj)))

Inside the data field you can just store some additional information for this item or assignment. The data values are also supplied to the bizRule when it is executed. But afaik they are just for your application and not used inside rbac.

When using CDbAuthManager the values for the data fields are serialized.

Regards

Thanks. It kind of worked for me.

But is it also possible to put 'roles'=>array('author'), in the accessRules() method?

So that I don’t have to call the checkAccess() method manually?

How can I pass my model there?

And also, is it possible to assign roles to multiple users? Or rather, all user ids in my table in one entry?

Yes, it’s possible. Exactly the way you suggested. Take a look at CAccessControlFilter.

I think I don’t really understand your last question… Of course it’s possible to assign a role to multiple users.

You just need to add a record with the role-item-name (like ‘author’ or whichever roles you are using) and the UserID to the AuthAssignment table.

Greets

OK, here is what I have done till now.

authitem table entry

[name]          [type]  [bizrule]
updateOwnPost   0       return Yii::app()->user->id==$params['post']->authID;
author          1

authitemchild table entry

[parent]  [child]
author    updateOwnPost

authassignment table entry

[itemname]  [userid]
author      1

Now in this last table, I need user ids to assign to the role. I want to assign 1 to 10 (i.e. all 10 ids) to author; is it possible in one go?

And the second question is: instead of using an if() statement like you said above, is it directly possible using the accessRules() method, like the following?


public function accessRules()
{
    return array(
        array('allow', // allow authenticated user to perform 'create' and 'update' actions
            'actions'=>array('create','update'),
            'users'=>array('@'),
            'roles'=>array('author','admin'),
        ),
    );
}

and in the actionUpdate() method, normal code like the following:


public function actionUpdate()
{
    ...
    $this->render('update',array(
        'model'=>$model,
        'users'=>$users,
    ));
}

So, instead of using

if(Yii::app()->user->checkAccess('editOwnComment',array('comment'=>$model)))

in the actionUpdate() method, is it possible to assign a role to the action (update) in the accessRules() method and pass a $post model object to be available in the bizrule in place of $params['post']?

Does the bizrule pass from parent to child or child to parent?

I don’t see such behavior though. But please clarify my doubts.

Thanks in advance.

Hi,

one by one:

Looks fine. No, afaik you can’t do this at one go. But it’s only one loop in your code…

There are some nice implementations here you may wish to search for, so you don’t have to do this by hand.

Yes, it is. Exactly the way you did. What’s wrong with it? Not working?

No, if you use the roles in accessRules() you can’t pass the $params parameter to it.

The only information that is always available in the bizRule is $data (the data field of the authitem).

Neither the former nor the latter. The bizRule belongs to the one item where you define it.

Hopefully this helped a little bit.

Greets
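
The setup and the two-level check discussed in this thread, as an added example (not code from any poster or from the Yii project). It assumes a Yii 1.1 application with the authManager configured as in the first post, a hypothetical Post model with an authID column, and that Yii::app()->user->id returns the numeric user id.

```php
<?php
// Added example. Post and its authID column are assumptions taken from the
// thread; the authManager component is the CDbAuthManager from the first post.
class PostController extends CController
{
    // One-off setup: run once, e.g. from a console command or a migration.
    public static function seedRbac()
    {
        $auth = Yii::app()->authManager;
        // The bizRule is stored as a PHP string and eval()'d on every check,
        // so write access to the auth tables must be tightly restricted.
        $rule = 'return Yii::app()->user->id==$params["post"]->authID;';
        $auth->createOperation('updateOwnPost', 'update own post', $rule);
        $author = $auth->createRole('author');
        $author->addChild('updateOwnPost');    // one row in authitemchild
        foreach (range(1, 10) as $userId) {    // one authassignment row per user
            $auth->assign('author', $userId);
        }
    }

    public function filters()
    {
        return array('accessControl');
    }

    // Coarse gate: with a plain role name the filter calls checkAccess('author')
    // without $params, so it cannot decide who owns a given post.
    public function accessRules()
    {
        return array(
            array('allow', 'actions' => array('update'), 'roles' => array('author')),
            array('deny', 'users' => array('*')),
        );
    }

    // Object-level gate: the model is only available here, so the ownership
    // bizRule has to be checked inside the action.
    public function actionUpdate($id)
    {
        $model = Post::model()->findByPk($id);
        if ($model === null) {
            throw new CHttpException(404, 'The requested post does not exist.');
        }
        if (!Yii::app()->user->checkAccess('updateOwnPost', array('post' => $model))) {
            throw new CHttpException(403, 'You may only update your own posts.');
        }
        $this->render('update', array('model' => $model));
    }
}
```

Without the check inside actionUpdate(), any user holding the author role could update any post, because the role rule alone never sees which post is being edited.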

Thank you. Problem solved.

I read a lot of internal code and figured out the same.

I will have to use accessRules() and define ‘role’ in it,

and also use an if statement to check in the action and to pass the model.

It worked fine. :)

A little suggestion: I am not sure why we can’t pass parameters in the accessRules() method itself.

What I figured out, if I’m not wrong, is that

both times it checks for access to the particular action, according to the ‘action’ defined in accessRules() as well as in the actionUpdate() method [where I’m calling the if statement and passing params to the checkAccess() method].

In accessRules() it calls checkAccess() without params, while using the if statement we can call it with params.

Why not pass params directly in accessRules()?

Is there any reason for not doing so? I mean, just put one param as a property in the CAccessRule class

and call the checkAccess method with params. Won’t it work?