What's the best way to check for two RBAC roles/permissions in AccessRule?

I have a role called "project_access" that grants access to a project (using a rule). I also have a role called "admin" that allows deleting of items in the project.

What is the best way to specify this permission in the controller? Doing something like this will not work because it will grant permission on “admin”, which doesn’t check the project access.


	'allow' => true,

	'actions' => ['delete'],

	'roles' => ['project_access', 'admin'],

	'roleParams' => function()


		return [

			'project' => $this->project,




Any suggestions on how to structure this? I’d rather not create my own AccessRule that needs to match both roles. Another option is to use “matchCallback” for one of the roles.

Is there something obvious I’m missing here?

Create another permission such as "manage_projects", add both "admin" and "project_access" to it, assign it to users.