RBAC Integration using cdbAuth Manager
Role Based Access Control, or RBAC, is a strategy for permitting or restricting access based on the roles assigned to users rather than on the individual user. It is well suited to granting a specific group of employees access to the data they need, especially when the organisation is large. Also known as Role Based Security, RBAC can be used to implement MAC (mandatory access control) or DAC (discretionary access control). RBAC has been gaining popularity, and more and more IT vendors are building it into their product lines; as a result it is now used in a wide variety of fields, from health to defence.
Integrating RBAC into your business processes is a good strategy, but there are certain things to consider to make it work for the business. Before implementing access checks, we need to configure an authorization manager. Yii provides two authorization managers, CDbAuthManager and CPhpAuthManager; this post covers integration using CDbAuthManager. With CDbAuthManager all authorization data is stored in the database, and the component must be configured before use. In protected/config/main.php:
………………….
return array(
    'components'=>array(
        'db'=>array(
            'connectionString' => 'mysql:host=localhost;dbname=test_rbac',
            'emulatePrepare' => true,
            'username' => 'root',   // development values; use a dedicated, least-privileged DB account in production
            'password' => '',
            'charset' => 'utf8',
        ),
        'authManager'=>array(
            'class'=>'CDbAuthManager',   // stores items, relations and assignments in the database
            'connectionID'=>'db',        // the db component defined above
        ),
    ),
);
………………….
The authManager component's class is CDbAuthManager, and connectionID names the database connection component it should use; here that is db.
CDbAuthManager works with a set of tables whose schema can be found under framework/web/auth. SQL files for the major databases are also available there.
Table AuthItem
This table stores the authorization items: roles, tasks and operations. Each item is identified by its name, for example createPost or deletePost. The type field holds 0, 1 or 2, where 0 corresponds to operations, 1 to tasks and 2 to roles; CAuthManager assigns these values automatically. The bizrule field stores PHP code (a business rule) where applicable.
Table AuthItemChild
This table stores the hierarchy, i.e. parent/child relations between items, identified by the item names.
Table AuthAssignment
This table assigns authorization items to users. A user can be assigned several items; each assignment stores the item name in the itemname field, whether it is a role, task or operation. The AuthManager application component is accessed via Yii::app()->authManager. We build an authorization hierarchy in the following steps:
- creating authorization items (roles, tasks, operations)
- configuring relationships between authorization items
- assigning roles to application users
Given below are three methods to create authorization items depending on their type.
- CAuthManager::createRole
- CAuthManager::createTask
- CAuthManager::createOperation
Once the authorization items are created, the next step is to establish relationships between them. This can be done with the following methods:
- CAuthManager::addItemChild
- CAuthManager::removeItemChild
- CAuthItem::addChild
- CAuthItem::removeChild
To assign authorization items to individual users we use the following methods:
- CAuthManager::assign
- CAuthManager::revoke
The next step is to build the application around these tables. The authitem form created for this looks like this.
Here only the name and type fields are required. We can customize the type field by defining an array of the allowed types:
$data['authtype'] = array('role'=>'Role','task'=>'Task','operation'=>'Operation');
Pass it to the create view and make a dropdown list from it. In the controller's create action I have made the following changes:
$model->attributes=$_POST['Authitem'];
$auth=Yii::app()->authManager;
// bizrule is PHP code that CAuthManager evaluates at checkAccess() time,
// so this action must only be reachable by trusted administrators
if(strcmp($model->type,'task')==0)
{
    $auth->createTask($model->name,$model->description,$model->bizrule,$model->data);
}
elseif(strcmp($model->type,'role')==0)
{
    $auth->createRole($model->name,$model->description,$model->bizrule,$model->data);
}
elseif(strcmp($model->type,'operation')==0)
{
    $auth->createOperation($model->name,$model->description,$model->bizrule,$model->data);
}
Based on the selected type we create a role, task or operation. I created the admin and author roles and three tasks, createPost, deletePost and updatePost. Our authitem table now has the following data:
Now we need to establish the relations between roles, tasks and operations in the authitemchild table. The form needs an array of item names for both the parent and the child field.
if(isset($_POST['Authitemchild']))
{
    $model->attributes=$_POST['Authitemchild'];
    if($model->validate())
    {
        //$this->saveModel($model);
        //$this->redirect(array('view','parent'=>$model->parent, 'child'=>$model->child));
        // let the auth manager write the row: it validates the parent/child
        // types and rejects loops, which saving the model directly would not
        $auth = Yii::app()->authManager;
        $auth->addItemChild($model->parent,$model->child);
    }
}
The addItemChild method is used here to define the relation: the first parameter is the parent name and the second is the child name. The next step is to assign an authorization item to a user, which is done as follows:
if(isset($_POST['Authassignment']))
{
    $model->attributes=$_POST['Authassignment'];
    if($model->validate())
    {
        //$this->saveModel($model);
        //$this->redirect(array('view','itemname'=>$model->itemname, 'userid'=>$model->userid));
        // as with item creation, bizrule is evaluated PHP; only trusted
        // administrators should be able to submit this form
        $auth = Yii::app()->authManager;
        $auth->assign($model->itemname,$model->userid,$model->bizrule,$model->data);
    }
}
Now we can check access against these roles in the application, for example to show menu items only to the roles that may use them. Here only users with the admin role see the System Settings menu:
array('label'=>'System Settings', 'url'=>array('/system/settings'),'visible'=>Yii::app()->user->checkAccess('admin')),
…………..
In a controller's access rules, if we want to grant the admin and delete actions to the admin role only:
…………..
array('allow', // allow users with the admin role to perform the 'admin' and 'delete' actions
    'actions'=>array('admin','delete'),
    'roles'=>array('admin'),
),
…………..
If we want to check access before performing an operation:
…………..
if(Yii::app()->user->checkAccess('deletePost'))
{
    // Delete the post
}
…………..
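The whole hierarchy above (items, parent/child relations, assignments) built in one place, plus a business rule, as an added example that is not from the original post. It assumes a Yii 1.1 application whose authManager is the CDbAuthManager configured earlier, and a hypothetical Post model with an author_id attribute; createPost, updatePost and deletePost are created as operations (the finest-grained item type) rather than the tasks the post uses, and user ids 1 and 2 are constructed sample values.

```php
<?php
// Console command (protected/commands/RbacCommand.php), run as: yiic rbac init
// Added example; assumes CDbAuthManager is configured as 'authManager'.
class RbacCommand extends CConsoleCommand
{
    public function actionInit()
    {
        $auth = Yii::app()->authManager;
        $auth->clearAll();   // start from an empty hierarchy (removes all items and assignments)

        // Operations: the leaf permissions that checkAccess() ultimately resolves to.
        $auth->createOperation('createPost', 'create a post');
        $auth->createOperation('readPost',   'read a post');
        $auth->createOperation('updatePost', 'update a post');
        $auth->createOperation('deletePost', 'delete a post');

        // Task with a business rule. The bizrule is PHP evaluated by CAuthManager
        // at checkAccess() time with $params available, so it is fixed in code here,
        // never taken from a web form. $params['post'] is the hypothetical Post model.
        $bizRule = 'return Yii::app()->user->id == $params["post"]->author_id;';
        $task = $auth->createTask('updateOwnPost', 'update own post', $bizRule);
        $task->addChild('updatePost');

        // Roles: author may create and read posts and update only their own;
        // admin inherits everything from author and may update or delete any post.
        $author = $auth->createRole('author');
        $author->addChild('createPost');
        $author->addChild('readPost');
        $author->addChild('updateOwnPost');

        $admin = $auth->createRole('admin');
        $admin->addChild('author');
        $admin->addChild('updatePost');
        $admin->addChild('deletePost');

        // Assignments (constructed sample user ids); the itemname/userid rows
        // land in AuthAssignment exactly as the form-based code above would write them.
        $auth->assign('admin',  1);
        $auth->assign('author', 2);

        $auth->save();   // no-op for CDbAuthManager, required if you switch to CPhpAuthManager
        echo "RBAC hierarchy created\n";
    }
}
```

In a controller the bizrule is exercised by passing the post along, e.g. Yii::app()->user->checkAccess('updatePost', array('post'=>$post)): an author is allowed only when author_id matches the logged-in user, while an admin is allowed through the direct updatePost child without the rule.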
We can use the authManager's defaultRoles setting when some roles should apply to every user. I hope this tutorial clearly shows the integration of RBAC using Yii's CDbAuthManager. I'll be around and will come up with a detailed post on the integration of RBAC using Yii's CPhpAuthManager soon.