Compared with Current by Kyle Spraggs on Sep 04, 2012 19:32.

h2. What is RBAC?

From Wikipedia:

"In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees,[3] and can implement mandatory access control (MAC) or discretionary access control (DAC). RBAC is sometimes referred to as role-based security."

h2. Proposal

The primary goals for this RFC are:

* Implement role-based access control as an *alternative* to access control lists (Zend\Permission\Acl).
* Utilize PHP 5.3 SPL datastructures (RecursiveIterator and RecursiveIteratorIterator).

h3. Architecture

The requirements are as follows:

* Many-to-many relationship between identities and roles.
* Many-to-many relationship between roles and permissions.
* A role can have a parent (inheritance must be supported).
* Dynamic assertions *must* be supported.

Given the requirements, RBAC is a perfect fit for a composite pattern ([http://en.wikipedia.org/wiki/Composite_pattern]) combined with SPL RecursiveIterator.

h3. Class skeletons

{code:php|title=Zend\Permission\Rbac\AbstractIterator.php|borderStyle=solid}
namespace Zend\Permission\Rbac;

public function getChildren();
}
{code}

{code:php|title=Zend\Permission\Rbac\AbstractRole.php|borderStyle=solid}
namespace Zend\Permission\Rbac;

public function addChild($child);
}
{code}

{code:php|title=Zend\Permission\Rbac\Rbac.php|borderStyle=solid}
namespace Zend\Permission\Rbac;

public function isGranted($permission);
}
{code}

{code:php|title=Zend\Permission\Rbac\Role.php|borderStyle=solid}
namespace Zend\Permission\Rbac;

{
}
{code}

h3. Setting up roles and permissions

{code:php|title=Roles|borderStyle=solid}
// Creating roles manually
// Using Rbac container
$rbac->getRole('foo')->addPermission('barperm');
{code}

h3. Dynamic assertions

Dynamic assertions can be provided via an AssertionInterface (Zend\Permission\Rbac\AssertionInterface) or by simply passing a closure. For example:

{code:php|title=Zend\Permission\Rbac\AssertionInterface|borderStyle=solid}
$event = new \My\Event;
$event->setUserId(1);
return $user->getId() === $event->getUserId();
});
{code}
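The following is an added, self-contained example, not code from this RFC, from Zend Framework or from SpiffySecurity. It puts the Architecture section's design (roles as a composite tree walked by SPL RecursiveIterator / RecursiveIteratorIterator, with inherited permissions) together with the dynamic-assertion mechanism of this section, so both can be run in one script. The class and method names (Role, Rbac, AssertionInterface, addChild, isGranted) mirror the skeletons above, but every signature and body is this example's own assumption: here a parent role inherits the permissions of its children, isGranted takes a role name rather than resolving an identity, and the code targets PHP 8.0 or later. The identity-to-role mapping and cycle detection in the role graph are deliberately left out.

```php
<?php
// Added example, not code from the RFC, Zend Framework or SpiffySecurity: a
// compact RBAC built the way the RFC describes (composite pattern + SPL
// RecursiveIterator, role inheritance, dynamic assertions). Names mirror the
// RFC's skeletons; every signature and body below is this example's own.
namespace Example\Rbac;

interface AssertionInterface
{
    public function assert(Rbac $rbac): bool;
}

// A role is a composite node: it holds permissions and child roles, and is
// itself a RecursiveIterator over those children.
class Role implements \RecursiveIterator
{
    private array $permissions = [];   // permission name => true
    private array $children = [];      // Role[]
    private int $pos = 0;

    public function __construct(private string $name) {}

    public function getName(): string { return $this->name; }

    public function addPermission(string $p): self { $this->permissions[$p] = true; return $this; }
    // Direct permissions only; inherited ones are resolved in Rbac::isGranted().
    public function hasPermission(string $p): bool { return isset($this->permissions[$p]); }
    public function addChild(Role $child): self { $this->children[] = $child; return $this; }

    // RecursiveIterator methods: RecursiveIteratorIterator walks any depth of
    // hierarchy through these, so no hand-written recursion is needed.
    public function current(): mixed { return $this->children[$this->pos]; }
    public function key(): mixed { return $this->pos; }
    public function next(): void { $this->pos++; }
    public function rewind(): void { $this->pos = 0; }
    public function valid(): bool { return isset($this->children[$this->pos]); }
    public function hasChildren(): bool { return $this->current()->children !== []; }
    public function getChildren(): ?\RecursiveIterator { return $this->current(); }
}

class Rbac
{
    private array $roles = [];   // name => Role

    public function addRole(Role $role, ?Role $parent = null): self
    {
        $this->roles[$role->getName()] = $role;
        $parent?->addChild($role);   // the parent inherits the child's permissions
        return $this;
    }

    public function getRole(string $name): Role
    {
        // Fail closed: an unknown role is a configuration error, not "denied".
        return $this->roles[$name] ?? throw new \InvalidArgumentException("Unknown role '$name'");
    }

    public function isGranted(string $roleName, string $permission,
                              AssertionInterface|callable|null $assertion = null): bool
    {
        $role = $this->getRole($roleName);
        $granted = $role->hasPermission($permission);
        if (!$granted) {   // SELF_FIRST visits intermediate roles, not only leaves
            $walker = new \RecursiveIteratorIterator($role, \RecursiveIteratorIterator::SELF_FIRST);
            foreach ($walker as $descendant) {
                if ($descendant->hasPermission($permission)) { $granted = true; break; }
            }
        }
        // Without a static grant the assertion is never consulted: a dynamic
        // check can narrow a grant but never widen one.
        if (!$granted || $assertion === null) {
            return $granted;
        }
        return $assertion instanceof AssertionInterface
            ? $assertion->assert($this) : (bool) $assertion($this);
    }
}

// Constructed demo hierarchy: admin > editor > member.
$rbac = new Rbac();
$rbac->addRole($admin = new Role('admin'))
     ->addRole($editor = new Role('editor'), $admin)
     ->addRole(new Role('member'), $editor);
$rbac->getRole('member')->addPermission('post.read');
$rbac->getRole('editor')->addPermission('post.edit');
$rbac->getRole('admin')->addPermission('user.delete');

$currentUserId = 7;
$postAuthorId  = 7;   // set to 8 to watch the assertion deny the edit
$ownsPost = fn(Rbac $r): bool => $currentUserId === $postAuthorId;

foreach ([['member', 'post.read', null], ['admin', 'post.read', null],
          ['member', 'user.delete', null], ['editor', 'post.edit', $ownsPost],
          ['member', 'post.edit', $ownsPost]] as [$roleName, $perm, $assertion]) {
    printf("%-6s %-12s %s\n", $roleName, $perm,
        $rbac->isGranted($roleName, $perm, $assertion) ? 'granted' : 'denied');
}
```

Two design points matter for a permission check. First, the assertion only runs after the static role/permission lookup has succeeded, so a closure that accidentally returns true cannot grant a permission the role never held. Second, the tree walk uses SELF_FIRST rather than the default LEAVES_ONLY mode; with LEAVES_ONLY an intermediate role such as editor would be skipped, and admin would lose the permissions held there. The script prints one line per check so the inherited grant and the assertion-narrowed grant are visible side by side.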

h3. Working example

The SpiffySecurity module currently implements the Rbac code and can be found at [https://github.com/SpiffyJr/SpiffySecurity/tree/master/src/SpiffySecurity/Rbac].