
What is RBAC?

From Wikipedia:

"In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees,[3] and can implement mandatory access control (MAC) or discretionary access control (DAC). RBAC is sometimes referred to as role-based security."

Proposal

The primary goals for this RFC are:

  • Implement role-based access control as an alternative to access control lists (Zend\Permission\Acl).
  • Utilize the PHP 5.3 SPL data structures (RecursiveIterator and RecursiveIteratorIterator).

Architecture

The requirements are as follows:

  • Many to many relationship between identities and roles.
  • Many to many relationship between roles and permissions.
  • A role can have a parent (inheritance must be supported).
  • Dynamic assertions must be supported.

Given these requirements, RBAC is a natural fit for the composite pattern (http://en.wikipedia.org/wiki/Composite_pattern) combined with the SPL RecursiveIterator: each role is a node that holds permissions and child roles, and the role tree is walked with RecursiveIteratorIterator.

Class skeletons

  • Zend\Permission\Rbac\AbstractIterator.php
  • Zend\Permission\Rbac\AbstractRole.php
  • Zend\Permission\Rbac\Rbac.php
  • Zend\Permission\Rbac\Role.php

Setting up roles and permissions

Roles

Dynamic assertions

Dynamic assertions can be provided via an AssertionInterface (Zend\Permission\Rbac\AssertionInterface) or by simply passing a closure. For example,

Zend\Permission\Rbac\AssertionInterface
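The composite role tree from the Architecture section and the closure-based assertion described above, as an added example that is not the page's or the project's code. The Role and Rbac classes, isGranted() and the permission names are assumptions for illustration.

```php
<?php
// Added example, not code from Zend\Permission\Rbac or SpiffySecurity: a composite
// role tree walked with SPL's RecursiveIterator, plus a closure assertion.
// Class and method names here are illustrative assumptions.
class Role implements RecursiveIterator {
    private $name, $permissions = array(), $children = array();
    public function __construct($name) { $this->name = $name; }
    public function getName() { return $this->name; }
    public function addPermission($p) { $this->permissions[$p] = true; return $this; }
    public function addChild(Role $child) { $this->children[] = $child; return $this; }
    // A role holds its own permissions plus those of every role beneath it, so the
    // senior role (admin) inherits from the junior ones (editor, guest), not the reverse.
    // SELF_FIRST is required: the default LEAVES_ONLY mode would skip intermediate roles.
    public function hasPermission($p)
    {
        if (isset($this->permissions[$p])) return true;
        foreach (new RecursiveIteratorIterator($this, RecursiveIteratorIterator::SELF_FIRST) as $r) {
            if (isset($r->permissions[$p])) return true;
        }
        return false;
    }
    // RecursiveIterator contract: hasChildren()/getChildren() describe the *current* child.
    public function hasChildren() { return $this->valid() && !empty($this->current()->children); }
    public function getChildren() { return $this->current(); }
    public function current() { return current($this->children); }
    public function key() { return key($this->children); }
    public function next() { next($this->children); }
    public function rewind() { reset($this->children); }
    public function valid() { return key($this->children) !== null; }
}
class Rbac {
    private $roles = array();
    public function addRole(Role $role) { $this->roles[$role->getName()] = $role; return $this; }
    // Static permission check first, then the optional dynamic assertion (a closure here;
    // the RFC also allows an AssertionInterface). Both must hold for a grant.
    public function isGranted($roleName, $permission, Closure $assert = null)
    {
        if (!isset($this->roles[$roleName]) || !$this->roles[$roleName]->hasPermission($permission)) return false;
        return $assert === null || (bool) $assert($this);
    }
}
$guest  = new Role('guest');  $guest->addPermission('post.read');
$editor = new Role('editor'); $editor->addPermission('post.edit')->addChild($guest);
$admin  = new Role('admin');  $admin->addPermission('user.ban')->addChild($editor);
$rbac = new Rbac(); $rbac->addRole($guest)->addRole($editor)->addRole($admin);
// Constructed sample data: an editor may edit only posts they authored (author id 7, current user 7).
$post = array('author' => 7); $me = 7;
$ownsPost = function () use ($post, $me) { return $post['author'] === $me; };
// admin reaches post.read via editor -> guest; guest sits beneath editor; editor needs the assertion too
var_dump($rbac->isGranted('admin', 'post.read'), $rbac->isGranted('guest', 'post.edit'), $rbac->isGranted('editor', 'post.edit', $ownsPost));
```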

Working example

The SpiffySecurity module currently implements the Rbac code and can be found at https://github.com/SpiffyJr/SpiffySecurity/tree/master/src/SpiffySecurity/Rbac.
