What is RBAC?
From Wikipedia:
"In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees,[3] and can implement mandatory access control (MAC) or discretionary access control (DAC). RBAC is sometimes referred to as role-based security."
Proposal
The primary goals for this RFC are:
- Implement role-based access control as an alternative to access control lists (Zend\Permission\Acl).
- Utilize the PHP 5.3 SPL recursive iterator interfaces (RecursiveIterator and RecursiveIteratorIterator) to traverse the role hierarchy.
Architecture
The requirements are as follows:
- Many to many relationship between identities and roles.
- Many to many relationship between roles and permissions.
- A role can have a parent role, and permissions must be inherited through that hierarchy.
- Dynamic assertions (checks evaluated against run-time state at the moment a permission is queried) must be supported.
Given these requirements, RBAC is a natural fit for the composite pattern (http://en.wikipedia.org/wiki/Composite_pattern): each role is a node that holds its own permissions and its child roles, and implementing the node as an SPL RecursiveIterator lets RecursiveIteratorIterator walk the whole hierarchy when a permission is checked.
Class skeletons
Setting up roles and permissions
Dynamic assertions
Dynamic assertions can be provided via an AssertionInterface (Zend\Permission\Rbac\AssertionInterface) or by passing a closure. Either form is evaluated at check time against request-specific state (resource ownership, time of day, and the like) that a static role-to-permission mapping cannot express, and it should only ever narrow a grant, never replace the permission check itself. For example,
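Since the class skeletons and set-up code are absent from this copy of the page, here is an added, self-contained PHP sketch (my own example, not the proposed Zend\Permission\Rbac classes nor the SpiffySecurity code) that covers both "Setting up roles and permissions" and the closure/AssertionInterface assertions described above. The class and method names (Role, Rbac, addRole, addChild, addPermission, hasPermission, isGranted), the sample hierarchy and the assumed inheritance direction (a role holds every permission granted to the roles beneath it) are assumptions of the example; the identity-to-role mapping from the first requirement is outside its scope.

```php
<?php
// Added illustrative sketch, not the Zend\Permission\Rbac classes themselves: composite
// roles walked with SPL RecursiveIterator/RecursiveIteratorIterator, a container with a
// deny-by-default isGranted(), and closure/interface assertions. All names here are
// assumptions. Assumed inheritance direction: a role holds every permission granted
// to the roles beneath it, so the most senior role is the root of the tree.

interface AssertionInterface { public function assert(Rbac $rbac); } // true = allow

class Role implements RecursiveIterator
{
    protected $name;
    protected $parent;
    protected $permissions = array(); // permission name => true
    protected $children    = array();
    protected $position    = 0;

    public function __construct($name) { $this->name = (string) $name; }
    public function getName()          { return $this->name; }
    public function getParent()        { return $this->parent; }
    public function addPermission($p)  { $this->permissions[(string) $p] = true; return $this; }
    public function addChild(Role $c)  { $c->parent = $this; $this->children[] = $c; return $this; }

    // Direct grant, or a grant on any descendant found by a depth-first walk of the
    // composite; RecursiveIteratorIterator performs the recursion.
    public function hasPermission($permission)
    {
        if (isset($this->permissions[$permission])) { return true; }
        $walk = new RecursiveIteratorIterator($this, RecursiveIteratorIterator::CHILD_FIRST);
        foreach ($walk as $descendant) {
            if (isset($descendant->permissions[$permission])) { return true; }
        }
        return false;
    }

    // RecursiveIterator over direct children; each child is itself a Role (hence a
    // RecursiveIterator), which is what makes the composite traversable.
    public function current()     { return $this->children[$this->position]; }
    public function key()         { return $this->position; }
    public function next()        { $this->position++; }
    public function rewind()      { $this->position = 0; }
    public function valid()       { return isset($this->children[$this->position]); }
    public function hasChildren() { return count($this->current()->children) > 0; }
    public function getChildren() { return $this->current(); }
}

class Rbac
{
    protected $roles = array();

    // $parent names an already-registered role, or null for a root role.
    public function addRole($name, $parent = null)
    {
        $role = $this->roles[$name] = new Role($name);
        if ($parent !== null) { $this->getRole($parent)->addChild($role); }
        return $role;
    }

    public function getRole($name)
    {
        if (!isset($this->roles[$name])) { throw new InvalidArgumentException("Unknown role '$name'"); }
        return $this->roles[$name];
    }

    // Deny by default: the role must hold the permission AND any supplied assertion
    // must pass, so an assertion can narrow a grant but never create one.
    public function isGranted($role, $permission, $assert = null)
    {
        if (!$this->getRole($role)->hasPermission($permission)) { return false; }
        if ($assert === null) { return true; }
        if ($assert instanceof AssertionInterface) { return (bool) $assert->assert($this); }
        if ($assert instanceof Closure) { return (bool) $assert($this); }
        throw new InvalidArgumentException('Assertion must be an AssertionInterface or a Closure');
    }
}

// Constructed sample hierarchy: admin -> editor -> guest.
$rbac = new Rbac();
$rbac->addRole('admin');
$rbac->addRole('editor', 'admin');
$rbac->addRole('guest', 'editor');
$rbac->getRole('guest')->addPermission('article.read');
$rbac->getRole('editor')->addPermission('article.edit');
$rbac->getRole('admin')->addPermission('user.delete');

// Static checks: admin reaches article.read through editor and guest; guest cannot
// reach article.edit, which is granted above it.
var_dump($rbac->isGranted('admin', 'article.read'));
var_dump($rbac->isGranted('guest', 'article.edit'));

// Dynamic assertion: an editor may edit only an article they own. The ownership data
// is constructed request state captured by the closure, not something the RBAC tree knows.
$article     = array('owner' => 'alice');
$currentUser = 'bob';
$ownsArticle = function (Rbac $rbac) use ($article, $currentUser) { return $article['owner'] === $currentUser; };
var_dump($rbac->isGranted('editor', 'article.edit', $ownsArticle));
// A permissive assertion does not widen access for a role that lacks the permission.
var_dump($rbac->isGranted('guest', 'article.edit', function () { return true; }));
```

Two design points worth noting. isGranted() performs the static hasPermission() check before consulting the assertion, so a buggy or over-permissive assertion can never grant access that the role hierarchy does not already allow; the assertion is strictly a filter. The sketch uses the PHP 5.3-era syntax the RFC targets; on PHP 8.1 and later the iterator methods emit deprecation notices unless they are given return types or annotated with #[\ReturnTypeWillChange].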
Working example
The SpiffySecurity module currently implements the Rbac code and can be found at https://github.com/SpiffyJr/SpiffySecurity/tree/master/src/SpiffySecurity/Rbac.