"In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement mandatory access control (MAC) or discretionary access control (DAC). RBAC is sometimes referred to as role-based security."
The primary goals for this RFC are:
- Implement role-based access control as an alternative to access control lists (Zend\Permission\Acl).
- Utilize the PHP 5.3 SPL data structures (RecursiveIterator and RecursiveIteratorIterator).
The requirements are as follows:
- Many to many relationship between identities and roles.
- Many to many relationship between roles and permissions.
- A role can have a parent (inheritance must be supported).
- Dynamic assertions must be supported.
Given these requirements, RBAC is a natural fit for the composite pattern (http://en.wikipedia.org/wiki/Composite_pattern) combined with the SPL RecursiveIterator: each role is a node that holds its own permissions and its child roles, and the tree is walked with RecursiveIteratorIterator.
Dynamic assertions can be provided via an AssertionInterface (Zend\Permission\Rbac\AssertionInterface) or by simply passing a closure. For example,
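The following is an added illustration written for this page; it is not code from the RFC, from Zend Framework, or from SpiffySecurity. It shows both points above in one place: roles as a composite tree walked with the SPL RecursiveIterator / RecursiveIteratorIterator, and dynamic assertions supplied either as an AssertionInterface implementation or as a closure. The class and method names (Role, Rbac, AssertionInterface, isGranted, addRole, addChild), the permission strings, and the inheritance direction (a parent role is granted everything its descendant roles hold) are assumptions chosen for the example, as is the sample hierarchy at the bottom.

```php
<?php
// Added example, not code from the RFC or SpiffySecurity. Class/method names,
// permission strings and the inheritance direction are assumptions. PHP 5.3
// compatible: array() syntax, closures, SPL recursive iterators.

interface AssertionInterface
{
    // Return true only when the dynamic condition for the permission holds.
    public function assert(Rbac $rbac);
}

// Composite node: a role owns its permissions and zero or more child roles and
// is itself a RecursiveIterator over those children (assumed: parents inherit
// everything their descendants hold).
class Role implements RecursiveIterator
{
    protected $name;
    protected $permissions = array();
    protected $children = array();
    protected $parent;

    public function __construct($name) { $this->name = (string) $name; }
    public function getName()          { return $this->name; }
    public function getParent()        { return $this->parent; }
    public function addPermission($p)  { $this->permissions[$p] = true; return $this; }
    public function addChild(Role $c)  { $c->parent = $this; $this->children[] = $c; return $this; }

    // True if this role or any role beneath it holds the permission; deny by default.
    public function hasPermission($permission)
    {
        if (isset($this->permissions[$permission])) {
            return true;
        }
        $it = new RecursiveIteratorIterator($this, RecursiveIteratorIterator::SELF_FIRST);
        foreach ($it as $descendant) {
            if (isset($descendant->permissions[$permission])) {
                return true;
            }
        }
        return false;
    }

    // RecursiveIterator over the child roles; each child is itself iterable.
    public function current()     { return current($this->children); }
    public function key()         { return key($this->children); }
    public function next()        { next($this->children); }
    public function rewind()      { reset($this->children); }
    public function valid()       { return key($this->children) !== null; }
    public function hasChildren() { return count($this->children) > 0; }
    public function getChildren() { return current($this->children); }
}

class Rbac
{
    protected $roles = array();

    // Register a role tree; every descendant becomes addressable by name.
    public function addRole(Role $role)
    {
        $this->roles[$role->getName()] = $role;
        $it = new RecursiveIteratorIterator($role, RecursiveIteratorIterator::SELF_FIRST);
        foreach ($it as $descendant) {
            $this->roles[$descendant->getName()] = $descendant;
        }
        return $this;
    }

    // Unknown roles and failed assertions deny; an assertion of the wrong type is
    // rejected loudly rather than silently treated as "no assertion".
    public function isGranted($roleName, $permission, $assert = null)
    {
        if (!isset($this->roles[$roleName])) {
            return false;
        }
        if ($assert instanceof AssertionInterface) {
            if (!$assert->assert($this)) { return false; }
        } elseif ($assert instanceof Closure) {
            if (!$assert($this)) { return false; }
        } elseif ($assert !== null) {
            throw new InvalidArgumentException('Assertion must implement AssertionInterface or be a Closure');
        }
        return $this->roles[$roleName]->hasPermission($permission);
    }
}

// Constructed sample hierarchy: admin -> editor -> viewer.
$viewer = new Role('viewer'); $viewer->addPermission('post.read');
$editor = new Role('editor'); $editor->addPermission('post.write')->addChild($viewer);
$admin  = new Role('admin');  $admin->addPermission('user.delete')->addChild($editor);
$rbac   = new Rbac();
$rbac->addRole($admin);

var_dump($rbac->isGranted('admin', 'post.read'));   // bool(true): inherited via editor -> viewer
var_dump($rbac->isGranted('viewer', 'post.write')); // bool(false): inheritance flows upward only
var_dump($rbac->isGranted('nobody', 'post.read'));  // bool(false): unregistered role

// Dynamic assertion as a closure over constructed request data (ownership check).
$post = array('owner' => 'alice'); $identity = 'alice';
$isOwner = function (Rbac $rbac) use ($post, $identity) { return $post['owner'] === $identity; };
var_dump($rbac->isGranted('editor', 'post.write', $isOwner));  // bool(true)
```

Two design choices worth noting. Every lookup denies by default: an unregistered role, a permission held nowhere in the subtree, and a failing assertion all return false, and only an explicit match grants. The assertion parameter accepts only AssertionInterface or Closure objects rather than any `is_callable` value, so a string that happens to name a global function cannot be passed in as an "assertion"; anything else raises rather than being ignored.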
The SpiffySecurity module currently implements the Rbac code and can be found at https://github.com/SpiffyJr/SpiffySecurity/tree/master/src/SpiffySecurity/Rbac.