Demos · Guide · Class Reference · Wiki · Extensions · Forum · Live Chat · Login
search

rbam

Role Based Access Control Management
report it
56 followers
I18N
Requirements
Compatibility
Installation
Usage
Download the Demo
Resources
Change Log
1.6.1
1.6
1.5
1.4
1.3
1.2
1.1
1.0

Role Based Access Manager (RBAM) is a Yii module that provides complete management of Authorisation Data (Authorisation Items, Authorisation Hierarchy, and Authorisation Assignments) for Yii’s Role Based Access Control system via a browser interface; it is intended for use in development and end-user administration environments.

RBAM has an intuitive “Web 2.0” interface to easily manage Authorisation Items (Roles, Tasks, and Operations), their hierarchy, and Authorisation Assignments. It presents all of an Authorisation Item’s information in one place providing a comprehensive overview and complete management of the item.

RBAM’s “Drill-down” and “Drill-up” features quickly show an item’s position in the Authorisation Hierarchy, what permissions it inherits (Drill down) and which Roles inherit its permissions (Drill up).

RBAM is built on top of Yii’s CAuthManager component and supports both of Yii’s built-in Authorisation Managers, CDbAuthManager and CPhpAuthManager, and authorisation managers extended from them.

I18N

RBAM supports I18N; it comes with German and Spanish translations (these are mine courtesy of Google - so poor at best).

Since V1.5 a Russian translation in included (thanks to Jangos)

If you have translation for RBAM and would like it included, please add to the RBAM thread in the forum; I'll add them in to the future releases.

Requirements

  • JavaScript enabled browser
  • CDbAuthManager, CPhpAuthManager, or an authorisation manager component extended from them
  • A User model with an attribute that is the model’s primary-key and an attribute or attributes that provide the names of users; since V1.5, name attributes can also be in a related model.

Compatibility

Status   Yii     Chrome     Firefox     MSIE     Opera     Safari     OS  
Tested with 1.1.5 8.0 3.68 8.0 10.63 5.0 Windows 7
Should work with   1.x.x All 2.0+ 6.0+ 9.0+ 3.0+ All

Installation

  • Extract the download archive onto the required folder. RBAM can be installed as a "top-level" module (in /protected/modules) or a nested module (in the modules directory of a parent module.

  • Edit your configuration file (if a "top-level" module)

modules’=>array(rbam’=>array(
    // RBAM Configuration
  ),
),

(if a nested module)

parentModule’=>array(
  // Parent Module Configurationmodules’=>array(rbam’=>array(
      // RBAM Configuration
    ),
  ),
),

Usage

Access RBAM in your browser at _http://your.domain/index.php?r=[parent module/]*rbam

Download the Demo

You can download the demo (it's just the Yii "testdrive" app with RBAM and a user model). This comes with some Authorisation Data in place. The demo uses CPhpAuthManager; you can change the config to use CDbAuthManager (the config has the Yii demo SQLite db component) and import the PHP Authorisation data.

Before running the demo you will need to edit index.php to point to your Yii installation.

Resources

Try the demo

Read the manual (PDF)

Change Log

1.6.1

  • Fixed an issue with RbamModule::getMenuItem()
  • Fixed inocrrect passing of parameters to Yii::t in RbamInitialiser::initialise()
  • Fixed undefined index issues in RbamInitialiser::defaultAuthData()

1.6

  • Corrected scope of RbamController::ActiveChars() method to public
  • Upgraded AlphaPager extension to 1.3.2
  • Added RbamModule::getMenuItem() and RbamModule::getMenuItems() methods to provide CMenu integration
  • Updated manual to add RbamModule::getMenuItem() and RbamModule::getMenuItems() methods. Property and method documentation now in Yii style.

1.5

  • RBAM now supports user names from models related to the model specified by userClass; e.g. array(',', profile.given_name, profile.family_name) will use the given_name and family_name attributes of the profile relationship in the userClass.
  • Russian translation (thanks to Jangos)
  • Fixed all reported bugs

1.4

  • Fixed issue with installing into DB without auth tables
  • Improved sorting of users

1.3

  • Improved I8n in JUI dialogs
  • Improved validation error support in JUI dialogs

1.2

  • Fixed issue with multiple assignments to a user (only seen on some servers)
  • Added validation to biz rule to ensure it is a valid PHP "return" statement
  • Changed initialisation to always add RBAM and default roles if not present. This allows RBAM to be easily added to existing RBAC authorisation data
  • Added count of users with permission for an item to Auth Item Overview and Auth Item relationship tabs

1.1

  • Fixed code to work with applications in sub-folders

1.0

  • Initial release

Total 20 comments

#12185 report it
Daantje at 2013/03/04 06:16pm
rbam_manual.pdf

I found the rbam_manual.pdf mirrored here http://pdfio.com/k-2272549.html and on my site for save keeping http://bitbucket.org/bytebrain/yii-rbam-extension-manual It should be within the downloadable zip.

#11399 report it
realtebo at 2013/01/11 05:07am
manual link is broken

i'm trying to download PDF for the manual from

http://rbam.pbm-webdev.co.uk/documents/rbam_manual.pdf

but it's broken

The entire 3rd-level domain is unreachable

#11071 report it
firefly at 2012/12/14 03:40am
fix for PosgreSQL

Last tested was RBAM version 1_6_1.

I'v noticed that RBAM dose not work well with PostgreSQL. Anyway there is a fix:

'authManager'=>array(
            'class'=>'CDbAuthManager',
            'connectionID'=>'db',
            'itemTable'=>'auth_item',
            'itemChildTable'=>'auth_item_child',
            'assignmentTable'=>'auth_assignment',
        ),

so the authorization table names must be changed. Why? Because in PostgreSQL,

SELECT * FROM AuthItem

is the same as

SELECT * FROM authitem

But PostgreSQL is case sensitive on tables name, so an error is trigger.

The correct syntax is by quoting the table name:

SELECT * FROM "AuthItem"

But in order to make no changes in the RBAM module, it is best to just rename the tables and make them lowercase...

Anyway one error still remains in: \rbam\components\behaviors\RbamDbAuthManagerBehavior.php(162)

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid=$uid)";

$uid should be quoted, like:

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid='$uid')";

and now RBAM works with PostgreSQL! :)

#10298 report it
Boaz at 2012/10/18 04:04am
IMPORTANT: renaming does not propagate through tables!

Beware: I just noticed that renaming an auth item does not propagate the new name to the 'relationships' and 'assignments' table! SRBAC does this (but, sadly, its GUI doesn't include any relationships manipulation).

#9928 report it
VinodC at 2012/09/23 12:28pm
demo not working

Demo not working .Could you please correct it? thanks

#9904 report it
le_top at 2012/09/20 11:34am
v1.6.1 - small fixes regarding $user->id

Hi The RbamInitialiser and the 'assign' view of authAssignments still have some '$user->id' entries that should be something like:

$user->{$module->userIdAttribute}

(in assign) and

$user->{Yii::app()->getModule('rbam')->userIdAttribute}

Further, another modification was needed regarding the menu generation. When the current controller is not the RBAM, the menu is missing the controller's path prefix. Hence, the corresponding menu generation code had to be updated like this (last line of the snippet):

return array_merge(array(
            array(
                'label'=>Yii::t('RbamModule.rbam','Auth Assignments'),
                'url'=>array($this->baseUrl.'/authAssignments/index'),

To support ambigious columns, I changed this in AuthAssignmentController:

$asc = join(',',array_map(function($a){return (strpos($a,'.')===false)?'t.'.$a:$a;},$userNameAttribute));

This supposes that the alias for the user table is 't'.

#9601 report it
ChessSpider at 2012/08/28 04:53am
Is it me or are the default roles not working at all?

Right, so I added a few permissions to the Guest and Authenticated role, but I kept on getting the access denied. So I did a

<?php print_r(Yii::app()->authManager->defaultRoles);?>

And hooray, empty array. The RBAM-module has the following in the beforeControllerAction:

<?php 
    public function beforeControllerAction($controller, $action) {
        $authManager = Yii::app()->getAuthManager();
        $authManager->defaultRoles = array_merge($authManager->defaultRoles, array(
            $this->authenticatedRole, $this->guestRole
        ));
        if ($authManager instanceof CAuthManager)
            $authManager->attachBehavior('authManager', array(
                'class'=>($authManager instanceof CDbAuthManager?
                    'RbamDbAuthManagerBehavior':'RbamPhpAuthManagerBehavior'
                ),
                'module'=>$this
            ));
        else
            throw new CException(Yii::t('RbamModule.rbam','AuthManager component is not an instance of CAuthManager'));
        $controller->authManager = $authManager;
      return true;
    } ?>

and guess what, authManager::defaultRoles is not an empty array when I access the RBAM-module, and works perfectly.

Seems to me something is misplaced? And what am I missing here that defaultRoles are not set in other modules?

#8297 report it
Boaz at 2012/05/23 11:33am
Beware of the default bizrule for Guest role

Hi,

There's this issue I'm still looking into that is described here. In the meantime, please be advised that the bizrule attached to Guest role will lead to incorrect behavior (=bug) if Authenticated is to inherit from Guest, which is natural to assume. Solution? Remove the bizrule from the Guest role so anyone, from RBAC perspective could assumed to be of this role, including authenticated users. No, this is only an permissions granting perspective. If you think about it it bears no implication regarding application flow in general.

#7587 report it
luckymancvp at 2012/04/01 11:12am
Bug for rbam 1.6.1

If User table have id column's type is not int ( example : varchar) . Fix these line:

\rbam\views\authAssignments\assign.php:

jQuery("#AuthAssignment_userId").val('.$user->{$module->userIdAttribute}.');

=>

jQuery("#AuthAssignment_userId").val("'.$user->{$module->userIdAttribute}.'");

\rbam\components\behaviors\RbamDbAuthManagerBehavior.php

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid=$uid)"; =>

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid='$uid')";

#7161 report it
hoplayann at 2012/02/29 04:07am
Demo link broken

I think your demo page is broken.

#6812 report it
gsd at 2012/02/06 09:00pm
DataValidator

in DataValidator

if (!empty($model->bizrule) && strpos($model->bizrule,'$data')!==false && empty($this->data))
// may be
$model->data
#6704 report it
marcovtwout at 2012/01/30 12:15pm
Put RBAM in protected/extensions/ instead of protected/modules

If you want to put this module (or any other module) in another folder, configure like this:

Put rbam folder in protected/extensions/:

(..)
// Modules
'modules' => array(
    'rbam'=>array(
        'class' => 'ext.rbam.RbamModule',
        (..)
#6667 report it
Felix at 2012/01/27 07:05am
Bug in RbamDbAuthManagerBehavior.php

There's a bug that enables a person with the role 'authAssignmentsManagerRole' to assign somebody (even himself) the 'rbacManagerRole' role, and then scaling privileges. To avoid this, you've to modify the method 'getEUnassignedRoles' and put the following:

foreach ($owner->defaultRoles as $defaultRole)
            unset($unassignedRoles[$defaultRole]);
 
        // start of modification
        if(!Yii::app()->user->checkAccess($this->module->rbacManagerRole))
        {
            unset($unassignedRoles[$this->module->rbacManagerRole]);
            unset($unassignedRoles[$this->module->authItemsManagerRole]);
            unset($unassignedRoles[$this->module->authAssignmentsManagerRole]);
        }
        // end of modification
 
        $assignedRoles = array();
#6278 report it
Taufik at 2011/12/23 10:30pm
a little

I import the SQL schema (\yii\framework\web\auth\schema-mysql.sql). then this is the config:

'rbam'=>array(
            'development'=>TRUE,
            'initialise'=>array(
                'class'=>'CDbAuthManager',
                'connectionID'=>'db',
            ),
            'rbacManagerRole'=>'admin',
            'userClass'=>'User',
            'userIdAttribute'=>'id',
            'userNameAttribute'=>'username',
        ),
#6276 report it
sidtj at 2011/12/23 01:08pm
Not Working

First, I could not go beyond the 'not initiliazed' screen. Second, I could, using this configs:

'rbam'=>array(
            'authAssignmentsManagerRole'=>'admin',
            'authenticatedRole'=>'Authenticated',
            'authItemsManagerRole'=>'admin',
            'development'=>true,
            'initialise'=>true,
            'rbacManagerRole'=>'admin',
            'userClass'=>'Usuario',
            'userIdAttribute'=>'id_usuario',
            'userNameAttribute'=>'usuario',
        )

After logout and login again, i am receiving a 403 error page. I cant access rbam any way else.

I tryed to change the initialise to false, I tryed to create an user RBAC Manager, to log using it, but the 403 persists.

Now I am leaving this extension. Thanks anyway.

,

#6162 report it
I.am.andrew at 2011/12/16 03:21am
@.@ can't see the demo

as the title says, the demo has an error. can you fix it so i cloud check if this extension could help me :D thx

#5864 report it
marcovtwout at 2011/11/21 06:16am
Re: initialize - Please provided complete example file, or better yet, just read current rbac tables!!

You don't have to initialize it when you set the proper roles (the initialize message is only shown when you don't have access to the RBAM interface). For instance, my application uses:

'rbam'=>array(
    'rbacManagerRole'=>'SuperAdmin',
    'authAssignmentsManagerRole'=>'SuperAdmin',
    'authItemsManagerRole'=>'SuperAdmin',
),

The message you saw implies that it needs to be initialized, and is misleading. Maybe the author can change it?

An option to disable (role based) authentication to the RBAM module would be handy though. For example, I only enable the module in my development environment where I wouldn't require access checks to RBAM.

#5853 report it
blevy009 at 2011/11/20 06:28pm
initialize - Please provided complete example file, or better yet, just read current rbac tables!!

This is the second rbac extension I've tried to get working in my app, yii-rbac, and now your rbam.

RBAM comes up fine, but demands to be initialized. Why wouldn't it just use the data in the tables that is already available?? I've completed the Agile-yii book and have authmanager working, just not an easy way of viewing and managing roles, tasks and operations.

Please help out with a detailed data array that initialise can use, or let it just go into a mode where it can use what's there.

thanks,

#5348 report it
Command at 2011/10/06 06:07am
demo is broken

The demo does not work or is it just for me?

#4420 report it
rnysmile at 2011/07/07 02:30am
bug fix for 1.6.1

rbam\views\authAssignments\assign.php

replace two

$user->id

with

>

$user->{$module->userIdAttribute}

Leave a comment

Please to leave your comment.

Create extension
Search Extensions
Downloads
See all »
Related Extensions
 

Yii Supporters

  • The Ext4Yii Framework is a professional PHP Yii extension which provides server-side ExtJS functionality.
Terms of Service | License | Contact Us
Copyright © 2013 by Yii Software LLC. All Rights Reserved.