Yii 1.1: rbam

Role Based Access Control Management

Role Based Access Manager (RBAM) is a Yii module that provides complete management of Authorisation Data (Authorisation Items, Authorisation Hierarchy, and Authorisation Assignments) for Yii’s Role Based Access Control system via a browser interface; it is intended for use in development and end-user administration environments.

RBAM has an intuitive “Web 2.0” interface to easily manage Authorisation Items (Roles, Tasks, and Operations), their hierarchy, and Authorisation Assignments. It presents all of an Authorisation Item’s information in one place providing a comprehensive overview and complete management of the item.

RBAM’s “Drill-down” and “Drill-up” features quickly show an item’s position in the Authorisation Hierarchy, what permissions it inherits (Drill down) and which Roles inherit its permissions (Drill up).

RBAM is built on top of Yii’s CAuthManager component and supports both of Yii’s built-in Authorisation Managers, CDbAuthManager and CPhpAuthManager, and authorisation managers extended from them.


RBAM supports I18N; it comes with German and Spanish translations (these are mine courtesy of Google - so poor at best).

Since V1.5 a Russian translation is included (thanks to Jangos).

If you have a translation for RBAM and would like it included, please add it to the RBAM thread in the forum; I'll add them to future releases.


  • JavaScript enabled browser
  • CDbAuthManager, CPhpAuthManager, or an authorisation manager component extended from them
  • A User model with an attribute that is the model’s primary-key and an attribute or attributes that provide the names of users; since V1.5, name attributes can also be in a related model.


Status            Yii     Chrome   Firefox   MSIE   Opera   Safari   OS
Tested with       1.1.5   8.0      3.68      8.0    10.63   5.0      Windows 7
Should work with  1.x.x   All      2.0+      6.0+   9.0+    3.0+     All


  • Extract the download archive into the required folder. RBAM can be installed as a "top-level" module (in /protected/modules) or a nested module (in the modules directory of a parent module).

  • Edit your configuration file (if a "top-level" module)

    'modules'=>array(
      'rbam'=>array(
        // RBAM Configuration
      ),
    ),

(if a nested module)

    // Parent Module Configuration
    'modules'=>array(
      'rbam'=>array(
        // RBAM Configuration
      ),
    ),


Access RBAM in your browser at http://your.domain/index.php?r=[parent module/]rbam

Download the Demo

You can download the demo (it's just the Yii "testdrive" app with RBAM and a user model). This comes with some Authorisation Data in place. The demo uses CPhpAuthManager; you can change the config to use CDbAuthManager (the config has the Yii demo SQLite db component) and import the PHP Authorisation data.

Before running the demo you will need to edit index.php to point to your Yii installation.


Try the demo

Read the manual (PDF)

Change Log


  • Fixed an issue with RbamModule::getMenuItem()
  • Fixed incorrect passing of parameters to Yii::t in RbamInitialiser::initialise()
  • Fixed undefined index issues in RbamInitialiser::defaultAuthData()


  • Corrected scope of RbamController::ActiveChars() method to public
  • Upgraded AlphaPager extension to 1.3.2
  • Added RbamModule::getMenuItem() and RbamModule::getMenuItems() methods to provide CMenu integration
  • Updated manual to add RbamModule::getMenuItem() and RbamModule::getMenuItems() methods. Property and method documentation now in Yii style.


  • RBAM now supports user names from models related to the model specified by userClass; e.g. array(',', profile.given_name, profile.family_name) will use the given_name and family_name attributes of the profile relationship in the userClass.
  • Russian translation (thanks to Jangos)
  • Fixed all reported bugs


  • Fixed issue with installing into DB without auth tables
  • Improved sorting of users


  • Improved I18N in JUI dialogs
  • Improved validation error support in JUI dialogs


  • Fixed issue with multiple assignments to a user (only seen on some servers)
  • Added validation to biz rule to ensure it is a valid PHP "return" statement
  • Changed initialisation to always add RBAM and default roles if not present. This allows RBAM to be easily added to existing RBAC authorisation data
  • Added count of users with permission for an item to Auth Item Overview and Auth Item relationship tabs


  • Fixed code to work with applications in sub-folders


  • Initial release

Total 20 comments

#19696
anmol at 2015/12/18 07:53am
error : include(User.php): failed to open stream: No such file or directory

After setup:
1. I use the URL: http://localhost:8080/yii/adminapp/index.php?r=rbam
2. It asks to initialise RBAC; I click yes
3. It asks for RBAM to generate Authorisation Data based; I click yes
4. It gives Error 500 include(User.php): failed to open stream: No such file or directory

#16243
CoderK at 2014/02/03 02:38am

@jbaltero In your User model:

public function beforeSave() {
    if ($this->isNewRecord) {
        // create Role and assign user to role
    }
    return parent::beforeSave();
}

#16242
JbalTero at 2014/02/02 08:41pm
(HOW) to automate Role Assigning?

How do I implement automation of Role Assigning whenever there is a new user? Any suggestions? Thanks

#15013
Boaz at 2013/09/29 07:21am
@Ron Lavie

For each controller action method, you need to specify the role/permission needed in order to access the method. This can be done either specifically in each action method, or using a filter (IIRC filters can be used with RBAC). An example for specific method usage:

if (!Yii::app()->user->checkAccess('do something')) {
  throw new CHttpException(404);
}

#15012
Sharon Lavie at 2013/09/29 06:14am
can't make the rbam module work for me

I'm trying to implement the RBAM extension on my project and everything is ok, but "only" that it doesn't really prevent a user that is not allowed for X action to perform that action (operation).

Here's what I have done:
1. Created my project using yiic (on Windows).
2. Created my model, controller and crud for every table in my db using "Gii".
3. Created a users table and have the model, controller and crud for it.
4. Created the tables needed for the CDbAuthManager: authassignment, authitem, authitemchild.

Added the following to the config/main.php:

'components' => array(

Do I need to add anything to my controllers' access rules?

#14302
CoderK at 2013/08/03 09:07am

If you have set 'caseSensitive' => false in config/main.php this module will not work. Remove the entire line or set it to true to make it work.

You will otherwise get a 404-page.

#12185
Daantje at 2013/03/04 06:16pm

I found the rbam_manual.pdf mirrored here http://pdfio.com/k-2272549.html and on my site for safekeeping: http://bitbucket.org/bytebrain/yii-rbam-extension-manual It should be within the downloadable zip.

#11399
realtebo at 2013/01/11 05:07am
manual link is broken

I'm trying to download the PDF for the manual from


but it's broken

The entire 3rd-level domain is unreachable

#11071
firefly at 2012/12/14 03:40am
Fix for PostgreSQL

Last tested was RBAM version 1_6_1.

I've noticed that RBAM does not work well with PostgreSQL. Anyway, there is a fix:


so the authorization table names must be changed. Why? Because in PostgreSQL,


is the same as

SELECT * FROM authitem

But PostgreSQL is case sensitive on table names, so an error is triggered.

The correct syntax is by quoting the table name:

SELECT * FROM "AuthItem"

But in order to make no changes in the RBAM module, it is best to just rename the tables and make them lowercase...

Anyway one error still remains in: \rbam\components\behaviors\RbamDbAuthManagerBehavior.php(162)

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid=$uid)";

$uid should be quoted, like:

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid='$uid')";

and now RBAM works with PostgreSQL! :)

#10298
Boaz at 2012/10/18 04:04am
IMPORTANT: renaming does not propagate through tables!

Beware: I just noticed that renaming an auth item does not propagate the new name to the 'relationships' and 'assignments' table! SRBAC does this (but, sadly, its GUI doesn't include any relationships manipulation).

#9928
VinodC at 2012/09/23 12:28pm
demo not working

Demo not working. Could you please correct it? Thanks

#9904
le_top at 2012/09/20 11:34am
v1.6.1 - small fixes regarding $user->id

Hi. The RbamInitialiser and the 'assign' view of authAssignments still have some '$user->id' entries that should be something like:


(in assign) and


Further, another modification was needed regarding the menu generation. When the current controller is not the RBAM, the menu is missing the controller's path prefix. Hence, the corresponding menu generation code had to be updated like this (last line of the snippet):

return array_merge(array(
                'label'=>Yii::t('RbamModule.rbam','Auth Assignments'),

To support ambiguous columns, I changed this in AuthAssignmentController:

$asc = join(',',array_map(function($a){return (strpos($a,'.')===false)?'t.'.$a:$a;},$userNameAttribute));

This supposes that the alias for the user table is 't'.

#9601
ChessSpider at 2012/08/28 04:53am
Is it me or are the default roles not working at all?

Right, so I added a few permissions to the Guest and Authenticated role, but I kept on getting the access denied. So I did a

<?php print_r(Yii::app()->authManager->defaultRoles);?>

And hooray, empty array. The RBAM-module has the following in the beforeControllerAction:

    public function beforeControllerAction($controller, $action) {
        $authManager = Yii::app()->getAuthManager();
        $authManager->defaultRoles = array_merge($authManager->defaultRoles, array(
            $this->authenticatedRole, $this->guestRole
        if ($authManager instanceof CAuthManager)
            $authManager->attachBehavior('authManager', array(
                'class'=>($authManager instanceof CDbAuthManager?
            throw new CException(Yii::t('RbamModule.rbam','AuthManager component is not an instance of CAuthManager'));
        $controller->authManager = $authManager;
      return true;
    } ?>

and guess what, authManager::defaultRoles is not an empty array when I access the RBAM-module, and works perfectly.

Seems to me something is misplaced? And what am I missing here that defaultRoles are not set in other modules?

#8297
Boaz at 2012/05/23 11:33am
Beware of the default bizrule for Guest role

There's this issue I'm still looking into that is described here. In the meantime, please be advised that the bizrule attached to Guest role will lead to incorrect behavior (=bug) if Authenticated is to inherit from Guest, which is natural to assume. Solution? Remove the bizrule from the Guest role so anyone, from an RBAC perspective, could be assumed to be of this role, including authenticated users. No, this is only a permissions granting perspective. If you think about it, it bears no implication regarding application flow in general.

#7587
luckymancvp at 2012/04/01 11:12am
Bug for rbam 1.6.1

If the User table's id column type is not int (example: varchar), fix these lines:

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid=$uid)";

=>

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid='$uid')";
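
Added example (not RBAM's code and not from either commenter): the quoting change posted here and in the PostgreSQL comment above makes the userid comparison work for varchar ids; the same condition can also be written with the id bound as a parameter, which works for integer ids, string ids and ids that contain a quote character. It uses plain PDO with an in-memory SQLite database; the table contents and the helper unassignedRoles() are constructed for the illustration.

```php
<?php
// Constructed schema and rows, modelled on Yii's authitem / authassignment tables.
const TYPE_ROLE = 2; // same value as CAuthItem::TYPE_ROLE

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE authitem (name VARCHAR(64) PRIMARY KEY, type INTEGER NOT NULL)');
    $db->exec('CREATE TABLE authassignment (itemname VARCHAR(64), userid VARCHAR(64))');
    $db->exec("INSERT INTO authitem VALUES ('Admin', 2), ('Editor', 2), ('editPost', 0)");
    $db->exec("INSERT INTO authassignment VALUES ('Editor', '42'), ('Admin', 'alice')");
    return $db;
}

// Hypothetical helper: roles not yet assigned to $uid.
// The id travels as a bound parameter and never becomes part of the SQL text,
// so no quoting decision depends on the column type or on the id's content.
function unassignedRoles(PDO $db, $uid): array {
    $sql = 'SELECT name FROM authitem
            WHERE type = :type
              AND name NOT IN (SELECT itemname FROM authassignment WHERE userid = :uid)
            ORDER BY name';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':type', TYPE_ROLE, PDO::PARAM_INT);
    $stmt->bindValue(':uid', (string)$uid, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
print_r(unassignedRoles($db, 42));        // integer id
print_r(unassignedRoles($db, 'alice'));   // varchar id
print_r(unassignedRoles($db, "o'brien")); // id containing an apostrophe
```

In Yii 1.1 the same idea is a condition containing a :uid placeholder, with the value supplied through the params array of CDbCriteria.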

#7161
hoplayann at 2012/02/29 04:07am
Demo link broken

I think your demo page is broken.

#6812
gsd at 2012/02/06 09:00pm

in DataValidator

if (!empty($model->bizrule) && strpos($model->bizrule,'$data')!==false && empty($this->data))
// may be

#6704
marcovtwout at 2012/01/30 12:15pm
Put RBAM in protected/extensions/ instead of protected/modules

If you want to put this module (or any other module) in another folder, configure like this:

Put rbam folder in protected/extensions/:

// Modules
'modules' => array(
    'rbam' => array(
        'class' => 'ext.rbam.RbamModule',
    ),
),

#6667
Felix at 2012/01/27 07:05am
Bug in RbamDbAuthManagerBehavior.php

There's a bug that enables a person with the role 'authAssignmentsManagerRole' to assign somebody (even himself) the 'rbacManagerRole' role, and then scaling privileges. To avoid this, you've to modify the method 'getEUnassignedRoles' and put the following:

foreach ($owner->defaultRoles as $defaultRole)
        // start of modification
        // end of modification
        $assignedRoles = array();
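
Added example (not RBAM's code and not the modification from the comment above, which is not shown on this page): one way to keep an assignments manager from handing out the RBAC manager role, either directly or through another role that inherits it. The hierarchy, the role names and the helpers effectiveItems() and assignableRoles() are constructed for the illustration; it runs without Yii.

```php
<?php
// Constructed hierarchy (parent => direct children), shaped like authitemchild rows.
$children = array(
    'rbacManager'        => array('assignmentsManager', 'manageAuthItems'),
    'assignmentsManager' => array('assignRoles'),
    'siteOwner'          => array('rbacManager', 'editor'), // inherits the manager role
    'editor'             => array('publishPost'),
);
$roles = array('rbacManager', 'assignmentsManager', 'siteOwner', 'editor');

// An item plus everything it inherits, as a set (item name => true).
// $seen doubles as the visited set, so cyclic data cannot loop forever.
function effectiveItems(array $children, string $item, array &$seen = array()): array {
    if (isset($seen[$item])) {
        return $seen;
    }
    $seen[$item] = true;
    foreach ($children[$item] ?? array() as $child) {
        effectiveItems($children, $child, $seen);
    }
    return $seen;
}

// Hypothetical guard: the roles an actor may hand out. A role is withheld when
// it is, or inherits, a protected item that the actor does not already hold.
function assignableRoles(array $children, array $roles, array $actorRoles, array $protected): array {
    $held = array();
    foreach ($actorRoles as $r) {
        effectiveItems($children, $r, $held);
    }
    $out = array();
    foreach ($roles as $role) {
        $gains = array_intersect_key(effectiveItems($children, $role), array_flip($protected));
        if (!array_diff_key($gains, $held)) {
            $out[] = $role;
        }
    }
    return $out;
}

// Actor holding only the assignments manager role, then one holding the RBAC manager role.
print_r(assignableRoles($children, $roles, array('assignmentsManager'), array('rbacManager')));
print_r(assignableRoles($children, $roles, array('rbacManager'), array('rbacManager')));
```

The same check belongs in the action that performs the assignment, not only in the code that builds the list of roles offered in the interface.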

#6278
Taufik at 2011/12/23 10:30pm
a little

I import the SQL schema (\yii\framework\web\auth\schema-mysql.sql). Then this is the config:

