rbam

Role Based Access Control Management

Role Based Access Manager (RBAM) is a Yii module that provides complete management of Authorisation Data (Authorisation Items, Authorisation Hierarchy, and Authorisation Assignments) for Yii’s Role Based Access Control system via a browser interface; it is intended for use in development and end-user administration environments.

RBAM has an intuitive “Web 2.0” interface to easily manage Authorisation Items (Roles, Tasks, and Operations), their hierarchy, and Authorisation Assignments. It presents all of an Authorisation Item’s information in one place providing a comprehensive overview and complete management of the item.

RBAM’s “Drill-down” and “Drill-up” features quickly show an item’s position in the Authorisation Hierarchy, what permissions it inherits (Drill down) and which Roles inherit its permissions (Drill up).

RBAM is built on top of Yii’s CAuthManager component and supports both of Yii’s built-in Authorisation Managers, CDbAuthManager and CPhpAuthManager, and authorisation managers extended from them.

I18N

RBAM supports I18N; it comes with German and Spanish translations (these are mine courtesy of Google - so poor at best).

Since V1.5 a Russian translation is included (thanks to Jangos).

If you have a translation for RBAM and would like it included, please post it to the RBAM thread in the forum; I'll add it to future releases.

Requirements

  • JavaScript enabled browser
  • CDbAuthManager, CPhpAuthManager, or an authorisation manager component extended from them
  • A User model with an attribute that is the model’s primary-key and an attribute or attributes that provide the names of users; since V1.5, name attributes can also be in a related model.

Compatibility

Status            Yii     Chrome   Firefox   MSIE   Opera   Safari   OS
Tested with       1.1.5   8.0      3.68      8.0    10.63   5.0      Windows 7
Should work with  1.x.x   All      2.0+      6.0+   9.0+    3.0+     All

Installation

  • Extract the download archive into the required folder. RBAM can be installed as a "top-level" module (in /protected/modules) or as a nested module (in the modules directory of a parent module).

  • Edit your configuration file (if a "top-level" module)

'modules'=>array(
  'rbam'=>array(
    // RBAM Configuration
  ),
),

(if a nested module)

'parentModule'=>array(
  // Parent Module Configuration
  'modules'=>array(
    'rbam'=>array(
      // RBAM Configuration
    ),
  ),
),

Usage

Access RBAM in your browser at http://your.domain/index.php?r=[parent module/]*rbam (for a nested module, prefix the route with the parent module's route).

Download the Demo

You can download the demo (it's just the Yii "testdrive" app with RBAM and a user model). This comes with some Authorisation Data in place. The demo uses CPhpAuthManager; you can change the config to use CDbAuthManager (the config has the Yii demo SQLite db component) and import the PHP Authorisation data.

Before running the demo you will need to edit index.php to point to your Yii installation.

Resources

Try the demo

Read the manual (PDF)

Change Log

1.6.1

  • Fixed an issue with RbamModule::getMenuItem()
  • Fixed incorrect passing of parameters to Yii::t in RbamInitialiser::initialise()
  • Fixed undefined index issues in RbamInitialiser::defaultAuthData()

1.6

  • Corrected scope of RbamController::ActiveChars() method to public
  • Upgraded AlphaPager extension to 1.3.2
  • Added RbamModule::getMenuItem() and RbamModule::getMenuItems() methods to provide CMenu integration
  • Updated manual to add RbamModule::getMenuItem() and RbamModule::getMenuItems() methods. Property and method documentation now in Yii style.

1.5

  • RBAM now supports user names from models related to the model specified by userClass; e.g. array(',', profile.given_name, profile.family_name) will use the given_name and family_name attributes of the profile relationship in the userClass.
  • Russian translation (thanks to Jangos)
  • Fixed all reported bugs

1.4

  • Fixed issue with installing into DB without auth tables
  • Improved sorting of users

1.3

  • Improved I18N in JUI dialogs
  • Improved validation error support in JUI dialogs

1.2

  • Fixed issue with multiple assignments to a user (only seen on some servers)
  • Added validation to biz rule to ensure it is a valid PHP "return" statement
  • Changed initialisation to always add RBAM and default roles if not present. This allows RBAM to be easily added to existing RBAC authorisation data
  • Added count of users with permission for an item to Auth Item Overview and Auth Item relationship tabs

1.1

  • Fixed code to work with applications in sub-folders

1.0

  • Initial release

Total 20 comments

#8297
boaz at 2012/05/23 11:33am
Beware of the default bizrule for Guest role

Hi,

There's this issue I'm still looking into that is described here. In the meantime, please be advised that the bizrule attached to the Guest role will lead to incorrect behavior (=bug) if Authenticated is to inherit from Guest, which is natural to assume. Solution? Remove the bizrule from the Guest role so anyone, from the RBAC perspective, could be assumed to be of this role, including authenticated users. No, this is only a permissions-granting perspective. If you think about it, it bears no implication regarding application flow in general.

#7587
luckymancvp at 2012/04/01 11:12am
Bug for rbam 1.6.1

If the User table's id column type is not int (for example varchar), fix these lines:

\rbam\views\authAssignments\assign.php:

jQuery("#AuthAssignment_userId").val('.$user->{$module->userIdAttribute}.');

=>

jQuery("#AuthAssignment_userId").val("'.$user->{$module->userIdAttribute}.'");

\rbam\components\behaviors\RbamDbAuthManagerBehavior.php

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid=$uid)";

=>

$condition = 'type='.CAuthItem::TYPE_ROLE." AND name NOT IN(SELECT itemName FROM {$owner->assignmentTable} WHERE userid='$uid')";

#7161
hoplayann at 2012/02/29 04:07am
Demo link broken

I think your demo page is broken.

#6812
gsd at 2012/02/06 09:00pm
DataValidator

in DataValidator

if (!empty($model->bizrule) && strpos($model->bizrule,'$data')!==false && empty($this->data))
// may be
$model->data

#6704
marcovtwout at 2012/01/30 12:15pm
Put RBAM in protected/extensions/ instead of protected/modules

If you want to put this module (or any other module) in another folder, configure like this:

Put rbam folder in protected/extensions/:

(..)
// Modules
'modules' => array(
    'rbam'=>array(
        'class' => 'ext.rbam.RbamModule',
        (..)

#6667
Felix at 2012/01/27 07:05am
Bug in RbamDbAuthManagerBehavior.php

There's a bug that enables a person with the role 'authAssignmentsManagerRole' to assign somebody (even himself) the 'rbacManagerRole' role, and then escalate privileges. To avoid this, you have to modify the method 'getEUnassignedRoles' and put the following:

foreach ($owner->defaultRoles as $defaultRole)
    unset($unassignedRoles[$defaultRole]);

// start of modification
if(!Yii::app()->user->checkAccess($this->module->rbacManagerRole))
{
    unset($unassignedRoles[$this->module->rbacManagerRole]);
    unset($unassignedRoles[$this->module->authItemsManagerRole]);
    unset($unassignedRoles[$this->module->authAssignmentsManagerRole]);
}
// end of modification

$assignedRoles = array();

#6278
taufik at 2011/12/23 10:30pm
a little

I imported the SQL schema (\yii\framework\web\auth\schema-mysql.sql). Then this is the config:

'rbam'=>array(
    'development'=>TRUE,
    'initialise'=>array(
        'class'=>'CDbAuthManager',
        'connectionID'=>'db',
    ),
    'rbacManagerRole'=>'admin',
    'userClass'=>'User',
    'userIdAttribute'=>'id',
    'userNameAttribute'=>'username',
),

#6276
sidtj at 2011/12/23 01:08pm
Not Working

First, I could not go beyond the 'not initialized' screen. Second, I could, using this config:

'rbam'=>array(
    'authAssignmentsManagerRole'=>'admin',
    'authenticatedRole'=>'Authenticated',
    'authItemsManagerRole'=>'admin',
    'development'=>true,
    'initialise'=>true,
    'rbacManagerRole'=>'admin',
    'userClass'=>'Usuario',
    'userIdAttribute'=>'id_usuario',
    'userNameAttribute'=>'usuario',
)

After logout and login again, I am receiving a 403 error page. I can't access rbam any other way.

I tried to change the initialise to false, I tried to create a user RBAC Manager and to log in using it, but the 403 persists.

Now I am leaving this extension. Thanks anyway.

#6162
r0naLd222 at 2011/12/16 03:21am
@.@ can't see the demo

As the title says, the demo has an error. Can you fix it so I could check if this extension could help me :D thx

#5864
marcovtwout at 2011/11/21 06:16am
Re: initialize - Please provide a complete example file, or better yet, just read the current rbac tables!!

You don't have to initialize it when you set the proper roles (the initialize message is only shown when you don't have access to the RBAM interface). For instance, my application uses:

'rbam'=>array(
    'rbacManagerRole'=>'SuperAdmin',
    'authAssignmentsManagerRole'=>'SuperAdmin',
    'authItemsManagerRole'=>'SuperAdmin',
),

The message you saw implies that it needs to be initialized, and is misleading. Maybe the author can change it?

An option to disable (role based) authentication to the RBAM module would be handy though. For example, I only enable the module in my development environment where I wouldn't require access checks to RBAM.

#5853
blevy009 at 2011/11/20 06:28pm
initialize - Please provide a complete example file, or better yet, just read the current rbac tables!!

This is the second rbac extension I've tried to get working in my app, yii-rbac, and now your rbam.

RBAM comes up fine, but demands to be initialized. Why wouldn't it just use the data in the tables that is already available?? I've completed the Agile-yii book and have authmanager working, just not an easy way of viewing and managing roles, tasks and operations.

Please help out with a detailed data array that initialise can use, or let it just go into a mode where it can use what's there.

thanks,

#5348
Command at 2011/10/06 06:07am
demo is broken

The demo does not work or is it just for me?

#4420
rnysmile at 2011/07/07 02:30am
bug fix for 1.6.1

rbam\views\authAssignments\assign.php

replace the two occurrences of

$user->id

with

$user->{$module->userIdAttribute}

#4182
marcovtwout at 2011/06/14 07:46am
Missing styling

After integrating this extension in my application, it seems parts of the styling are missing. For example, the form on "rbam/authItems/create?type=2" has no styling applied to it. Any solutions?

#3704
oceatoon at 2011/04/29 07:48am
RBAM Not Initialised

Hi Yeti, I just installed the latest version of RBAM but I'm stuck on "RBAM Not Initialised". What should I do?

#3693
got 2 doodle at 2011/04/28 10:49am
See my post in the RBAM forum thread

I have a working example again! RBAM forum thread

doodle

#3680
got 2 doodle at 2011/04/27 01:28pm
Edit to last comment

This should be

// task 'editOwnPage'
return Yii::app()->user==$params['Webpage']->createdby;

I caught that typo but it still didn't work as expected. doodle

#3678
got 2 doodle at 2011/04/27 01:25pm
Help with business rules

@Yeti thanks so much for your help, I agree with your approach and no, I did not realize that roles were the same as authItems; that should definitely be in the guide!

So now I want only a super admin or the owner of the document to edit the document. I have done stuff like this in the past but I could never figure out the business rules.

According to the guide.

$bizRule='return Yii::app()->user->id==$params["post"]->authID;';
$task=$auth->createTask('updateOwnPost','update a post by author himself',$bizRule);
$task->addChild('updatePost');

My model is called 'Webpage' and the field 'createdby' contains the id of the user who created this page. So this is my business rule.

// task 'editOwnPage'
return Yii::app()->user==$param['Webpage']->createdby;

in my accessRules

// pageEditor is a role, editOwnPage is a task
array('allow',
    'actions'=>array('update'),
    'roles'=>array('pageEditor','editOwnPage'),
),

My user 'demo' has one role 'member', member role has two tasks 'ViewPageContent' and 'editOwnPage' the first task doesn't really do anything but the second contains a business rule. Setup this way the user 'demo' cannot edit any pages.

If I change my accessRules to this

array('allow',
    'actions'=>array('update'),
    'roles'=>array('pageEditor','member'),
),

Then user 'demo' can edit any page.

Thanks in advance for your help, I really find the RBAC part of Yii confusing. doodle

#3659
Yeti at 2011/04/26 04:36pm
Re: OK I have a working example

@doodle As you say, there is usually more than one way to do things in Yii, and what you have will work just fine. Another (IMHO better) way is to declare access control in the controller's accessRules() method; this is the logical place and describes what is going on, and means the actions don't need to worry about authorisation - if they get called the user is authorised and they can just get on with what they need to do.

Taking your example this would become:

public function filters() {
  return array(
    'accessControl',
    // other filters
  );
}
 
public function accessRules() {
  return array(
    array('allow',
      'actions'=>array('EditPageContent'),
      'roles'=>array('EditPageContent'),
    ),
    // other access rules
    array('deny',
      'users'=>array('*'),
    ),
  );
}

Note: the "roles" in accessRules refers to roles, tasks and operations (it's badly named in my opinion - should have been authItems to describe it better, but we have what we have)

The real benefit and beauty of RBAC comes by defining a hierarchy. Consider this:

  • Have the roles "PageManager" and "PageEditor"; users are assigned appropriately
  • Have the tasks "EditPage", "EditOwnPage"
  • Have the operations "Create", "Delete"

(The Create and Delete operations could equally well be tasks. I like having atomic actions as operations, others prefer direct inheritance by roles to be tasks; it's purely personal preference and makes no difference.)

The hierarchy is:

  • PageManager inherits EditPage, Create, and Delete
  • PageEditor inherits EditOwnPage and Create
  • EditOwnPage has a business rule that checks that the page creator is the current user

(Defining the above roles, tasks, operations, hierarchy and assignments is what RBAM and other extensions - Rights and SRBAC - manage)

In the PagesController there are the "create", "update", and "delete" actions.

The access rules can now be:

public function accessRules() {
  return array(
    array('allow',
      'actions'=>array('create'),
      'roles'=>array('Create'), // PageManagers and PageEditors will be allowed
    ),
    array('allow',
      'actions'=>array('update'),
      'roles'=>array('EditPage', 'EditOwnPage'), // PageManagers will be allowed to update all pages, PageEditors only their own
    ),
    array('allow',
      'actions'=>array('delete'),
      'roles'=>array('Delete'), // Only PageManagers will be authorised
    ),
    // other access rules
    array('deny',
      'users'=>array('*'),
    ),
  );
}
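The hierarchy and business rule described in the reply above, as an added example (not RBAM's or Yii's own code): it builds the items through CPhpAuthManager and runs the same checks the 'update' access rule makes. It assumes a bootstrapped Yii 1.1 application whose authManager component is CPhpAuthManager (for instance a console command); the user ids and page objects are constructed sample data, and canUpdate() is a hypothetical helper.

```php
<?php
// Added example (not RBAM's code). Assumes Yii 1.1 is bootstrapped and
// Yii::app()->authManager is a CPhpAuthManager; all ids below are constructed.
$auth = Yii::app()->authManager;
$auth->clearAll(); // start this demo from empty authorisation data (nothing is saved)

// Operations: atomic actions
$auth->createOperation('Create', 'create a page');
$auth->createOperation('Delete', 'delete a page');

// Tasks: EditPage is unconditional; EditOwnPage carries a business rule that
// compares the user being checked with the page's creator. Both values are
// read from $params, which checkAccess() hands to the rule, so the rule does
// not depend on Yii::app()->user and also works outside a web request.
$auth->createTask('EditPage', 'edit any page');
$bizRule = 'return isset($params["page"]) && $params["userId"]==$params["page"]->createdby;';
$auth->createTask('EditOwnPage', 'edit a page the user created', $bizRule);

// Roles and the hierarchy from the reply above
$manager = $auth->createRole('PageManager');
$manager->addChild('EditPage');
$manager->addChild('Create');
$manager->addChild('Delete');

$editor = $auth->createRole('PageEditor');
$editor->addChild('EditOwnPage');
$editor->addChild('Create');

// Assignments (constructed user ids: 1 is a manager, 2 is an editor)
$auth->assign('PageManager', 1);
$auth->assign('PageEditor', 2);

// Constructed pages: one created by user 2, one by someone else
$ownPage   = (object) array('id' => 10, 'createdby' => 2);
$otherPage = (object) array('id' => 11, 'createdby' => 3);

// Hypothetical helper: the check the 'update' rule performs, i.e. allow if
// any of the listed auth items is granted (CAccessRule ORs its 'roles').
function canUpdate($auth, $userId, $page)
{
    $params = array('userId' => $userId, 'page' => $page);
    return $auth->checkAccess('EditPage', $userId, $params)
        || $auth->checkAccess('EditOwnPage', $userId, $params);
}

var_dump(canUpdate($auth, 1, $otherPage)); // manager, someone else's page
var_dump(canUpdate($auth, 2, $ownPage));   // editor, own page
var_dump(canUpdate($auth, 2, $otherPage)); // editor, someone else's page
var_dump($auth->checkAccess('Delete', 2)); // editor attempting the Delete operation
```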

#3657
got 2 doodle at 2011/04/26 01:53pm
OK I have a working example

Like all things Yii there are many ways to do things. I like the idea of creating a task and assigning it to a role.

I managed to protect an entire controller from being accessed by anyone not having a task within their role with the following code.

In this example the task is 'EditPageContent'

public function init()
{
    if(Yii::app()->user->checkAccess('EditPageContent')) {
        // Do whatever the user is authorised to do
        return;
    } else {
        $this->redirect(Yii::app()->user->loginUrl);
    }
}

thanks
