Yii 2.0: yii2-rbac-plus

Database role-based access control manager for Yii2



  • CRUD operations for roles, permissions and rules
  • Allows assigning multiple roles to a user
  • Nice views to integrate right away
  • Integrated with Yii2-user-plus (flexible user management module)


The preferred way to install this extension is through composer.

Either run

php composer.phar require --prefer-dist johnitvn/yii2-rbac-plus "*"

or add

"johnitvn/yii2-rbac-plus": "*"

to the require section of your composer.json file.


  1. Add the authManager component and the rbac module to your main config file
'components' => [
    'authManager' => [
        'class' => 'yii\rbac\DbManager',
    ],
],
'modules' => [
    'rbac' => [
        'class' => 'johnitvn\rbacplus\Module',
    ],
],

Next, update the database schema

$ php yii migrate/up --migrationPath=@yii/rbac/migrations

That's done. The following routes are now available:

  • /rbac/rule
  • /rbac/permission
  • /rbac/role
  • /rbac/assignment
  2. The available module configuration:
'modules' => [
    'rbac' => [
        'class' => 'johnitvn\rbacplus\Module',
        // module options (listed below) go here
    ],
],
  • userModelClassName: The user model class.
    If not set or set to null, RBAC Plus takes it from Yii::$app->getUser()->identityClass.
  • userModelIdField: The user model id field.
    The default id field is 'id'; you must set this option if the primary key of the user table in the database is not 'id'.
  • userModelLoginField: The user model login field.
    The default login field is 'username'. If you use an email field or something else for login, you must change this option.
  • userModelLoginFieldLabel: The user model login field label.
    If set to null, the label is taken from $userModelClass->attributeLabels()[$userModelLoginField].
  • userModelExtraDataColumls: The extra data columns you want to show in the user assignment views.
    By default the assignment data gridview displays only the id and login columns. If you want to add a created_at column, you can add
            return date('m/d/Y', $model->created_at);
  • beforeCreateController: The callable invoked before any controller of the Rbac Plus module is created. The default is null. Configure this when you want to restrict access to the Rbac Plus module.
    @var string $route The route consisting of module, controller and action IDs.
  • beforeAction: The callable invoked before every action of every controller in the Rbac Plus module.
    The default is null. Configure this when you want to restrict access to any action in a controller of the Rbac Plus module.
    @var yii\base\Action $action the action to be executed.
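
With both callables left at null, nothing in the module configuration restricts the /rbac/* routes. The config fragment below is an added example, not code from the extension or its author, showing one way to gate them with the two callables described above. It assumes that throwing from a callback aborts the request and that a true return value lets the module continue; the permission names manageRbac and assignRoles and the helper $requirePermission are hypothetical.

```php
<?php
// Added example: fragment to merge into the application config (e.g. config/web.php).
use yii\web\ForbiddenHttpException;

// Hypothetical helper: reject the request unless the current user holds $permission.
// Assumption: an exception thrown from the module callbacks aborts the request.
$requirePermission = function ($permission) {
    // Guests hold no role assignments, so can() is false for anonymous
    // requests unless a default role grants the permission.
    if (!Yii::$app->user->can($permission)) {
        throw new ForbiddenHttpException('You are not allowed to manage RBAC.');
    }
    return true; // assumption: a true return value lets the module proceed
};

return [
    'components' => [
        'authManager' => [
            'class' => 'yii\rbac\DbManager',
        ],
    ],
    'modules' => [
        'rbac' => [
            'class' => 'johnitvn\rbacplus\Module',
            // Called before any controller of the module is created:
            // every /rbac/* route requires the 'manageRbac' permission.
            'beforeCreateController' => function ($route) use ($requirePermission) {
                return $requirePermission('manageRbac');
            },
            // Called before each action: the /rbac/assignment controller
            // additionally requires the 'assignRoles' permission.
            'beforeAction' => function ($action) use ($requirePermission) {
                if ($action->controller->id === 'assignment') {
                    return $requirePermission('assignRoles');
                }
                return true;
            },
        ],
    ],
];
```

Create both permissions and assign them to an initial administrator from a migration or console command before deploying this check, otherwise no account can reach the module.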

Total 5 comments

#20142
Néstor Acevedo at 2017/11/07 06:46pm

This project has been abandoned by its owner, so I encourage you not to use it anymore.

#19903
PaulD at 2016/07/04 01:37pm

I don't see any method in this for role restricting or allowing access to specific routes.

This is a key part of any rbac usage.

Is this possible, or will I have to extend or write a separate module for this?

#19890
Rajith R at 2016/06/22 08:01am
Provide Examples

Please provide examples of how to use it. Can I get a step-by-step tutorial?

#19799
Frank Segelke at 2016/03/11 05:32am
Bug in ModalRemote.js ?

Hi John, many thanks for this extension. I integrated it in my application and I was wondering about the non-functionality when deleting roles and permissions. It shows a jQuery error in the console of the browser developer tools: "uncaught exception: cant get selector for pjax container!" I fixed it by editing "ModalRemote.js" at line ~214:

function successRemoteResponse(response) {
    // Reload datatable if response contains forceReload field
    if (response.forceReload !== undefined && response.forceReload) {
        if (response.forceReload == 'true') {
            // Backwards compatible reload of fixed crud-datatable-pjax
            $.pjax.reload({container: '#crud-datatable-pjax'});
        } else {
            // $.pjax.reload({container: response.forceReload}); // commented out
            $.pjax.reload({container: '#crud-datatable-pjax'}); // new line
        }
    }
}

The condition for response.forceReload is now obsolete. Perhaps you can fix it in your code.

Greetings Frank

#19775
alexmetola at 2016/02/12 09:54am
examples exist?

Hi John, great job. Are there some examples to try?

Edit: I copied controller && views from rbac-plus/src/ to my controllers and this runs very well.
