In my application I need a user to be assigned multiple roles. Is this possible using RBAC? The reason for this is that an admin can allow some users to do more things than other, but there are many and different combination of options so making a role for each possible combination is not feasible. So what solution so far is, to have a base role of lets say ‘user’, and depending on the options set by admin, assign additional roles to that user when they login. For example the admin can set a profile page to be hidden unless you are logged in and are a ‘superuser’, so if the profile page is hidden, all ‘superusers’ now have an additional ability to ‘viewProfile’ otherwise the page remains hidden.
Yes, definitely, since in RBAC you have a very important option, you are looking for that is role inheritance. I.e. you are building your right and access system from very basic role, which has rights common for every or nearly every user, and you are adding next roles with higher level by inheriting their base rights from lower level roles and extending them.
Blog example: Everyone has minimal or nearly no rights - viewing only, regular reader inherits these rights from everyone and extends with right for posting comments, blog writer extends from reader furthermore by having all descendant right plus article writing right and finally admin inherits from all lower level roles all rights and extends them to have also article delete right.
There are many implementations of RBAC in Yii Extension Repository, having different options, possibilities and limits. Look deeply into there before coding new one, to not reinvent the wheel.
My private opinion: Please also take into consideration that complex RBAC might be on the other hand too big for you as most of them implements three level access rights configuration - i.e. role - operation - task. For example: admin role has post management operation among others and inside has post delete, post category change, publish draft as post and other tasks. For most small and semi complex projects this is to much and coding such complex structure is just a waste of time - two level configuration where admin role has post management task which allow to do anything with the task is far enough in my opinion.
Take a look at Rights extension, which seems to be one of most famous among RBAC-related Yii extensions.
