Hi Leon,
A good place to start learning about RBAC in Yii is the Agile 1.1 book. It has a great step-by-step tutorial for setting up RBAC permissions. IMHO it is well worth the investment to get up to speed quickly on this and other Yii features. With that said, Yii's RBAC implementation uses 3 tables: authItem, authItemChild and authAssignment. Along with these tables, Yii provides an API for making sure that your authorization items are logically consistent. You can use these function calls in a shell script where you set up a hierarchy of roles, tasks and operations in the database, which you can then check in your controller actions using:
Yii::app()->user->checkAccess('authItem'); // 'authItem' is the name of a role, task or operation
From what I get, from reading and testing stuff out, you don't want to pollute RBAC with having to track which users are related to which models. That is a job for a relation table in your db and will be reflected in the relations() method in your controller.
So if you have users and projects, and there are many users and many projects, you would have 3 tables called tbl_user_project, tbl_user and tbl_project. Then you would write some helper functions in your model such as:
public function isUserInProject() and associateUserToProject()
which you can then call from your app.
Once you have your 3 tables set up you can easily assign relationships in code like this:
in ProjectController::actionCreate()
...
$model->associateUserToProject(Yii::app()->user);
I think it may be helpful just to share some of the relevant bits from the shell script from the book, and hopefully you will get the picture of how it all comes together once you have your 3 tables set up.
This stuff is part of a shell script to set up the initial RBAC database for a project.
...
//create lowest level operations for all users
$this->_authManager->createOperation("createUser","create new user");
$this->_authManager->createOperation("readUser","read user profile");
$this->_authManager->createOperation("updateUser","update existing user info");
$this->_authManager->createOperation("deleteUser","remove user from case");
//create lowest level operations for all projects
$this->_authManager->createOperation("createProject","create new project");
$this->_authManager->createOperation("readProject","view project profile");
$this->_authManager->createOperation("updateProject","update existing project info");
$this->_authManager->createOperation("deleteProject","delete project");
...
//create reader role and add the appropriate permissions as children.
$role=$this->_authManager->createRole("reader");
$role->addChild("readUser");
//create member role and add the appropriate permissions and reader as children.
$role=$this->_authManager->createRole("member");
$role->addChild("reader");
//create owner role and add children (child roles are inherited transitively)
$role=$this->_authManager->createRole("owner");
$role->addChild("reader");
$role->addChild("member");
$role->addChild("createUser");
$role->addChild("updateUser");
$role->addChild("deleteUser");
...
As you can tell from the code above, the role info is already being stored for you and so you may not want to duplicate that in your user table.
The key thing to remember is that you use RBAC only for authenticating the roles, operations, and tasks you have set up (e.g. roles and actions) … grouping of users should be left to the relations between the models, which, as previously mentioned, occurs in a helper table in the database.
So as you can see there is a bit of prerequisite planning and set-up before you can just jump into RBAC authentication, but the payoff is there at the end of the rainbow, so to speak. HTH.
One last thing, you may also want to check out some of the Yii extensions, like usergroups and rights which wrap much of this functionality if you are more interested in instantaneous results than deep understanding at this stage in the game.
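The following is an added example, not code from the post above or from the Agile book, showing how the pieces the reply describes fit together in Yii 1.1: a console command that builds a role/operation hierarchy with CDbAuthManager, a Project model with the isUserInProject()/associateUserToProject() helpers backed by tbl_user_project, and a controller action that requires both checks to pass. It assumes an authManager component configured as CDbAuthManager over the three authItem/authItemChild/authAssignment tables, a tbl_user_project table with project_id and user_id columns, and a sample user id of 1; the class and operation names are illustrative. In a real project each class lives in its own file.

```php
<?php
// Added example (not from the post or the book). Assumes config contains:
//   'components' => array('authManager' => array('class' => 'CDbAuthManager', 'connectionID' => 'db'))
// and the authItem/authItemChild/authAssignment tables from framework/web/auth/schema.sql.

// protected/commands/RbacCommand.php  -- run once with: ./yiic rbac
class RbacCommand extends CConsoleCommand
{
    private $_authManager;

    public function run($args)
    {
        $this->_authManager = Yii::app()->authManager;
        $this->_authManager->clearAll(); // start from a clean slate (assumed acceptable for initial setup)

        // Lowest-level operations: these names are what checkAccess() is called with.
        $this->_authManager->createOperation('readProject',   'view project profile');
        $this->_authManager->createOperation('updateProject', 'update existing project info');
        $this->_authManager->createOperation('deleteProject', 'delete project');

        // Roles form a hierarchy; permissions are inherited through child items,
        // so owner > member > reader without repeating operations.
        $reader = $this->_authManager->createRole('reader');
        $reader->addChild('readProject');
        $member = $this->_authManager->createRole('member');
        $member->addChild('reader');
        $member->addChild('updateProject');
        $owner = $this->_authManager->createRole('owner');
        $owner->addChild('member');
        $owner->addChild('deleteProject');

        // Assign a role to a user id (constructed sample id). This is the only
        // place RBAC learns about users; project membership is NOT stored here.
        $this->_authManager->assign('owner', 1);
        $this->_authManager->save(); // no-op for CDbAuthManager, needed for CPhpAuthManager
    }
}

// protected/models/Project.php
class Project extends CActiveRecord
{
    public static function model($className = __CLASS__) { return parent::model($className); }
    public function tableName() { return 'tbl_project'; }

    public function relations()
    {
        // MANY_MANY through the helper table the reply describes.
        return array(
            'users' => array(self::MANY_MANY, 'User', 'tbl_user_project(project_id, user_id)'),
        );
    }

    // $user is any object with an id property, e.g. Yii::app()->user (CWebUser).
    public function isUserInProject($user)
    {
        $count = Yii::app()->db->createCommand()
            ->select('COUNT(*)')
            ->from('tbl_user_project')
            ->where('project_id = :pid AND user_id = :uid',
                    array(':pid' => $this->id, ':uid' => $user->id))
            ->queryScalar();
        return $count > 0;
    }

    public function associateUserToProject($user)
    {
        if ($this->isUserInProject($user))
            return; // idempotent: do not create duplicate membership rows
        Yii::app()->db->createCommand()->insert('tbl_user_project', array(
            'project_id' => $this->id,
            'user_id'    => $user->id,
        ));
    }
}

// protected/controllers/ProjectController.php
class ProjectController extends CController
{
    public function actionUpdate($id)
    {
        $model = Project::model()->findByPk($id);
        if ($model === null)
            throw new CHttpException(404, 'Project not found.');

        // Two independent questions: RBAC answers "may this user's role update
        // projects at all"; the relation table answers "is this user a member of
        // THIS project". Checking only the first would let any member edit every project.
        if (!Yii::app()->user->checkAccess('updateProject') || !$model->isUserInProject(Yii::app()->user))
            throw new CHttpException(403, 'You are not allowed to update this project.');

        // ... load POST data into $model, save, redirect
    }
}
```

The ordering of the two checks in actionUpdate() does not matter for correctness, but keeping them side by side makes it obvious in code review that neither the role check nor the membership check has been dropped.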