I’m new to Yii and therefore I would appreciate any comments/remarks on this extension. Especially: Is this “Yii-style”?
Contents (excerpt from the Readme):
- Preliminaries: What does this extension do?
- How does ACL work?
- Features of this extension
- Limitations of this extension
- How does ACL differ from RBAC?
What does this extension do?
---------------------
This extension provides a full-fledged implementation of ACL-based access
control. Its ideas lean heavily on the way cakePHP implements ACL, but are extended
both in convenience and power.
How does ACL work?
---------------------
In the following I'll only elucidate the really important concepts inherent in ACL - and I'll
try to be as brief as possible. For a detailed description of how ACL works, delve into specialized
texts.
Every ACL-system consists of at least two types: the ACOs (Access Control Objects) and AROs (Access
Request Objects).
ACOs are all the objects which are accessed (=> passive behavior), in particular on which specific
actions are performed. Their counterparts are the AROs. Those objects take the active part; they try
to perform specific actions on the ACOs.
Each single ARO-node can be linked to several ACOs. All connections between AROs and ACOs also
indicate what actions may be performed by the involved ARO-node on the involved ACO-node. In
addition to that, both ACOs and AROs may be located in a hierarchy. Thereupon they can have parents,
inheriting the permissions of the parent node.
If an action is to be performed, a connection between the ACO and ARO is sought, which has to grant
the specified action. If no such connection is found, or if the connection does not grant the desired
action, the access is denied.
Features:
----------------------
- multiple groups for each node (both ACO and ARO)
- Unlimited depth in hierarchy
- non-recursive permission lookup
(complexity: ~ a * n * log(n) where a >= 4 and n is the number of nodes)
- convenient, integrated interface
- transactions as well as exceptions upon crucial errors
- integrated caching for an improved performance
Limitations:
----------------------
- this extension supports solely positive rights-management
=> the access check only checks if you are explicitly allowed to do something, it doesn't check
if you are explicitly _denied_ access
- Due to its strategy (see "Internals") this extension can perform lookups very fast. On the other
hand, changes of the permissions (granting, denying, grouping) are very expensive operations.
If you are changing permissions very often compared to lookups, this is not what you want.
How does ACL differ from RBAC?
-------------------------------
As the name already states, Role-based Access Control grants or denies permissions through roles.
Access Control Lists use a more general approach using generalized objects and their relations. In
general, ACL is more suited if the access control has to be fine-grained at the
object-/document-level. That is, if specific permissions to specific ACOs attached to AROs take
precedence over specific permissions to types of ACOs attached to specific users.
The gist is that the built-in Yii RBAC-system only allows so-called business-rules to check if a given
object "belongs" to the given user (or one of his groups).
This has several drawbacks:
1) In order to check the business-rules Yii has to load every single rule out of the database and
execute it (it's plain PHP-code)
2) Those rules are fixed (PHP-expressions). Therefore one is not able to alter the permissions
dynamically without rewriting all the rules.
3) Those rules tend to be broader and thus there is no really convenient "fine-grained" control
possible. Of course it's possible to achieve the same things possible with ACL using RBAC. Even
with a Smart you can reach 100 km/h.
Regards,
zeroByte
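The lookup described in the post (ARO and ACO hierarchies with multiple parents, grants inherited from parent nodes, and positive-only rights, so a missing grant means denial), as an added Python sketch that is not part of the original post or of the extension's PHP code; the `Node`/`Acl` classes and the sample node names are assumptions made for the illustration:

```python
from collections import deque


class Node:
    """An ACO (accessed object) or ARO (requesting object); several parents = several groups."""

    def __init__(self, name, parents=()):
        self.name = name
        self.parents = list(parents)

    def lineage(self):
        """This node plus every ancestor, following all parent links (breadth-first, no cycles)."""
        seen, queue = [], deque([self])
        while queue:
            node = queue.popleft()
            if node not in seen:
                seen.append(node)
                queue.extend(node.parents)
        return seen


class Acl:
    """Positive-only ACL: permissions are grants of (ARO, ACO, action); there is no explicit deny."""

    def __init__(self):
        self.grants = set()

    def allow(self, aro, aco, action):
        self.grants.add((aro, aco, action))

    def check(self, aro, aco, action):
        # Any grant between an ancestor-or-self of the ARO and an ancestor-or-self of the ACO suffices.
        for a in aro.lineage():
            for o in aco.lineage():
                if (a, o, action) in self.grants:
                    return True
        return False  # no matching grant found: access denied (the only way to "deny")


def build_sample():
    """Constructed sample: ARO groups staff/editors/auditors, ACO group documents."""
    staff, auditors, documents = Node("staff"), Node("auditors"), Node("documents")
    editors = Node("editors", [staff])
    nodes = {
        "alice": Node("alice", [editors, auditors]),   # member of two groups
        "bob": Node("bob", [staff]),
        "guest": Node("guest"),                        # no groups, no grants
        "report": Node("report", [documents]),
        "invoice": Node("invoice", [documents]),
    }
    acl = Acl()
    acl.allow(staff, documents, "read")        # inherited by every staff member, every document
    acl.allow(editors, documents, "update")
    acl.allow(nodes["auditors"] if False else auditors, nodes["invoice"], "audit")
    return acl, nodes
```

Because rights are positive-only, revoking alice's inherited "update" on the invoice requires removing a grant or regrouping the nodes, which is the expensive operation the post mentions.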