Authorization: Role based access control made easy

Hello there,

Looking for a simple yet extensive database driven access control?

If so, this module might just be for you.

I’ve written an authorization management module that utilizes Yii’s built-in database authorization management system (CDbAuthManager) to provide a web interface for hierarchical role-based access control.

I noticed that there were already some similar extensions available, but I felt that I’d be better off by writing my own.

The largest difference between other modules alike (from what I’ve seen) is that my module doesn’t do a single query. Instead it uses the built-in functions of CDbAuthManager and CAuthItem. I think it’s a bit overkill to alter the database structure as the operations are often runtime cached.

I’ve implemented automatic controller access control by providing its own filter.

Here’s a rough list of the current features:

  • Roles organized in a hierarchy

  • Manage roles

  • Create/Update/Delete roles

  • Promote/Demote roles

  • Assign/Revoke roles to/from users

  • Manage permissions

  • Inherited permission

  • Create/Update/Delete operations and tasks

  • Assign/Revoke operations and tasks to/from roles

  • Manage Operations

  • Manage Tasks

  • Support for Business rules (and Data)

  • Automatic controller access control

  • Cross-browser and cross-database compatibility

The project can be found on Google Code and in the Yii extension library:

http://yii-auth.googlecode.com

http://www.yiiframework.com/extension/authorization/

It shouldn’t take more than a few minutes to set up the module so give it a try if you need a solid interface for your application’s access control.

And here are some fresh screenshots of the current interface:

No downloads are available at this time but it’s possible to do a checkout from Google Code:

http://code.google.com/p/yii-auth/source/checkout

Downloads will be available when version 1.0 is released.

I’ve done basic testing but I haven’t had time to do extensive testing yet so use the module at your own risk. If you find bugs or have good ideas on how to improve this module please leave a comment.

It would be nice if people that are interested in authorization management would take a look and tell what they like and dislike or what could be done better.

Thank you for reading.
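The post above describes two things without showing code: building the role hierarchy with nothing but CDbAuthManager's own API (no custom queries), and guarding controller actions with a filter. The example below is added here and is not code from the yii-auth module; it assumes `authManager` is configured as `CDbAuthManager` in config/main.php, that Yii's standard AuthItem/AuthItemChild/AuthAssignment tables exist, and that a `Post` model with an `author_id` column exists. The filter class `AutoAccessFilter`, the item naming scheme `controller.action`, and the user ids are my own choices for illustration.

```php
<?php
// Added example, not the module's code. Builds reader < editor < admin with
// CDbAuthManager's public API only, then maps "controller.action" to an auth
// item in a hypothetical filter so every action is checked automatically.

// One-time setup, e.g. from a console command.
function buildAuthHierarchy()
{
    $auth = Yii::app()->authManager; // CDbAuthManager

    // Leaf operations named after their route so the filter can derive them.
    $auth->createOperation('post.index',  'List posts');
    $auth->createOperation('post.create', 'Create a post');
    $auth->createOperation('post.delete', 'Delete any post');

    // Task with a business rule: deleting is allowed only for the post's author.
    // $params is supplied by checkAccess(). bizRules are eval()'d PHP, so the
    // right to edit them is effectively administrator access to the application.
    $bizRule = '$p = Post::model()->findByPk($params["id"]); '
             . 'return $p !== null && $p->author_id == Yii::app()->user->id;';
    $auth->createTask('post.deleteOwn', 'Delete own post', $bizRule);
    $auth->addItemChild('post.deleteOwn', 'post.delete');

    // Role chain: each role inherits everything below it.
    $auth->createRole('reader');
    $auth->addItemChild('reader', 'post.index');
    $auth->createRole('editor');
    $auth->addItemChild('editor', 'reader');
    $auth->addItemChild('editor', 'post.create');
    $auth->addItemChild('editor', 'post.deleteOwn');
    $auth->createRole('admin');
    $auth->addItemChild('admin', 'editor');
    $auth->addItemChild('admin', 'post.delete'); // unconditional delete

    // Constructed sample user ids.
    $auth->assign('editor', 2);
    $auth->assign('admin', 1);
}

// Hypothetical filter (the name is mine): denies any action whose
// "controller.action" item the current user cannot access.
class AutoAccessFilter extends CFilter
{
    /** @var array action ids that skip the check entirely */
    public $allowedActions = array();

    protected function preFilter($filterChain)
    {
        $actionId = $filterChain->action->getId();
        if (in_array($actionId, $this->allowedActions, true))
            return true; // "always allowed" action

        $itemName = $filterChain->controller->getId() . '.' . $actionId;
        // Pass the request's id through so a bizRule can check ownership.
        $params = array('id' => Yii::app()->request->getParam('id'));
        if (Yii::app()->user->checkAccess($itemName, $params))
            return true;

        // Deny by default: an action with no matching auth item is refused.
        throw new CHttpException(403, 'You are not authorized to perform this action.');
    }
}

// Controller side: a single filters() entry covers every action.
class PostController extends CController
{
    public function filters()
    {
        return array(
            array('application.components.AutoAccessFilter',
                  'allowedActions' => array('view')),
        );
    }

    public function actionDelete($id)
    {
        $post = Post::model()->findByPk($id);
        if ($post === null)
            throw new CHttpException(404, 'Post not found.');
        $post->delete(); // reached only after the filter's checkAccess() passed
        $this->redirect(array('index'));
    }
}
```

Because CDbAuthManager resolves access bottom-up (from the requested item through its parents to an assignment), user 2 reaches `post.delete` only via `post.deleteOwn`, whose bizRule is evaluated with the `id` the filter passed; user 1 reaches it directly through `admin`. An action that has no auth item at all fails closed, which is the property that makes the filter "automatic" rather than opt-in per action.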

Looks good (other than the colors :) ) . I would encourage you to post it. However, I have some suggestions for the documentation.

a) List differences from srbac which is another module that provides a GUI front-end to the native rbac.

b) Do you provide all the features provided by CDbAuthManager and the related classes?

I’m also working on something similar but I’m modifying the core behavior to reduce the number of db queries and to reduce the reliance on ‘bizrules’.

I will post it as an extension when I have time to do a full review of my code and package it.

Regarding the differences with srbac I’d say that the UI doesn’t rely on JavaScript and it’s very minimalistic. To identify further differences I need to try out srbac myself. I’ll report my findings after I’ve tried it.

I’m also considering not to use the AuthChild for defining role to role relations. Instead I would like to place all roles in a separate table (possibly RoleHierarchy) with an order column to make it easier to promote and demote roles.

Concerning the BizRules, I haven’t removed the support but I’m not really a fan of using them. This is because I haven’t modified any of the CDbAuthManager database tables (yet). :)

Could you elaborate on this?

If and when you do change the db structure, do keep performance in mind during the access check phase.

Currently if you want to move a role up or down in the hierarchy (AuthChild) you need to remove and add three children. This is done because we need to reorganize the relations between parent- and child roles. I would like to avoid this and simply swap order numbers between the two affected roles.

As you already mentioned the real challenge here is performance because then we would need to look in an additional table when calling checkAccess().
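The two posts above describe promoting a role in the existing AuthItemChild-based hierarchy (which the thread calls AuthChild) as "remove and add three children". The example below is added here and is not the module's code; it makes that concrete with CDbAuthManager calls only, assuming a linear role chain such as guest < reader < editor < admin already exists and that `authManager` is a `CDbAuthManager` on the default `db` connection. The helper names `findParentRole`, `findChildRole` and `promoteRole` are mine.

```php
<?php
// Added example, not the module's code: move $roleName one level up in a
// linear role chain by swapping it with its parent, using only
// CDbAuthManager's API. Up to three parent/child links are removed and
// re-added, which is the cost the thread discusses.

// Parent role of $roleName, found by scanning all roles (no SQL of our own).
function findParentRole(CDbAuthManager $auth, $roleName)
{
    foreach ($auth->getRoles() as $name => $role)
        if ($name !== $roleName && $auth->hasItemChild($name, $roleName))
            return $name;
    return null;
}

// First child of $roleName that is itself a role; operations and tasks are skipped.
function findChildRole(CDbAuthManager $auth, $roleName)
{
    foreach ($auth->getItemChildren($roleName) as $name => $child)
        if ($child->getType() == CAuthItem::TYPE_ROLE)
            return $name;
    return null;
}

// Returns false when $roleName is already the top of the chain.
function promoteRole(CDbAuthManager $auth, $roleName)
{
    $parent = findParentRole($auth, $roleName);
    if ($parent === null)
        return false;
    $grandParent = findParentRole($auth, $parent);
    $child       = findChildRole($auth, $roleName);

    // All edits in one transaction so a failure leaves the hierarchy intact.
    $tx = Yii::app()->db->beginTransaction();
    try {
        // Remove the (up to) three links around the pair ...
        $auth->removeItemChild($parent, $roleName);
        if ($grandParent !== null) $auth->removeItemChild($grandParent, $parent);
        if ($child !== null)       $auth->removeItemChild($roleName, $child);
        // ... and re-add them with the two roles exchanged:
        // grandParent > roleName > parent > child
        if ($grandParent !== null) $auth->addItemChild($grandParent, $roleName);
        $auth->addItemChild($roleName, $parent);
        if ($child !== null)       $auth->addItemChild($parent, $child);
        $tx->commit();
    } catch (Exception $e) {
        $tx->rollback(); // addItemChild() throws if the edit would form a cycle
        throw $e;
    }
    return true;
}

// Usage (constructed chain): promoteRole(Yii::app()->authManager, 'reader')
// turns guest < reader < editor < admin into guest < editor < reader < admin.
```

With the separate order-column table the author proposes, the same promotion is a swap of two integers, but the trade-off named in the thread is real: checkAccess() walks AuthItemChild parents only, so role-to-role inheritance kept in another table has to be consulted on every access check, and that lookup needs to be cached as aggressively as the built-in one is.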

My authorization-module is now available for review and testing.

Details can be found on my first post under this thread.

There’s an error in your documentation:

The last statement should be:

$assignedRole = Yii::app()->getModule('authorization')->auth->getAssignedRole($model->id);

Otherwise PHP complains about unknown variable $auth.

I’ll report any other problems I find. Thank you.

Actually the code isn’t even needed because it’s directly called when assigning the role.

I’ve removed this line from the readme.txt.

Thank you for reporting this. All feedback, negative or positive, is more than welcome.

I realize it doesn’t make much of a difference but in auth.css:

.authTable th
{
	background:#6885A4 url('../images/bg_tableheader.gif') repeat-x top left !important;
	color:white;
}

the .gif image is not included in the distribution. Just so you know…

Thanks.

I noticed this a while ago and removed the background style because it shouldn’t be there either. Please update and you’ll have an up-to-date style sheet. There have also been other improvements to the module; you can read about them on the project page.

Version 0.8 released

Newest features:

  • Automatic controller access control

  • Always allowed controller actions

  • General code quality improvements

  • Optional support for business rules and data (set in module config)

Tasks to be done before version 1.0 release:

  • Minor improvements

  • Extensive testing

Everything about the module can be found on the project on Google Code:

http://yii-auth.googlecode.com