Difference between #7 and #9 of
Getting to Understand Hierarchical RBAC Scheme

Revision #9 has been created by rAWTAZ on Sep 10, 2013, 11:17:34 PM with the memo:

Updated the hierarchy image with a new and clearer copy (made it myself :D)
« previous (#7) next (#10) »

Changes

Title unchanged

Getting to Understand Hierarchical RBAC Scheme

Category unchanged

Tutorials

Yii version unchanged

Tags unchanged

hierarchy, RBAC, security, understanding

Content changed

[...]
```

First of all I'd like to convert this to a more human-readable form:

<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://i44.tinypic.com/34pdkr7.pngbin.co/uagVlRTW0xR" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://i55.tinypic.com/2yk0wzk.pngbin.co/uagVlRTW0xR" /></a></td></tr> <tr><td class="tr-caption" style="text-align: center;">Sample blog system authorization hierarchy</td></tr> </tbody></table> The <span style="background-color: #9fc5e86ccffe;">turquoise</span> boxes represent roles, the <span style="background-color: #ffd966efc6e;">yellow</span> box is a task, and the most fine-grained level of the authorization hierarchy - operations - are <span style="background-color: #f9cb9cfd06f;">tan</span>. Collectively roles, tasks and operations are called <b>authorization items</b>. You should keep in mind that functionally all auth item types are equal. It's completely up to you to make some auth item a role or a task - still it would do the same thing. Different types of auth items are introduced solely for the purpose of naming convenience. You are not limited to the three authorization levels: there can be multiple levels of roles, tasks and operations. (Getting back to our diagram, you can see this point illustrated by multiple levels of roles.) Also you may skip any of these levels (the role <b>author</b> has immediate child operation <b>create</b>). The only restriction is that in the auth hierarchy roles should stay higher than tasks and tasks should stay higher than operations.

Now let's take a quick look at what was on blog system creator's mind. Everything seems to be quite logical. The weakest role is <b>reader</b>: the only thing he is allowed to do is to <b>read</b>. An <b>author</b> has a bit more power: he also can <b>create</b> posts and <b>update his own</b> posts. <b>Editors</b> can read posts and <b>update</b> (edit) <i>all</i> posts, not own ones (in fact, according to the hierarchy, editors can't create posts and that's why editors haven't got any <i>own posts</i> at all). And of course, the most powerful role is <b>admin</b> which can do anything.

If you are familiar with the principles of object-oriented hierarchy, your former knowledge may lead you to a confusion. In every subsequent level of an object tree, objects obtain (inherit) all (or part) of the features of their parent (base) objects. This results in that bottommost objects are most "loaded" with features, while the root objects have only basic features. The opposite happens with RBAC hierarchy in Yii. The bottommost items in the authorization hierarchy represent basic operations, while the topmost authorization items (usually roles) are the most powerful and compound ones in the whole authorization system.
[...]
47 0
56 followers
Viewed: 125 619 times
Version: 1.1
Category: Tutorials
Tags: hierarchy, rbac, security, understanding
Written by: daemons
Last updated by: rAWTAZ
Created on: Jan 27, 2011
Last updated: 9 years ago
Update Article
Revert to #7 | Revert to #9

Revisions

View all history