RBAC with additional level RBAC with additional level database database

RBAC with additional level


You could keep the "admin" roles and rules as you've already used them. And add a new role for each town 'moscow', 'london', etc.... In your controller, call a checkAccess in your action methods like in the following example.

public function actionEditArticle($town){ if(!Yii::app()->user->checkAccess($town)  Yii::app()->end(); // ... more code}

A more advanced method would be to extend CController in your component directory, and overrides the runAction($action) method.

public function runAction($action){    if (isset($_GET['town']) {        if(!Yii::app()->user->checkAccess($_GET['town']) Yii::app()->end();    }    parent::runAction($action);}


From what I understand of your question, there could be two ways to resolve your problems.

The first is by use of hierarchical roles (role inheritance). Although more complicated to implement and manage, this can provide a level of flexibility that is very interesting.

The second way is (if it may be of interest) is something that I've experimented with when attempting to "extend" RBAC for academic reasons.

What I have done is to allow the definition of two or more "named" levels to each Role. So given a Programmer role, my implementation allows for the addition of levels to a role, such as:

Programmer, level definition:

  1. "Senior" = level 500
  2. "Intermediate" = level 200
  3. "Junior" = level 0

So when someone would assign permissions on an instance of an object such as a specification document, it could be assigned in the following way:

"Some document" -> Programmer (level 300) -> can edit"Some document" -> Programmer (level 0) -> can read"Some document" -> Programmer (level 500) -> can delete

This indicates that all Programmers can read the document but Juniors and Intermediates are not allowed to edit such document for lack of "level" authority. And only the Senior Programmer may delete the document.

This allows for me to have 3 distinct levels of permissions by only creating a single role. In a traditional system, I would have had to create the three distinct roles (4 with inheritance), such as:

In a non-hierarchical implementation:

  1. Senior Programmer
  2. Intermediate Programmer
  3. Junior Programmer

In a hierarchical implementation:

  1. Programmer
  2. Senior Programmer (extends Programmer)
  3. Intermediate Programmer (extends Programmer)
  4. Junior Programmer (extends Programmer)

Obviously, levels need to be properly defined as sub-roles. Defining a level as "Analyst" would not be valid since these are two different roles and not a sub-type.


The best suitable for your requirement is to create a group and group hierarchy. Assign role to a group which will indirectly assign to all of its child groups. By that way you can assign common role to parent group and individual role to individual group. So, in your case London, Tokyo and Moscow are groups.

I implemented this solution via security access control tool Visual Guard, which has implemented and covered most of the application security concerns.

I have used Visual guard to access control for multi tenant and saas applications wherein I have used groups extensively.

Click here to read more.