RBAC versus ACL

Hi all,

I am in the process of building my own MVC framework and recently hit a snag with authorizing users, although I would like to implement RBAC.

What is the difference between RBAC and ACL? RBAC has “roles”, but aren’t these just like user groups in ACL?

What types of “permssions” are to be stored? I was thinking to store permissions to functions in my modules.

Any suggestions appreciated

Cheer :slight_smile:

RBAC differs from access control lists (ACLs) used in traditional discretionary access control systems in that it assigns permissions to specific operations with meaning in the organization, rather than to low level data objects. For example, an access control list could be used to grant or deny write access to a particular system file, but it would not say in what ways that file could be changed. In an RBAC-based system an operation might be to create a ‘credit account’ transaction in a financial application or to populate a ‘blood sugar level test’ record in a medical application. The assignment of permission to perform a particular operation is meaningful, because the operations are fine grained and themselves have meaning within the application.

From my interpretation, the two are not replacements of one another. So I would implement both.

Thank you, logic_earth.

I have seen that article on wikipedia, but I am at lost as to how i can implement an operation such as ‘credit account’ transation in it. Would that just be refering to a method in my modules?

Would appreciate it if anyone can post any sample code :slight_smile:

Cheers :slight_smile:


<?php
class user
{
    private $_roles;
    private $_username;

    public function __construct($username)
    {
        $this->setRoles(array());
        $this->setUsername($username);
    }

    public function getRoles()
    {
        return $this->_roles;
    }

    public function setRoles($roles)
    {
        $this->_roles = $roles;
    }

    public function setUsername($username);
    {
       $this->_username = $username;
    }

    public function getUsername()
    {
        return $this->_username;
    }

}

class acl
{
    // a 2-D array of roles and the permissions assigned to them
    private $_roles_permissions;

    public function __construct($roles_permissions)
    {
        $this->_roles_permissions = $roles_permissions;
    }

    public function allows($user, $action)
    {
        // for each role the user is assigned, check and see if the specified
        // action is part of that role
        foreach ($user->getRoles() as $role)
        {
            if (in_array($this->roles[$role]), $action)
                return TRUE;
        }

        return FALSE;
    }
}

// you'd pull this from a db or config file.
$roles = array(
    'administrator' => array(
        'CreateArticle',
        'EditArticle',
        'ViewArticle',
        'DeleteArticle'
    ),
    'moderator' => array(
        'ViewArticle',
        'EditArticle'
    )
);

// it'd be good to stick this acl object in APC or memcached so you don't have
// to hit the db or open the config file on each request.
$acl = new acl($roles);

// check to see if the user is allowed to perform a certain action
if ($acl->allows($user, 'CreateArticle'))
{
    // do stuff with a new article
}

This is pretty rudimentary and would obviously have to be fleshed out a bit, but the jist of it is to assign a list of roles to your user, then store the full list of all roles and the permissions each role has in a seperate ACL object.

How you persist the roles and permissions is up to you (db, xml, ini, raw php), but the point here is just to illustrate one basic way of checking whether or not a user is allowed to perform a certain action, based on the rules that user has been assigned.