Introduction

This component provides Role-Based Access Control (RBAC) authorization abstraction for the mezzio-authorization library.

Roles, Identities, Permissions

RBAC is based on the idea of roles. In a web application, users have an identity (e.g. a username or an email address). Each identified user then has one or more roles (e.g. admin, editor, guest). Each role holds permissions to perform one or more actions (e.g. access a URL, execute specific web API calls).

In a typical RBAC system:

  • An identity has one or more roles.
  • A role requests access to a permission.
  • A permission is given to a role, never directly to an identity.

Thus, RBAC has the following model:

  • Many-to-many relationship between identities and roles.
  • Many-to-many relationship between roles and permissions.
  • Roles can have a parent role; a parent role inherits the permissions of its child roles.

The first requirement for an RBAC system is identities. In this scenario, identities are produced by the authentication system provided by mezzio-authentication. When a user is authenticated, that library sets a PSR-7 request attribute named Mezzio\Authentication\UserInterface holding the authenticated user. The RBAC system reads this instance to obtain the user's identity and roles; an unauthenticated request carries no such attribute and must be denied.
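The following script, an added example rather than code from mezzio-authorization-rbac, builds the model described above with laminas-permissions-rbac: a role hierarchy where each parent inherits its children's permissions, permissions attached to roles only, and identities that carry one or more roles. The identities are constructed sample data standing in for what UserInterface::getRoles() would return; the isAllowed() helper is hypothetical and not part of either library. The check is deny-by-default: a role that was never registered, or an identity with no roles, is denied instead of letting the library's exception surface as a server error.

```php
<?php
declare(strict_types=1);

// Added example; assumes laminas/laminas-permissions-rbac is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Laminas\Permissions\Rbac\Exception\InvalidArgumentException;
use Laminas\Permissions\Rbac\Rbac;

$rbac = new Rbac();

// Role hierarchy. The second argument of addRole() names the parent roles.
// In laminas-permissions-rbac a parent inherits every permission granted to
// its children, so the hierarchy is admin > editor > guest.
$rbac->addRole('admin');
$rbac->addRole('editor', ['admin']);
$rbac->addRole('guest', ['editor']);

// Permissions are given to roles, never to identities. With
// mezzio-authorization-rbac the permission name is normally the route name.
$rbac->getRole('guest')->addPermission('home');
$rbac->getRole('guest')->addPermission('article.read');
$rbac->getRole('editor')->addPermission('article.edit');
$rbac->getRole('admin')->addPermission('user.delete');

/**
 * Hypothetical helper: deny-by-default check for an identity that holds
 * several roles. Access is granted if any of the identity's roles, or a
 * role below it in the hierarchy, holds the permission. A role that is not
 * registered in the Rbac container makes isGranted() throw; that is
 * treated as "denied" here rather than propagated.
 *
 * @param string[] $roles roles of the authenticated identity
 */
function isAllowed(Rbac $rbac, array $roles, string $permission): bool
{
    foreach ($roles as $role) {
        try {
            if ($rbac->isGranted($role, $permission)) {
                return true;
            }
        } catch (InvalidArgumentException $e) {
            // Unknown role: fall through and keep looking, default deny.
        }
    }
    return false;
}

// Constructed sample identities (name => roles), not real users.
$identities = [
    'alice' => ['admin'],
    'bob'   => ['editor'],
    'carol' => ['guest'],
    'dave'  => ['superuser'], // role never configured: must be denied
    'anon'  => [],            // no roles at all: must be denied
];

foreach ($identities as $name => $roles) {
    foreach (['home', 'article.edit', 'user.delete'] as $permission) {
        printf(
            "%-5s %-12s %s\n",
            $name,
            $permission,
            isAllowed($rbac, $roles, $permission) ? 'granted' : 'denied'
        );
    }
}
```

Running it shows alice granted everything through inheritance, bob granted home and article.edit but not user.delete, carol granted only home, and dave and anon denied across the board. The last two cases are the ones worth keeping in a test suite: a typo in a role name in configuration, or a user record with an empty role list, should fail closed.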

laminas-permissions-rbac

This library uses the laminas/laminas-permissions-rbac library to implement the RBAC system. If you want to know more about the usage of this library, read the blog post Manage permissions with laminas-permissions-rbac.
