RBAC

Role-based access control.


Summary

Create permission codes for fine-grained resource access control. Group permission codes into roles to coordinate their usage at a higher level. Assign roles to users, and the AppSpice environment will include each user's computed permission codes for your access control logic.

Learn more about RBAC here.

RBAC (The access control aspect)

The AppSpice environment array includes the user's current permission codes (granted by their assigned roles). These methods provide a mechanism to enforce permission-based logic.

Method: rbacUserHasPermission(mixed $permissionCodes, $requireAll = false)

The $permissionCodes value can be a string or an array of permission codes to check against the current user's values.

By default, the method returns true if the user has any of the permission codes provided. If $requireAll is true, the user must have all of the permission codes provided.

The method always returns true if the current user created the current account, unless roles have been assigned to that user.

Use the error method errorEmailDeveloper to gracefully die upon unintentional RBAC logic errors:

$appSpice->rbacUserHasPermission(...) ?:
    $appSpice->errorEmailDeveloper();

Method: rbacUsersList(array $permissionCodes)

Returns a list of network users that have any of the $permissionCodes provided.

The returned list always includes the current account creator unless roles have been assigned to that user.
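The following stand-alone PHP example is added here and is not AppSpice code. It models the semantics documented above: a user's permission codes are the union of the codes carried by the user's roles, a check passes on any or all of the requested codes, and the account-creator rule applies only while that user has no roles. The role and permission data are constructed for illustration, and failClosed() is a hypothetical stand-in for errorEmailDeveloper.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not from AppSpice): roles are containers of permission codes.
const ROLE_PERMISSIONS = [
    'HR_MANAGER' => ['EMPLOYEE_READ', 'EMPLOYEE_UPDATE', 'PAYROLL_READ'],
    'AUDITOR'    => ['EMPLOYEE_READ', 'PAYROLL_READ', 'AUDIT_LOG_READ'],
];

/**
 * Compute a user's permission codes as the union of the codes granted by
 * each assigned role. Unknown role codes grant nothing.
 *
 * @param string[] $roleCodes
 * @return string[] sorted, de-duplicated permission codes
 */
function computePermissionCodes(array $roleCodes): array
{
    $codes = [];
    foreach ($roleCodes as $role) {
        foreach (ROLE_PERMISSIONS[$role] ?? [] as $code) {
            $codes[$code] = true;
        }
    }
    $codes = array_keys($codes);
    sort($codes);
    return $codes;
}

/**
 * Mirror of the documented rbacUserHasPermission() semantics:
 *  - $permissionCodes may be a single string or an array of strings;
 *  - by default the check passes if the user holds ANY listed code;
 *  - with $requireAll = true the user must hold ALL of them;
 *  - the account creator passes unconditionally, but only while no roles
 *    have been assigned to that user.
 *
 * @param string[]        $userCodes       codes the user currently holds
 * @param string|string[] $permissionCodes codes required by the caller
 */
function userHasPermission(
    array $userCodes,
    bool $isAccountCreator,
    bool $hasRoles,
    $permissionCodes,
    bool $requireAll = false
): bool {
    if ($isAccountCreator && !$hasRoles) {
        return true;
    }
    $wanted = array_map('strval', (array) $permissionCodes);
    if ($wanted === []) {
        return false; // an empty requirement never grants access (fail closed)
    }
    $held = array_fill_keys($userCodes, true);
    $matches = 0;
    foreach ($wanted as $code) {
        if (isset($held[$code])) {
            $matches++;
        }
    }
    return $requireAll ? $matches === count($wanted) : $matches > 0;
}

/** Hypothetical stand-in for errorEmailDeveloper(): stop instead of continuing unauthorised. */
function failClosed(string $context): void
{
    error_log("RBAC denied: {$context}");
    http_response_code(403);
    exit(1);
}

// Worked run on a constructed HR user with a single role.
$codes = computePermissionCodes(['HR_MANAGER']);
assert($codes === ['EMPLOYEE_READ', 'EMPLOYEE_UPDATE', 'PAYROLL_READ']);

assert(userHasPermission($codes, false, true, 'PAYROLL_READ') === true);                         // any-of, single string
assert(userHasPermission($codes, false, true, ['PAYROLL_READ', 'AUDIT_LOG_READ']) === true);       // any-of, one code held
assert(userHasPermission($codes, false, true, ['PAYROLL_READ', 'AUDIT_LOG_READ'], true) === false); // all-of, one code missing
assert(userHasPermission([], true, false, 'ANYTHING') === true);                                   // creator with no roles
assert(userHasPermission([], true, true, 'ANYTHING') === false);                                   // creator once roles are assigned

// Same fail-closed idiom the documentation uses with errorEmailDeveloper():
userHasPermission($codes, false, true, 'EMPLOYEE_UPDATE') ?: failClosed('EMPLOYEE_UPDATE');
echo "EMPLOYEE_UPDATE granted", PHP_EOL;
```

The gate at the end relies on `?:` evaluating its right-hand side only when the check is falsy, so a denied request never reaches the code that follows; that is the same shape as the documented `rbacUserHasPermission(...) ?: $appSpice->errorEmailDeveloper();` pattern.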

Permissions

Permissions are managed while the API is initialized in app mode. Your access control logic should always check for permission codes; checking for roles is an anti-pattern.

Methods:

  • permissionsCreate($post, $network = false)
  • permissionsRead($id)
  • permissionsUpdate($id, $post)
  • permissionsDelete($id)
  • permissionsList($network = false)

Roles

Roles are managed while the API is initialized in app mode. Users are assigned roles under user management.

Roles are merely containers of permissions. They're a simple way to manage a one-to-many relationship between a single user and multiple permissions. Roles correspond to real-world job functions such as "Human Resource Manager". A user can have multiple roles and, therefore, many permissions.

Method: rolesCreate(array $post, $network = false)

Creates a new role.

$post values are:

  • code* - String (max length 25).
  • title* - String (max length 100).
  • permissions - Array of permission IDs for initial assignment to the new role.

By default, the new role is for app mode users. Set the $network argument true to create the new role for network mode users.

Other methods:

  • rolesRead($id)
  • rolesUpdate($id, $post)
  • rolesDelete($id)
  • rolesList($network = false)
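The following PHP example is added here and is not AppSpice code. It shows how a caller can validate the $post array against the documented rolesCreate() fields before forwarding it: the required code and title strings with their maximum lengths, and the optional permissions array of permission IDs. Treating permission IDs as positive integers and rejecting keys the documentation does not list are assumptions of this example, chosen so that unexpected fields are never passed through to the API.

```php
<?php
declare(strict_types=1);

/**
 * Validate a rolesCreate() $post array against the documented fields:
 *   code*       string, max length 25
 *   title*      string, max length 100
 *   permissions optional array of permission IDs
 *
 * Returns a list of human-readable problems; an empty list means the input is acceptable.
 * Treating permission IDs as positive integers and rejecting unlisted keys are
 * assumptions of this example, not documented AppSpice behaviour.
 *
 * @return string[]
 */
function validateRolePost(array $post): array
{
    $errors = [];

    // Allowlist the keys so that extra fields are not silently forwarded.
    $allowed = ['code', 'title', 'permissions'];
    foreach (array_diff(array_keys($post), $allowed) as $unexpected) {
        $errors[] = "unexpected field: {$unexpected}";
    }

    // Required strings with maximum lengths (measured in characters, not bytes).
    foreach (['code' => 25, 'title' => 100] as $field => $maxLen) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $errors[] = "{$field} is required and must be a non-empty string";
        } elseif (mb_strlen($post[$field]) > $maxLen) {
            $errors[] = "{$field} exceeds maximum length of {$maxLen}";
        }
    }

    // Optional initial permission assignment.
    if (array_key_exists('permissions', $post)) {
        if (!is_array($post['permissions'])) {
            $errors[] = 'permissions must be an array of permission IDs';
        } else {
            foreach ($post['permissions'] as $i => $id) {
                if (!is_int($id) || $id <= 0) {
                    $errors[] = "permissions[{$i}] is not a positive integer ID";
                }
            }
            if (count($post['permissions']) !== count(array_unique($post['permissions']))) {
                $errors[] = 'permissions contains duplicate IDs';
            }
        }
    }

    return $errors;
}

// Constructed inputs (not from AppSpice).
$good = ['code' => 'HR_MANAGER', 'title' => 'Human Resource Manager', 'permissions' => [3, 7, 12]];
$bad  = [
    'code'        => str_repeat('X', 26),   // one character over the limit
    'title'       => '',                    // required but empty
    'permissions' => [3, 'seven', 3],       // non-integer and duplicate IDs
    'is_admin'    => true,                  // not a documented field
];

assert(validateRolePost($good) === []);
assert(count(validateRolePost($bad)) === 5);

// Only forward validated input to the API, e.g. $appSpice->rolesCreate($good);
foreach (validateRolePost($bad) as $problem) {
    echo $problem, PHP_EOL;
}
```

Validating before the call keeps the role catalogue clean (no over-long codes, no malformed permission references) and gives the caller a single place to reject fields the API does not document, instead of relying on the server to ignore them.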