We are currently developing a project management software. And we are having trouble deciding on the correct approach to implement security. We have looked at both ACL and RBAC
Well, I use Yii framework with its nice RBAC layer. I'm not too familiar with ACLs, nor did I need to be, lately.
In Yii RBAC terms, your key to the solution is using 'business rules'. Bizrules are small snippets of code that are attached to a 'permission' or a 'role' (an 'auth item' in Yii's terms). This code is run dynamically when the need arises to determine access to a certain 'permission' (let's say, but it could also be attached to a 'role'), and it receives the 'item in question' (task in your example) and determines actual access to the specific task or not. Here's a more detailed example:
That's it in a nutshell. If you're interested in more, see this section of the official guide. There are also a bunch of other resources, should you need.
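The mechanism described in this answer, as an added example that is not part of the original post and is not Yii's own code: a framework-free PHP 8 model in which a rule attached to an auth item receives the task in question and decides access. The class names (`AuthItem`, `AuthManager`), item names (`updateTask`, `updateOwnTask`, `member`, `manager`), user ids and task fields are all assumptions made for illustration.

```php
<?php
// Simplified model of RBAC with business rules (PHP 8+), not Yii's code; names and data are constructed.
final class AuthItem
{
    public function __construct(
        public string $name,
        public array $children = [],   // auth items this item grants
        public ?Closure $rule = null   // fn(int $userId, array $params): bool
    ) {}
}

final class AuthManager
{
    private array $assignments = [];   // user id => AuthItem[]

    public function assign(int $userId, AuthItem $item): void
    {
        $this->assignments[$userId][] = $item;
    }

    public function checkAccess(int $userId, string $permission, array $params = []): bool
    {
        foreach ($this->assignments[$userId] ?? [] as $item) {
            if ($this->grants($item, $permission, $userId, $params)) return true;
        }
        return false;   // default deny
    }

    private function grants(AuthItem $item, string $permission, int $userId, array $params): bool
    {
        // A failing rule closes every path through this item.
        if ($item->rule !== null && !($item->rule)($userId, $params)) return false;
        if ($item->name === $permission) return true;
        foreach ($item->children as $child) {
            if ($this->grants($child, $permission, $userId, $params)) return true;
        }
        return false;
    }
}

$updateTask = new AuthItem('updateTask');
// The rule receives the task in question; a missing task fails closed.
$updateOwn = new AuthItem('updateOwnTask', [$updateTask],
    fn(int $uid, array $p): bool => isset($p['task']) && $p['task']['assignee_id'] === $uid);
$auth = new AuthManager();
foreach ([7, 8] as $uid) $auth->assign($uid, new AuthItem('member', [$updateOwn]));  // own tasks only
$auth->assign(1, new AuthItem('manager', [$updateTask]));                            // any task
$task = ['id' => 42, 'assignee_id' => 7];                                            // constructed sample task
foreach ([7, 8, 1] as $uid) {   // the assignee, another member, the manager
    var_dump($auth->checkAccess($uid, 'updateTask', ['task' => $task]));
}
```

In Yii 1.1 the bizrule is stored as a string of PHP code and evaluated at check time, so the auth item storage needs the same write protection as the application code itself.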