In this article, we will look into Role-based Access Control (RBAC) and see how we can use it fine-tune the access of REST API. This articles builds on the previous series of articles, in which the latest one is available here.

Role-based Access Control is a mechanism which allows a “role” to be assigned to a “user” and then control the access of “authenticaiton-items” to these roles

In REST API, different operations can be performed on a resource. These operations are identified by HTTP Request method. These are normally GET, POST, PUT and DELETE. A resource is identified by database model. So an authentication-item is a combination of these two. Thus for a “series” resource, there are four authentication-items, “get-series”, “post-series”, “put-series”, “delete-series”.

The “user” in our case will be identified by the “apikey” query parameter.

Yii comes with its own RBAC system which is available via CAuthManager class. We will use its sub-class that stores the RBAC information in a DB tables.

Its good to review the Yii approach to RBAC, in this article

Steps

Add a migration to create RBAC tables. Code available here
Run migrations ( ./app/protected/yiic migrate up)
Add API Authentication Manager component in config/main.php. Code available here
Add a function in Controller.php to use the component to check API access. This function generates the authentication-item using the request-method and resource name. Code here
Add callback handlers of RestfullYii in SeriesController.php to check for access. Code here
We will use the following RBAC hierarchy and understand how our API behaves with different combination of these authentication-items.