How to use RBAC to control API access

In this article we look at Role-based Access Control (RBAC) and see how it can be used to fine-tune access to a REST API. The article builds on the previous series of articles; the latest one is available here.

Role-based Access Control is a mechanism that assigns one or more “roles” to a “user” and then grants permissions (what this article calls “authentication-items”; Yii's own term is authorization items, or auth items) to those roles rather than to users directly. An access check asks whether the user holds a role that, directly or through the role hierarchy, contains the requested item.

In a REST API, several operations can be performed on a resource. The operation is identified by the HTTP request method, normally GET, POST, PUT or DELETE, and the resource by its database model. An authentication-item is the combination of the two, so a “series” resource yields four items: “get-series”, “post-series”, “put-series” and “delete-series”. A request whose method or resource does not map to an existing item should be denied, not allowed by default.

The “user” in our case is identified by the “apikey” query parameter. Note that a key sent in the query string ends up in server access logs, browser history and Referer headers; an HTTP header such as X-Api-Key is the safer place for it, and the key should be looked up by its hash rather than stored in clear.

Yii comes with its own RBAC system, exposed through the CAuthManager class. We will use its subclass CDbAuthManager, which stores the RBAC data (auth items, the parent/child hierarchy and user assignments) in database tables.

It is worth reviewing the Yii approach to RBAC in this article first.


  • Add a migration to create the RBAC tables. Code available here
  • Run the migrations ( )
  • Add the API Authentication Manager component in . Code available here
  • Add a function in to use the component to check API access. This function builds the authentication-item name from the request method and the resource name. Code here
  • Add RestfullYii callback handlers in to perform the access check. Code here

We will use the following RBAC hierarchy and see how the API behaves with different combinations of these authentication-items.
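The steps above and the hierarchy they feed, pulled together as one added example. This is not the article's own code (the linked files are not on this page) and the hierarchy is an assumed one, since the article's own is not reproduced here. It assumes Yii 1.x with CDbAuthManager registered as the `authManager` component, the class below registered as a component named `apiAccess`, a hypothetical `ApiKey` ActiveRecord with columns `key_hash` and `user_id`, and the role names `series-reader`, `series-editor` and `series-admin`.

```php
<?php
/**
 * Added example, not the article's code. Assumes the main config contains:
 *
 *   'authManager' => array(
 *       'class'           => 'CDbAuthManager',
 *       'connectionID'    => 'db',
 *       'itemTable'       => 'AuthItem',       // the three tables from Yii's
 *       'itemChildTable'  => 'AuthItemChild',  // framework/web/auth schema,
 *       'assignmentTable' => 'AuthAssignment', // created by the migration
 *   ),
 *   'apiAccess' => array('class' => 'ApiAccessManager'),   // assumed name
 *
 * The `ApiKey` model (columns `key_hash`, `user_id`) is an assumption.
 */
class ApiAccessManager extends CApplicationComponent
{
    // Only these verbs have auth-items; anything else (HEAD, PATCH, OPTIONS) is denied.
    private static $methods = array('GET', 'POST', 'PUT', 'DELETE');

    /**
     * "GET" + "series" -> "get-series". The resource name is restricted to
     * [a-z0-9_] so a crafted URL segment cannot be turned into the name of an
     * unrelated auth-item (for example a role name).
     */
    public static function authItemName($method, $resource)
    {
        $method   = strtoupper((string) $method);
        $resource = strtolower((string) $resource);
        if (!in_array($method, self::$methods, true) || !preg_match('/^[a-z0-9_]+$/', $resource)) {
            return null;
        }
        return strtolower($method) . '-' . $resource;
    }

    /** Prefer the X-Api-Key header; fall back to ?apikey= as the article does. */
    public static function apiKeyFromRequest()
    {
        if (isset($_SERVER['HTTP_X_API_KEY'])) {
            return $_SERVER['HTTP_X_API_KEY'];
        }
        return Yii::app()->request->getQuery('apikey');
    }

    /** Resolve the user behind an API key; only a SHA-256 of the key is stored. */
    public function userIdForApiKey($apiKey)
    {
        if (!is_string($apiKey) || $apiKey === '') {
            return null;
        }
        $row = ApiKey::model()->findByAttributes(array('key_hash' => hash('sha256', $apiKey)));
        return $row === null ? null : (int) $row->user_id;
    }

    /** Deny by default: unknown key, unknown item or missing role all yield false. */
    public function checkApiAccess($apiKey, $method, $resource)
    {
        $userId = $this->userIdForApiKey($apiKey);
        $item   = self::authItemName($method, $resource);
        if ($userId === null || $item === null) {
            return false;
        }
        // checkAccess() walks the role hierarchy, so a user assigned
        // 'series-admin' passes the 'get-series' check via series-reader.
        return Yii::app()->authManager->checkAccess($item, $userId);
    }

    /** Build the assumed hierarchy for "series"; run once, e.g. from a console command. */
    public static function buildSeriesHierarchy()
    {
        $auth = Yii::app()->authManager;
        foreach (array('get', 'post', 'put', 'delete') as $verb) {
            $auth->createOperation("$verb-series", ucfirst($verb) . ' a series');
        }
        $reader = $auth->createRole('series-reader');
        $reader->addChild('get-series');
        $editor = $auth->createRole('series-editor');
        $editor->addChild('series-reader');   // inherits get-series
        $editor->addChild('post-series');
        $editor->addChild('put-series');
        $admin = $auth->createRole('series-admin');
        $admin->addChild('series-editor');    // inherits get/post/put-series
        $admin->addChild('delete-series');
        $auth->save();                        // no-op for CDbAuthManager, needed for CPhpAuthManager
    }
}

// Wiring, as it would be called from the RestfullYii callback the article adds
// (or from any Yii action filter). User id 42 and the assignment are illustrative.
//
//   Yii::app()->authManager->assign('series-editor', 42);
//   $ok = Yii::app()->apiAccess->checkApiAccess(
//       ApiAccessManager::apiKeyFromRequest(),
//       Yii::app()->request->getRequestType(),   // 'GET', 'POST', 'PUT', 'DELETE'
//       'series'
//   );
//   if (!$ok) { throw new CHttpException(403, 'Forbidden'); }
```

With this hierarchy a key assigned `series-editor` passes `get-series`, `post-series` and `put-series` but fails `delete-series`, while `series-reader` only passes `get-series`; a key that maps to no user, or a method such as PATCH that has no item, is refused before CDbAuthManager is consulted at all.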
