Can I use ACL and RBAC together? Ho to do it in the right way?

I am using zf3 mvc and apigility together. I am trying to make working apigility with oauth2 (also separately for admin panel which has it own router path “admin”). Can I put ACL and RBAC together also within apigility? oauth2 is using ACL, but UserIdentity extends RbacRole. First layer of authorization will be ACL and second will be RBAC, am I right?

Doesn’t make much sense to me: seems like a lot of added complexity due to two layers doing the same thing (and there will be painful differences in how they are configured)

RBAC has useful features, for example, editing own blog post. It seems, It can’t be done with ACL. Earlier I was working only with ACL (ZF1).

ACL can also do the same thing, but more fine-grained.

1 Like

I just figured out that module zfcampus/zf-mvc-auth uses acl and rbac together.

@testuser ACL can do things like editing own blog posts. See the ownership assertions section here for an example:

1 Like

Yes, I have already seen that. I was working only with zf1 acl that is why I thought that assertions is a feature only of rbac.