Zf3 (mvc) - Rbac - Fine grained authorizations



Good morning,

So, we have the RBAC implementation that makes us able to assign roles to users, and permissions to these roles. So far so good. However, for our application, we need fine-grained authorizations, that is, one role (here a client) can have permissions on a specific resource but with further permission specifications (limits), on a per-user basis.

For instance, a client role can have permissions on the domain feature, but a user with that role can be limited to max 10 domains. My question here is how to build that on top of the RBAC implementation? How to store and retrieve those permission specifications (constraints) on a per-user basis? Should we first create a client role with minimum permissions, then a specific role (hierarchical roles) for the user with a subset of permissions to which we would add a subset of constraints? I’m a bit lost…

Thank you for your help.


I have done something similar before. What I did was in the database I would assign specific things to the user directly. Then when building my list of roles I would create one virtual role (I named it UserRole) and apply all the user-specific stuff to that. Then the user would get assigned to the virtual role.
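
The virtual-role approach described in the answer above, as an added sketch that is not code from either poster or from the ZF3 RBAC component. All function names, permission names and sample rows are hypothetical, and a missing limit is assumed to mean "unlimited".

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for database rows (hypothetical schema).
$rolePermissions = ['client' => ['domain.list', 'domain.create']];
$userRows = [
    'alice' => ['role' => 'client', 'limits' => ['domain.create' => 10]],
    'bob'   => ['role' => 'client', 'limits' => []],
];

/** Build the per-user virtual role: shared role permissions plus that user's limits. */
function buildUserRole(array $rolePermissions, array $userRows, string $user): ?array
{
    $row = $userRows[$user] ?? null;
    $permissions = $row === null ? null : ($rolePermissions[$row['role']] ?? null);
    if ($permissions === null) {
        return null; // unknown user or unknown role: no role, so every check denies
    }
    return [
        'name'        => 'UserRole:' . $user,
        'permissions' => $permissions,
        'limits'      => $row['limits'],
    ];
}

/**
 * The permission must come from the shared role first; a per-user limit can only
 * narrow that grant, never create one. $currentCount is the user's present usage.
 */
function isGranted(?array $userRole, string $permission, int $currentCount = 0): bool
{
    if ($userRole === null || !in_array($permission, $userRole['permissions'], true)) {
        return false;
    }
    $limit = $userRole['limits'][$permission] ?? null; // assumption: no row = unlimited
    return $limit === null || $currentCount < $limit;
}

$alice = buildUserRole($rolePermissions, $userRows, 'alice');
var_dump(isGranted($alice, 'domain.create', 9));  // below alice's limit of 10
var_dump(isGranted($alice, 'domain.create', 10)); // limit already reached
var_dump(isGranted($alice, 'domain.delete'));     // permission not in the client role
var_dump(isGranted(buildUserRole($rolePermissions, $userRows, 'mallory'), 'domain.list'));
```

The current count should be read in the same transaction that creates the new resource, otherwise two concurrent requests can both pass the check at nine domains.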


Thanks for your answer. After a bit of searching, I think that I need to go with ABAC, not RBAC.