Introduction to Zend\Permissions\Rbac

The Zend\Permissions\Rbac component provides a lightweight role-based access control implementation based around PHP 5.3’s SPL RecursiveIterator and RecursiveIteratorIterator. RBAC differs from access control lists (ACL) by putting the emphasis on roles and their permissions rather than objects (resources).

For the purposes of this documentation:

  • an identity has one or more roles.
  • a role requests access to a permission.
  • a permission is given to a role.

Thus, RBAC has the following model:

  • many to many relationship between identities and roles.
  • many to many relationship between roles and permissions.
  • roles can have a parent role.


The easiest way to create a role is by extending the abstract class Zend\Permission\Rbac\AbstractRole or simply using the default class provided in Zend\Permission\Rbac\Role. You can instantiate a role and add it to the RBAC container or add a role directly using the RBAC container addRole() method.


Each role can have zero or more permissions and can be set directly to the role or by first retrieving the role from the RBAC container. Any parent role will inherit the permissions of their children.

Dynamic Assertions

In certain situations simply checking a permission key for access may not be enough. For example, assume two users, Foo and Bar, both have article.edit permission. What’s to stop Bar from editing Foo’s articles? The answer is dynamic assertions which allow you to specify extra runtime credentials that must pass for access to be granted.

Table Of Contents

Previous topic

Advanced Usage

Next topic


This Page

Note: You need to stay logged into your GitHub account to contribute to the documentation.

Edit this document

Edit this document

The source code of this file is hosted on GitHub. Everyone can update and fix errors in this document with few clicks - no downloads needed.

  1. Login with your GitHub account.
  2. Go to Introduction to Zend\Permissions\Rbac on GitHub.
  3. Edit file contents using GitHub's text editor in your web browser
  4. Fill in the Commit message text box at the end of the page telling why you did the changes. Press Propose file change button next to it when done.
  5. On Send a pull request page you don't need to fill in text anymore. Just press Send pull request button.
  6. Your changes are now queued for review under project's Pull requests tab on GitHub.