php – Role Based Access Control-ThrowExceptions

Exception or error:

Are there any open source, PHP based, role based access control system that can be used for CodeIgniter?

How to solve:

Brandon Savage gave a presentation on his PHP package “ApplicationACL” that may or may not accomplish role-based access. PHPGACL might work as well, but I can’t tell you for sure.

What I can tell you, however, is the Zend_ACL component of the Zend Framework will do role-based setups (however you’ll have to subclass to check multiple roles at once). Granted, the pain of this is you’ll have to pull out Zend_ACL (I do not believe it has any external dependencies) from the monolithic download (or SVN checkout).

The nice thing about Zend_ACL, though, is it’s storage agnostic. You can either rebuild it every time or it’s designed to be serialized (I use a combination of both: serialize for the cache and rebuild from the DB).


Maybe I’m misunderstanding the question, but isn’t the whole point of Role-Based Access Control (RBAC) to avoid Access Control Lists (ACLs)?

RBAC differs from access control lists (ACLs) (…) in that it assigns permissions to specific operations with meaning in the organization, rather than to low level data objects. For example, an access control list could be used to grant or deny write access to a particular system file, but it would not say in what ways that file could be changed. In an RBAC-based system an operation might be to create a ‘credit account’ transaction in a financial application (…). The assignment of permission to perform a particular operation is meaningful, because the operations are fine grained and themselves have meaning within the application.
(Quote: Wikipedia)

I don’t know the specifics on Zend_ACL or the other implementations mentioned, but if they are ACL-based, I would not recommend using them for role-based authorization.
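To make the ACL/RBAC distinction in the quoted answer concrete, here is an added illustration in plain PHP. It is not code from the thread or from any of the libraries named in it (Zend_ACL, phpgacl, PHP-Bouncer, PHP-RBAC and so on); it is a small, deny-by-default, hierarchical RBAC check written for this page. Permissions are named after application operations (such as creating a credit-account transaction), not after files or database rows, and roles inherit from parent roles, which is the hierarchical model later answers refer to as NIST Level 2. The `Rbac` class, the `userMay()` helper and every role and operation name are constructed for the example; `userMay()` also shows the "check several roles at once" case mentioned in the Zend_ACL answer.

```php
<?php
// Added example for this page, not from any library mentioned in the thread.
// Minimal hierarchical RBAC: roles inherit from parents, permissions name
// application operations (not data objects), and anything not granted is denied.

final class Rbac
{
    /** @var array<string, list<string>> role => parent roles it inherits from */
    private array $parents = [];

    /** @var array<string, array<string, true>> role => set of operations granted directly */
    private array $grants = [];

    public function addRole(string $role, array $parents = []): void
    {
        foreach ($parents as $parent) {
            if (!isset($this->parents[$parent])) {
                throw new InvalidArgumentException("Unknown parent role: $parent");
            }
        }
        $this->parents[$role] = $parents;
        $this->grants[$role] = $this->grants[$role] ?? [];
    }

    public function grant(string $role, string $operation): void
    {
        if (!isset($this->parents[$role])) {
            throw new InvalidArgumentException("Unknown role: $role");
        }
        $this->grants[$role][$operation] = true;
    }

    /** Deny by default: true only if the role, or one of its ancestors, was granted the operation. */
    public function isAllowed(string $role, string $operation): bool
    {
        if (!isset($this->parents[$role])) {
            return false; // unknown role: deny rather than guess
        }
        $seen = [];
        $stack = [$role];
        while ($stack !== []) {
            $current = array_pop($stack);
            if (isset($seen[$current])) {
                continue; // guards against cycles in a misconfigured hierarchy
            }
            $seen[$current] = true;
            if (isset($this->grants[$current][$operation])) {
                return true;
            }
            foreach ($this->parents[$current] as $parent) {
                $stack[] = $parent;
            }
        }
        return false;
    }
}

// A user may hold several roles; the check asks whether any of them permits the operation.
function userMay(Rbac $rbac, array $userRoles, string $operation): bool
{
    foreach ($userRoles as $role) {
        if ($rbac->isAllowed($role, $operation)) {
            return true;
        }
    }
    return false;
}

// Constructed sample policy for a small finance application (names are invented).
$rbac = new Rbac();
$rbac->addRole('guest');
$rbac->addRole('teller', ['guest']);     // teller inherits everything guest can do
$rbac->addRole('manager', ['teller']);   // manager inherits from teller, and so from guest

$rbac->grant('guest', 'account.view');
$rbac->grant('teller', 'credit_account.create');   // an operation with business meaning
$rbac->grant('manager', 'credit_account.approve');

var_dump(userMay($rbac, ['teller'], 'credit_account.create'));  // granted directly to teller
var_dump(userMay($rbac, ['teller'], 'account.view'));           // inherited from guest
var_dump(userMay($rbac, ['teller'], 'credit_account.approve')); // granted only to manager
var_dump(userMay($rbac, ['auditor'], 'account.view'));          // role never defined
```

Run with `php rbac.php`: the first two checks pass (a direct grant and one inherited from `guest`), the third is refused because only `manager` holds `credit_account.approve`, and the fourth is refused because `auditor` was never defined. Two design points matter for a defender: the default answer is "no", so a typo in a role or operation name fails closed, and the check is phrased in terms of what the user is trying to do, which is what makes the policy readable and auditable in a way a per-file or per-row ACL is not.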


I created an Open Source project called PHP-Bouncer which may be of interest to you. It’s still fairly young, but works well and is easy to configure. I ended up developing it because none of the existing solutions seemed to meet my needs. I hope this helps!


phpgacl is a generic ACL-based access control framework.

While I don’t know about any CI-specific implementation, I know that you only need the main class file to make phpgacl work. So I believe that integration with CI won’t be any problem. (I’ve worked passingly with CI.)


Here are two RBAC libraries for PHP I found:

I actually used the first one in PolyAuth:

It’s a full featured auth library that includes NIST level 1 RBAC. And yes, RBAC is not the same as an ACL. I use Codeigniter as well, all you have to do is use the PDO driver and pass in the connection id. See this tutorial for how to do that:


Found out about Khaos ACL which is a CI library… I’m also checking out phpgacl and how to use it for CI… Haven’t checked Zend ACL yet. But maybe it can be “ported” to CI.


Try the DX_Auth plugin for CodeIgniter. I am working on a similar (rather, a superset) of the functions that DX_Auth has. My set of CI add-ons includes display of menus (that can be controlled via CSS), role-based access control before the controller is invoked, and other features. I hope to publish it soon. Will give the project URL when I do so.


RBAC != ACL – Roland has the only correct answer for this question.

BTW, of course it is an essential part of a framework to implement any kind of permission system – at least there is no point in using a framework if it does not give you a well-engineered RBAC system – it might be better using a simple template system with any ORM layer then.

It is a common antipattern in the PHP world that frameworks like Ruby or Django are “cloned” only as a subset of what these modern frameworks deliver – as a typical syndrome you see a lack of good ACL or RBAC integration into these frameworks – which essentially is a joke.
There is currently only the Yii PHP Framework that comes with a decent RBAC implementation.


I know the trail is cold, but a new project has popped up:

PHP-RBAC is a PHP Hierarchical NIST Level 2 Standard Role Based Access Control and is pretty mature. It is also an OWASP project.

I hope you enjoy it at

Answer: (deadlink)

jFramework has a standard NIST level 2 RBAC with enhancements which is said to be the fastest available (includes benchmarks); it can operate on a single SQLite database file and is tested thoroughly. Works like a glove.

It has a dependency on the jFramework DBAL, but you can simply replace the DBAL SQL queries in the code with your desired DBAL, and of course you can use jFramework in a SOP manner.


The Ion Auth Library uses users and groups –
but there is no working RBAC system to use and manage them. But you can write your own functions.
