RBAC (Role-Based Access Control) is a system that restricts access based on a user's assigned role.
In RBAC, permissions are assigned to roles, and users are assigned to roles.
Term |
Description |
---|---|
User |
A logged-in entity (e.g., admin, customer) |
Role |
A set of permissions (e.g., guest, user, admin) |
Permission |
A specific action or access (e.g., |
laminas-authentication
Install laminas-authentication and its DB adapter, and understand the authentication flow first; only then will the link between authentication and permissions (RBAC) make sense.
laminas-permissions-rbac
Laminas (the successor of Zend Framework) provides an official component:
composer require laminas/laminas-permissions-rbac
Your `users` table should have a `role` column, for example:
id |
username |
password |
role |
---|---|---|---|
1 |
john |
****** |
admin |
2 |
joe |
****** |
user |
3 |
guest1 |
****** |
guest |
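namespace Application\Service;

use Laminas\Permissions\Rbac\Rbac;
use Laminas\Permissions\Rbac\Role;

/**
 * Builds the application's role hierarchy and permission map and answers
 * "may role X do Y?" questions for controllers.
 *
 * Roles form the chain guest < user < admin, each inheriting the
 * permissions of the previous one. The role names must match the values
 * stored in the users.role column.
 */
class RbacService
{
    /** @var Rbac */
    protected $rbac;

    public function __construct()
    {
        $this->rbac = new Rbac();

        // Role hierarchy: the second argument names the parent role whose
        // permissions are inherited.
        $this->rbac->addRole('guest');
        $this->rbac->addRole('user', 'guest');
        $this->rbac->addRole('admin', 'user');

        // Each permission is attached at the lowest role that needs it;
        // higher roles receive it through inheritance.
        $this->rbac->getRole('guest')->addPermission('view_home');
        $this->rbac->getRole('user')->addPermission('view_dashboard');
        $this->rbac->getRole('admin')->addPermission('edit_user');
        $this->rbac->getRole('admin')->addPermission('delete_user');
    }

    /**
     * Whether $role holds $permission, directly or through inheritance.
     *
     * A role name that was never registered here (for example an unexpected
     * value in the users.role column) is denied outright rather than being
     * handed to Rbac, which does not treat unknown role names as a plain
     * "not granted". Unknown roles therefore fail closed.
     */
    public function isGranted(string $role, string $permission): bool
    {
        if (!$this->rbac->hasRole($role)) {
            return false;
        }

        return $this->rbac->isGranted($role, $permission);
    }
}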
// module.config.php: RbacService takes no constructor arguments, so the
// generic InvokableFactory is enough to build it.
'service_manager' => [
    'factories' => [
        Application\Service\RbacService::class => Laminas\ServiceManager\Factory\InvokableFactory::class,
    ],
],
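namespace Application\Controller;

use Laminas\Mvc\Controller\AbstractActionController;
use Laminas\View\Model\ViewModel;
use Application\Service\RbacService;
use Laminas\Authentication\AuthenticationService;

/**
 * Dashboard page, reachable only by roles that hold the 'view_dashboard'
 * permission (see RbacService).
 */
class DashboardController extends AbstractActionController
{
    /** Least-privileged role, used whenever no trustworthy role is available. */
    protected const FALLBACK_ROLE = 'guest';

    /** @var RbacService */
    protected $rbacService;

    /** @var AuthenticationService */
    protected $auth;

    public function __construct(RbacService $rbacService, AuthenticationService $auth)
    {
        $this->rbacService = $rbacService;
        $this->auth = $auth;
    }

    /**
     * Renders the dashboard, or redirects to the login route when the
     * current role lacks 'view_dashboard'.
     *
     * @return \Laminas\Http\Response|ViewModel
     */
    public function indexAction()
    {
        $role = $this->getUserRole();

        if (!$this->rbacService->isGranted($role, 'view_dashboard')) {
            // An authenticated user whose role lacks the permission is also
            // sent to 'login'; a dedicated "forbidden" response may fit better.
            return $this->redirect()->toRoute('login');
        }

        return new ViewModel(['role' => $role]);
    }

    /**
     * Role name of the current visitor.
     *
     * Anonymous visitors, and authenticated identities that carry no usable
     * role, both resolve to FALLBACK_ROLE. Defaulting a role-less identity
     * to 'user' instead would grant 'view_dashboard' to any users row whose
     * role column is missing or NULL, so the fallback is the least-privileged
     * role.
     *
     * @return string
     */
    protected function getUserRole()
    {
        if (!$this->auth->hasIdentity()) {
            return self::FALLBACK_ROLE;
        }

        // The identity's shape depends on the authentication adapter; as in
        // the original this reads it as an object exposing a `role` property.
        $identity = $this->auth->getIdentity();
        $role = $identity->role ?? null;

        return is_string($role) && $role !== '' ? $role : self::FALLBACK_ROLE;
    }
}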
use Application\Controller\DashboardController;
use Application\Service\RbacService;
use Laminas\Authentication\AuthenticationService;

// module.config.php: the controller needs two collaborators, so a closure
// factory pulls both from the service container instead of InvokableFactory.
'controllers' => [
    'factories' => [
        DashboardController::class => function($container) {
            return new DashboardController(
                $container->get(RbacService::class),
                $container->get(AuthenticationService::class)
            );
        },
    ],
],
use Application\Controller\DashboardController;

// module.config.php: GET /dashboard dispatches to DashboardController::indexAction,
// which performs the RBAC check itself; the route carries no access rule.
'router' => [
    'routes' => [
        'dashboard' => [
            'type' => 'Literal',
            'options' => [
                'route' => '/dashboard',
                'defaults' => [
                    'controller' => DashboardController::class,
                    'action' => 'index',
                ],
            ],
        ],
    ],
],
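<h2>Dashboard</h2>
<?php // $role comes from the users table, so escape it for the HTML context. ?>
<p>Welcome! You are logged in as <?= $this->escapeHtml($this->role) ?></p>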
User |
Role |
Permissions |
---|---|---|
guest1 |
Guest |
view_home |
joe |
User |
view_home,view_dashboard |
john |
Admin |
view_home,view_dashboard,edit_user,delete_user |