Access Control Knowledge Base
Quick reference for access control models, authorization patterns, and PHP implementations.
Access Control Models Comparison
| Model |
Full Name |
Basis |
Granularity |
Scalability |
Complexity |
| ACL |
Access Control List |
Per-resource permissions |
Fine |
Poor at scale |
Low |
| RBAC |
Role-Based Access Control |
Roles assigned to users |
Medium |
Good |
Medium |
| ABAC |
Attribute-Based Access Control |
Policies over attributes |
Very fine |
Excellent |
High |
| ReBAC |
Relationship-Based Access Control |
Object relationships |
Very fine |
Excellent |
High |
Decision Matrix: When to Use Which Model
| Scenario |
Recommended |
Why |
| Simple app, few resources |
ACL |
Direct, easy to implement |
| Enterprise, department-based access |
RBAC |
Maps to organizational roles |
| Complex policies, dynamic rules |
ABAC |
Flexible attribute evaluation |
| Social graphs, shared resources |
ReBAC |
Natural relationship modeling |
| Multi-tenant SaaS |
RBAC + tenant scope |
Roles per tenant |
| Healthcare, finance (compliance) |
ABAC |
Fine-grained audit trail |
| Document sharing (Google Docs style) |
ReBAC |
Owner/editor/viewer relations |
| Microservices with JWT |
RBAC (claims) |
Stateless, token-based |
RBAC: Role-Based Access Control
Role Hierarchy
┌─────────────────────────────────────────────────────────────────────────────┐
│ RBAC ROLE HIERARCHY │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ │
│ │ SUPER_ADMIN │ │
│ │ (all perms) │ │
│ └──────┬───────┘ │
│ │ inherits │
│ ┌──────▼───────┐ │
│ │ ADMIN │ │
│ │ (manage) │ │
│ └──────┬───────┘ │
│ ┌──────────┼──────────┐ │
│ │ inherits │ │ inherits │
│ ┌──────▼───────┐ │ ┌───────▼──────┐ │
│ │ MANAGER │ │ │ EDITOR │ │
│ │ (approve) │ │ │ (create/edit)│ │
│ └──────┬───────┘ │ └───────┬──────┘ │
│ │ │ │ │
│ └──────────┼──────────┘ │
│ ┌──────▼───────┐ │
│ │ USER │ │
│ │ (read) │ │
│ └──────┬───────┘ │
│ ┌──────▼───────┐ │
│ │ GUEST │ │
│ │ (limited) │ │
│ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Permission Inheritance
| Role |
Own Permissions |
Inherited From |
Total Permissions |
| GUEST |
view_public |
- |
1 |
| USER |
view, create |
GUEST |
3 |
| EDITOR |
edit, publish |
USER |
5 |
| MANAGER |
approve, assign |
USER |
5 |
| ADMIN |
manage_users, configure |
MANAGER, EDITOR |
10 |
| SUPER_ADMIN |
all |
ADMIN |
all |
RBAC PHP Implementation
<?php
declare(strict_types=1);
namespace Domain\Authorization;
final readonly class Role
{
/**
* @param list<Permission> $permissions
* @param list<self> $parents
*/
public function __construct(
private string $name,
private array $permissions = [],
private array $parents = [],
) {}
public function hasPermission(Permission $permission): bool
{
if (in_array($permission, $this->permissions, true)) {
return true;
}
foreach ($this->parents as $parent) {
if ($parent->hasPermission($permission)) {
return true;
}
}
return false;
}
public function getName(): string
{
return $this->name;
}
/** @return list<Permission> */
public function getAllPermissions(): array
{
$permissions = $this->permissions;
foreach ($this->parents as $parent) {
$permissions = array_merge($permissions, $parent->getAllPermissions());
}
return array_values(array_unique($permissions));
}
}
ABAC: Attribute-Based Access Control
Core Concepts
| Concept |
Description |
Example |
| Subject |
Who is requesting access |
User with attributes (role, department, clearance) |
| Resource |
What is being accessed |
Document with attributes (classification, owner) |
| Action |
Operation being performed |
read, write, delete, approve |
| Environment |
Contextual conditions |
Time of day, IP range, MFA status |
Policy Evaluation
┌─────────────────────────────────────────────────────────────────────────────┐
│ ABAC POLICY EVALUATION │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Request(subject, resource, action, environment) │
│ │ │
│ ▼ │
│ ┌──────────────────────┐ │
│ │ Policy Decision │ │
│ │ Point (PDP) │ ◀── Policy Store (rules) │
│ └──────────┬───────────┘ │
│ │ │
│ ┌──────┼──────┐ │
│ ▼ ▼ ▼ │
│ Policy1 Policy2 PolicyN │
│ ALLOW DENY ALLOW │
│ │ │ │ │
│ └──────┼──────┘ │
│ ▼ │
│ ┌──────────────────┐ │
│ │ Combining Algo │ │
│ │ (deny-overrides) │ │
│ └────────┬─────────┘ │
│ ▼ │
│ DENY │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
ABAC Policy Implementation
<?php
declare(strict_types=1);
namespace Domain\Authorization;
final readonly class AbacPolicy
{
public function __construct(
private string $name,
private string $description,
/** @var list<callable(AuthorizationContext): ?bool> */
private array $rules,
) {}
public function evaluate(AuthorizationContext $context): ?bool
{
foreach ($this->rules as $rule) {
$result = $rule($context);
if ($result === false) {
return false;
}
}
return true;
}
public function getName(): string
{
return $this->name;
}
}
final readonly class AuthorizationContext
{
public function __construct(
private array $subjectAttributes,
private array $resourceAttributes,
private string $action,
private array $environmentAttributes = [],
) {}
public function getSubjectAttribute(string $key): mixed
{
return $this->subjectAttributes[$key] ?? null;
}
public function getResourceAttribute(string $key): mixed
{
return $this->resourceAttributes[$key] ?? null;
}
public function getAction(): string
{
return $this->action;
}
public function getEnvironmentAttribute(string $key): mixed
{
return $this->environmentAttributes[$key] ?? null;
}
}
ReBAC: Relationship-Based Access Control
Google Zanzibar Model
Relationships are stored as tuples: user:relation:object
| Tuple |
Meaning |
user:123#viewer@document:456 |
User 123 is a viewer of document 456 |
group:eng#member@user:123 |
User 123 is a member of group eng |
document:456#parent@folder:789 |
Document 456 is in folder 789 |
folder:789#viewer@group:eng#member |
Members of eng group are viewers of folder 789 |
Relationship Graph
┌─────────────────────────────────────────────────────────────────────────────┐
│ ReBAC RELATIONSHIP GRAPH │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ user:alice ──owner──▶ document:report │
│ │ │ │
│ │ member │ parent │
│ ▼ ▼ │
│ group:engineering folder:shared │
│ │ │ │
│ │ viewer │ viewer │
│ ▼ ▼ │
│ folder:eng-docs org:acme (all members can view) │
│ │
│ Check: Can alice view document:report? │
│ Path: alice ──owner──▶ document:report ✓ (owner implies viewer) │
│ │
│ Check: Can bob view folder:shared? │
│ Path: bob ──member──▶ org:acme ──viewer──▶ folder:shared ✓ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Multi-Tenancy Authorization
| Pattern |
Description |
Isolation Level |
| Tenant-scoped roles |
User has different roles per tenant |
Strong |
| Shared roles, tenant filter |
Global roles, data filtered by tenant |
Medium |
| Tenant in JWT claims |
Tenant ID in authentication token |
Medium |
| Row-level security |
Database enforces tenant isolation |
Strong |
| Separate schemas |
Each tenant has own DB schema |
Strongest |
Tenant-Scoped Authorization
<?php
declare(strict_types=1);
namespace Domain\Authorization;
final readonly class TenantPermissionChecker
{
public function __construct(
private TenantRoleRepositoryInterface $roleRepository,
) {}
public function hasPermission(string $userId, string $tenantId, Permission $permission): bool
{
$roles = $this->roleRepository->findRolesForUserInTenant($userId, $tenantId);
foreach ($roles as $role) {
if ($role->hasPermission($permission)) {
return true;
}
}
return false;
}
public function assertPermission(string $userId, string $tenantId, Permission $permission): void
{
if (!$this->hasPermission($userId, $tenantId, $permission)) {
throw new AccessDeniedException(
sprintf('User %s lacks %s in tenant %s', $userId, $permission->value, $tenantId),
);
}
}
}
Symfony Voter Implementation
<?php
declare(strict_types=1);
namespace Infrastructure\Security\Voter;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;
final class DocumentVoter extends Voter
{
public const string VIEW = 'DOCUMENT_VIEW';
public const string EDIT = 'DOCUMENT_EDIT';
public const string DELETE = 'DOCUMENT_DELETE';
protected function supports(string $attribute, mixed $subject): bool
{
return in_array($attribute, [self::VIEW, self::EDIT, self::DELETE], true)
&& $subject instanceof Document;
}
protected function voteOnAttribute(string $attribute, mixed $subject, TokenInterface $token): bool
{
$user = $token->getUser();
if (!$user instanceof User) {
return false;
}
/** @var Document $document */
$document = $subject;
return match ($attribute) {
self::VIEW => $this->canView($document, $user),
self::EDIT => $this->canEdit($document, $user),
self::DELETE => $this->canDelete($document, $user),
default => false,
};
}
private function canView(Document $document, User $user): bool
{
if ($document->isPublic()) {
return true;
}
return $document->getOwnerId() === $user->getId()
|| $user->hasRole('ROLE_ADMIN');
}
private function canEdit(Document $document, User $user): bool
{
return $document->getOwnerId() === $user->getId()
|| $user->hasRole('ROLE_EDITOR');
}
private function canDelete(Document $document, User $user): bool
{
return $document->getOwnerId() === $user->getId()
|| $user->hasRole('ROLE_ADMIN');
}
}
Laravel Gate/Policy
<?php
declare(strict_types=1);
namespace App\Policies;
use App\Models\Document;
use App\Models\User;
final class DocumentPolicy
{
public function view(User $user, Document $document): bool
{
if ($document->is_public) {
return true;
}
return $user->id === $document->owner_id
|| $user->hasRole('admin');
}
public function update(User $user, Document $document): bool
{
return $user->id === $document->owner_id
|| $user->hasRole('editor');
}
public function delete(User $user, Document $document): bool
{
return $user->id === $document->owner_id
|| $user->hasRole('admin');
}
}
Anti-Patterns
| Anti-Pattern |
Problem |
Solution |
| Inline role checks |
if ($user->role === 'admin') scattered in code |
Use Voter/Policy abstraction |
| Hardcoded permissions |
Permissions compiled into code |
Store in database/config |
| Missing deny-by-default |
Forgetting to deny when no rule matches |
Default to DENY |
| Role explosion |
Too many roles (one per use case) |
Switch to ABAC or group permissions |
| Checking in views only |
No server-side enforcement |
Always check in backend |
| No audit logging |
Cannot trace who accessed what |
Log every authorization decision |
| Caching without invalidation |
Stale permission grants |
Event-driven cache invalidation |
| God role |
Single admin role with all permissions |
Granular admin sub-roles |
Common Violations Quick Reference
| Violation |
Where to Look |
Severity |
| No authorization on API endpoints |
Controllers, routes |
Critical |
| Hardcoded role names in business logic |
Domain layer, services |
Warning |
| Missing tenant isolation in queries |
Repositories, query builders |
Critical |
| No CSRF protection on state-changing forms |
Form handlers, middleware |
Critical |
| Permissions not cached |
Voter/Policy implementations |
Warning |
| No audit trail for access decisions |
Authorization layer |
Warning |
| Overly permissive default roles |
Role configuration |
Warning |
Detection Patterns
# Authorization implementations
Grep: "Voter|VoterInterface|AbstractVoter" --glob "**/*.php"
Grep: "Gate::define|Gate::allows|Gate::denies|@can" --glob "**/*.php"
Grep: "Policy|AuthorizesRequests" --glob "**/*.php"
# Role checks
Grep: "hasRole|isGranted|->can\(|->cannot\(" --glob "**/*.php"
Grep: "ROLE_|Permission::|PermissionEnum" --glob "**/*.php"
# Inline role checks (anti-pattern)
Grep: "role\s*===?\s*['\"]admin|role\s*===?\s*['\"]user" --glob "**/*.php"
# Tenant isolation
Grep: "tenant_id|tenantId|getTenantId" --glob "**/*.php"
Grep: "TenantScope|MultiTenant|BelongsToTenant" --glob "**/*.php"
# Casbin
Grep: "Enforcer|casbin|model\.conf|policy\.csv" --glob "**/*.php"
# Security configuration
Grep: "security\.yaml|security\.php|access_control" --glob "**/*.{yaml,php}"
Grep: "#\[IsGranted|@IsGranted|@Security" --glob "**/*.php"
# Missing authorization
Grep: "class.*Controller" --glob "**/*.php"
Grep: "class.*Action" --glob "**/Action/**/*.php"
References
For detailed information, load these reference files:
references/models.md — Detailed ACL, RBAC, ABAC, ReBAC analysis with scalability comparisons and PHP examplesreferences/php-implementations.md — Symfony Voters, Laravel Gates/Policies, Casbin PHP, permission caching strategies