Yii2 – Custom Role Based Access Control

Authorization is the process of verifying that a user has enough permission to do something. Yii provides two authorization methods: Access Control Filter (ACF) and Role Based Access Control (RBAC).

This tutorial will show you how you can create Custom-Role Based Access Control (C-RBAC) without using migrations and authManager. Previously I had written a post regarding how to program, Basic User Login From Database in an Yii2 application. This previous post was continue to login with Role Based Access Control.

A role represents a collection of permissions (e.g. create posts, view post, update posts & delete post). A role may be assigned to one or multiple users. To check if a user has a specified permission, we may check if the user is assigned with a role that contains that permission.


Implementing a role based access control is a very easy process using CRUD (without using migrations and authManager) and you can even load your roles from the database if you want.

Step1: Creating necessary tables in the database [without using migration]

The first step is to create necessary tables in the database. Below is the sql you need to run in the database.

uses four database tables to store its data:

  • modulesTable: the table for storing all modules items. Defaults to “modules_list“.
  • rolePermissionTable: the table for storing authorization item hierarchy. Defaults to “role_module_permission“.
  • userTable: the table for storing authorization modules assignments. Defaults to “user“.
  • roleTable: the table for storing roles. Defaults to “role_types“.


Add Modules into Table:

Modules Table


Create CRUD for Roles:

Create CRUD for Roles


Set Permission for each Roles:

Set Permission for each Roles


View Role Permissions:

Vie Role Permissions


Assign role to User:

Assign role to Users


Step2: Create components file as ModulesPermission

In this ModulesPermission you can get menus, roles and permissions. Because most access check is about the current user. This is done by adding the following files to the components folder.


Step3: Setting up the config file

Now you can set up the config file to use the components as ModulesPermission. This is done by adding the following lines to the components section of your config file.


Step4: Get menus access

Get current user menu access using Yii::$app->Permission->getMenus().


Step5: Check role based access control

With the authorization data ready, access check is as simple as a call to the beforeAction method. Because most access check is about the current user, for convenience Yii provides a shortcut method Yii::$app->Permission->getPermission(), which can be used like the following in all controllers:


Step6: Add permission action in site controller.


Step7: Create access denied error page in site folder as denied file name.



Prakash S

Prakash S

I would like to introduce myself as a Software professional opting for the career in software industry. I'm Prakash S, a MCA graduate and trained as industry level practice for Software technology. Basically I am a PHP Developer but now days exploring more in HTML5, CSS, AngularJS and jQuery libraries.