There isn't really a layer of complexity that can be removed, but rather a simpler design.

From what I gather just one table should get you out of trouble if the roles you want to assign users are well defined.
I.e. Admin can do anything
guest can only view but can't do anything else
member can view, add, edit delete etc...
etc....

Then all you need to do is check to see if a user is a member of a predefined group.
The only problem is that if a user is part of several groups then things get a bit complicated and that is were a full blown RBAC design becomes the best option.

Good work Ben
Ur Rbac looks very promising
Im trying to use on my current project now

some stupid question
can u explain in simple english what is object,privillegd,domain and roles is

thanks in advance

This isn't a stupid question at all. It is an important one.
The RBAC is based on grammar and is meant to reflect the way we speak and write.

An object is anything that can have an action applied to it. Or in other words it is always a "noun".
An action is always a "verb".

So anything that in normal grammar can be classified as a "noun" is an object.
For example: thread, page, journal, phone number, recipe, car, boat, paragraph, article, post, etc...

Most of the times "objects" on forums end up being "pages". admin pages, user pages, guest pages, moderator pages, etc....

As you can see there are literally millions of objects you can define.

-----
A domain is a collection of objects that share something in common. That "something in common" can really be anything, and it is up to you to decide what is a good domain or criteria to group objects by.

You can see that the RBAC design allows the same object to be part of many different domains, since an object may have criteria that meet different domains.

For example if you have a "car" object. This car may be made in 1986, is blue, make is Ford, and it is a diesel engine.
So it potentially can be part of 5 different domains, i.e. cars made in 1986, or cars that are blue, or all Ford cars, or all diesel engine cars.

As you can see a domain is abstract, and only makes sense after YOU define what a domain should represent.
The first thing you should do then is always start by defining your domains, then place the appropriate objects into it.

-----
A privilege table is just a collection of actions. It is similar to domains except that you use it to group actions that have something in common.

Generally (but not always) that something in common is related to what you want a "role" to be able to do.
So most of the time the privileges will be something like: admin_privileges, user_privileges, guest_privileges. etc...

Again one action can be part of many privileges. For example the admin_privileges will include 'new, edit, delete, view, etc....' whereas the guest_privileges will only have the 'view' action.

Remember an action is ALWAYS a verb.
So a privilege is defined by a collection of actions that make sense to YOU. You can define them anyway you like.

--------
A role, is directly related to 'users' of your site. You can define thousands of different roles, but most of the time a simple website will only have about 5 to 10. (For more complex websites you can define a role for each member.)

Anyway, to keep things simple, a role is generally "administrator", "member", "guest", "moderator" etc...

If you were implementing a website for a soccer team then a role would be "captain", "goal_keeper", "attacker", "defender"...

As you can see a member can have more than one role. A person could be "captain" as well as "goal_keeper".

So broadly speaking a role corresponds to a category of users that have a predefined function, or rank, or age, or whatever you want to group people into...


Hope this makes things a bit clearer.

Well explain...thanks ben

I facing some problem when i run ur sql script in phpmyadmin
This is what mysql throw to me

/************ Foreign Key: fk_users_has_roles_roles ***************/ ALTER TABLE rbac_users_has_roles ADD CONSTRAINT fk_users_has_roles_roles FOREIGN KEY ( roles_id ) REFERENCES rbac_roles( id ) ;

MySQL said:
#1005 - Can't create table 'rbac.#sql-908_29' (errno: 150)

still no response with the sql thinggy

edit column roles_id in table rbac_user_has_roles

set integert datatype value to 11 and set the attribute to none (from unsignned to nothing)

Just got to this. Looks like you have worked it out :-) The answer is also at the start of the thread. I have to update the files on the server.
Cheers,

Ben

actually ben i want to know what is the core file for ur rbac

is it class.rbac_bv.php or class.rbacAdmin_bv.php or need both off this file in order to work properly?

Both these files are important. The Admin file is used to manipulate the database, and the other file is use to query the database.

i have hard time to implement the rbac eith admin gui

it give an error something like this:

Fatal error: require_once() [function.require]:
Failed opening required 'PEAR/Config.php' (include_path='.;C:\wamp\bin\php\php5.2.9-2\PEAR') in C:\wamp\bin\php\php5.2.9-2\PEAR\Common.php on line 865

any help ben?