Yii2: Authorization without RBAC

While RBAC lets you define a collection of permissions for your application, sometimes you just want something simpler to control access to certain pages. The simplest way to define your own access rule without using RBAC is to use the $matchCallback property when defining Access Control rules.

In the behaviors() function of a Controller or Module:

use yii\filters\AccessControl;
public function behaviors() {
    return [
        'access' => [
            'class' => AccessControl::className(),
            'rules' => [
                [
                    'allow' => true,
                    'roles' => ['@'], // '@' matches authenticated users
                    'matchCallback' => function ($rule, $action) {
                        return my_access_function(); // the rule applies only if this returns true
                    },
                ],
            ],
        ],
    ];
}

  • Line 9: Access is limited to logged-in users.
  • Line 11: Access is allowed if the function returns true. If it returns false, the rule does not match and, with no other rule allowing the request, the Forbidden page is displayed.
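
One way to fill in my_access_function(), as an added example that is not from the original post: the callback admits only user IDs listed in an application parameter and fails closed if that parameter is missing. The controller name, the isReportViewer() helper and the reportViewerIds parameter are assumptions made for illustration.

```php
<?php
namespace app\controllers;

use Yii;
use yii\filters\AccessControl;
use yii\web\Controller;

// Hypothetical controller. 'reportViewerIds' is an assumed key in
// config/params.php, e.g. 'reportViewerIds' => [1, 7].
class ReportController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    [
                        'allow' => true,
                        'roles' => ['@'], // guests fail here, before the callback runs
                        'matchCallback' => function ($rule, $action) {
                            return self::isReportViewer(Yii::$app->user->id);
                        },
                    ],
                    // No further rules: a request that matches nothing is denied.
                ],
            ],
        ];
    }

    // Plays the role of my_access_function() from the snippet above.
    public static function isReportViewer($userId): bool
    {
        $allowed = Yii::$app->params['reportViewerIds'] ?? [];
        if ($userId === null || !is_array($allowed)) {
            return false; // missing or malformed configuration denies access
        }
        // Normalise to strings so int 7 and '7' from the database compare
        // equal, then use strict mode to avoid loose-comparison matches.
        return in_array((string) $userId, array_map('strval', $allowed), true);
    }

    public function actionIndex()
    {
        return $this->render('index');
    }
}
```

Because the callback is the only thing separating one logged-in user from another, keep it side-effect free and make every error path return false.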
