As with resources, creating a role is also very simple. All roles must implement
Zend_Acl_Role_Interface. This interface consists of a single
Zend_Acl_Role is provided as
a basic role implementation for developers to extend as needed.
In Zend_Acl, a role may inherit from one or more roles. This is
to support inheritance of rules among roles. For example, a user role, such as "sally",
may belong to one or more parent roles, such as "editor" and "administrator". The
developer can assign rules to "editor" and "administrator" separately, and "sally"
would inherit such rules from both, without having to assign rules directly to "sally".
Though the ability to inherit from multiple roles is very useful, multiple inheritance
also introduces some degree of complexity. The following example illustrates the
ambiguity condition and how
Zend_Acl solves it.
Example 28. Multiple Inheritance among Roles
The following code defines three base roles - "guest",
"member", and "admin" - from which other roles may
inherit. Then, a role identified by "someUser" is established and
inherits from the three other roles. The order in which these roles appear in the
$parents array is important. When necessary,
Zend_Acl searches for access rules defined not only for the
queried role (herein, "someUser"), but also upon the roles from which
the queried role inherits (herein, "guest", "member", and "admin").
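$acl = new Zend_Acl();
$parents = array('guest', 'member', 'admin');
foreach ($parents as $id) { $acl->addRole(new Zend_Acl_Role($id)); } // the three base roles
$acl->addRole(new Zend_Acl_Role('someUser'), $parents); // the last parent listed is searched first
$acl->add(new Zend_Acl_Resource('someResource'));
$acl->deny('guest', 'someResource');
$acl->allow('member', 'someResource');
echo $acl->isAllowed('someUser', 'someResource') ? 'allowed' : 'denied';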
Since there is no rule specifically defined for the "someUser" role and "someResource",
Zend_Acl must search for rules that may be
defined for roles that "someUser" inherits. First, the "admin" role is visited, and
there is no access rule defined for it. Next, the "member" role is visited, and
Zend_Acl finds that there is a rule specifying that "member"
is allowed access to "someResource".
If Zend_Acl were to continue examining the rules defined for
other parent roles, however, it would find that "guest" is denied access to
"someResource". This fact introduces an ambiguity because now
"someUser" is both denied and allowed access to "someResource", by reason of having
inherited conflicting rules from different parent roles.
Zend_Acl resolves this ambiguity by completing a query when
it finds the first rule that is directly applicable to the query. In this case,
since the "member" role is examined before the "guest" role, the example code would
When specifying multiple parents for a role, keep in mind that the last parent listed is the first one searched for rules applicable to an authorization query.
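The following is an added example, not part of the Zend Framework manual: it rebuilds the ACL from Example 28 once for every ordering of $parents and records the decision each ordering yields, which is a quick way to find roles whose access depends on list order alone. The helper names buildAcl, permutations and decisionsByOrder are hypothetical, and Zend Framework 1 is assumed to be on the include_path.

```php
<?php
// Added example (not from the manual); assumes Zend Framework 1 is on the include_path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

// Rebuild the ACL from Example 28 with a caller-chosen parent order.
function buildAcl(array $parents) {
    $acl = new Zend_Acl();
    foreach (array('guest', 'member', 'admin') as $id) {
        $acl->addRole(new Zend_Acl_Role($id));
    }
    $acl->addRole(new Zend_Acl_Role('someUser'), $parents);
    $acl->add(new Zend_Acl_Resource('someResource'));
    $acl->deny('guest', 'someResource');
    $acl->allow('member', 'someResource');
    return $acl;
}

// Every ordering of a list (hypothetical helper).
function permutations(array $items) {
    if (count($items) < 2) { return array($items); }
    $result = array();
    foreach ($items as $i => $item) {
        $rest = $items;
        unset($rest[$i]);
        foreach (permutations(array_values($rest)) as $tail) {
            $result[] = array_merge(array($item), $tail);
        }
    }
    return $result;
}

// Map each parent order to the decision it produces for "someUser".
function decisionsByOrder(array $parents) {
    $decisions = array();
    foreach (permutations($parents) as $order) {
        $allowed = buildAcl($order)->isAllowed('someUser', 'someResource');
        $decisions[implode(',', $order)] = $allowed ? 'allowed' : 'denied';
    }
    return $decisions;
}

$decisions = decisionsByOrder(array('guest', 'member', 'admin'));
foreach ($decisions as $order => $decision) {
    echo $order, ' => ', $decision, PHP_EOL;
}
// More than one distinct decision means conflicting rules are inherited.
if (count(array_unique($decisions)) > 1) {
    echo 'order-dependent: review the parent list for someUser', PHP_EOL;
}
```

The orderings that list "guest" after "member" are the ones that deny, because the last parent listed is searched first and "admin" carries no rule for "someResource".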