Become Zend Certified

Prepare for the ZCE exam using our quizzes (web or iPad/iPhone). More info...

When you're ready get 7.5% off your exam voucher using voucher CJQNOV23 at the Zend Store


As with resources, creating a role is also very simple. All roles must implement Zend_Acl_Role_Interface. This interface consists of a single method, getRoleId(), Additionally, Zend_Acl_Role is provided by Zend_Acl as a basic role implementation for developers to extend as needed.

In Zend_Acl, a role may inherit from one or more roles. This is to support inheritance of rules among roles. For example, a user role, such as "sally", may belong to one or more parent roles, such as "editor" and "administrator". The developer can assign rules to "editor" and "administrator" separately, and "sally" would inherit such rules from both, without having to assign rules directly to "sally".

Though the ability to inherit from multiple roles is very useful, multiple inheritance also introduces some degree of complexity. The following example illustrates the ambiguity condition and how Zend_Acl solves it.

Example 28. Multiple Inheritance among Roles

The following code defines three base roles - "guest", "member", and "admin" - from which other roles may inherit. Then, a role identified by "someUser" is established and inherits from the three other roles. The order in which these roles appear in the $parents array is important. When necessary, Zend_Acl searches for access rules defined not only for the queried role (herein, "someUser"), but also upon the roles from which the queried role inherits (herein, "guest", "member", and "admin"):

= new Zend_Acl();

$acl->addRole(new Zend_Acl_Role('guest'))
addRole(new Zend_Acl_Role('member'))
addRole(new Zend_Acl_Role('admin'));

$parents = array('guest''member''admin');
$acl->addRole(new Zend_Acl_Role('someUser'), $parents);

$acl->add(new Zend_Acl_Resource('someResource'));


$acl->isAllowed('someUser''someResource') ? 'allowed' 'denied';

Since there is no rule specifically defined for the "someUser" role and "someResource", Zend_Acl must search for rules that may be defined for roles that "someUser" inherits. First, the "admin" role is visited, and there is no access rule defined for it. Next, the "member" role is visited, and Zend_Acl finds that there is a rule specifying that "member" is allowed access to "someResource".

If Zend_Acl were to continue examining the rules defined for other parent roles, however, it would find that "guest" is denied access to "someResource". This fact introduces an ambiguity because now "someUser" is both denied and allowed access to "someResource", by reason of having inherited conflicting rules from different parent roles.

Zend_Acl resolves this ambiguity by completing a query when it finds the first rule that is directly applicable to the query. In this case, since the "member" role is examined before the "guest" role, the example code would print "allowed".


When specifying multiple parents for a role, keep in mind that the last parent listed is the first one searched for rules applicable to an authorization query.

Zend Framework