How to Implement ABAC with PHP‑Casbin for Fine‑Grained Access Control
This guide explains how to use PHP‑Casbin to enforce attribute‑based access control (ABAC) by defining request, policy, and matcher sections, creating attribute‑rich objects, and calling the enforcer to obtain true or false decisions for different subjects and resources.
ABAC with PHP‑Casbin
PHP‑Casbin is an open‑source, high‑performance access‑control library that supports multiple models, including Attribute‑Based Access Control (ABAC). ABAC makes authorization decisions based on attributes of the subject, object, or action rather than static strings.
The official ABAC example configuration consists of four sections:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = r.sub == r.obj.owner

In this example, the matcher checks whether the subject (r.sub) matches the owner attribute of the object (r.obj.owner).
Next, define objects with attributes in PHP:
$data1 = new \stdClass();
$data1->name = 'data1';
$data1->owner = 'alice';
$data2 = new \stdClass();
$data2->name = 'data2';
$data2->owner = 'bob';

Finally, use the enforcer to evaluate access requests. The enforce method returns true when the matcher condition holds and false otherwise:
// $e is a Casbin\Enforcer instance loaded with the model above.
$e->enforce('alice', $data1, 'read'); // true
$e->enforce('alice', $data2, 'read'); // false
$e->enforce('bob', $data1, 'read'); // false
$e->enforce('bob', $data2, 'read'); // true

This demonstrates how ABAC can provide fine‑grained, attribute‑driven authorization without hard‑coding resource identifiers.
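The model, objects and enforce calls described above, combined into one script as an added example (not code from the original article or the PHP-Casbin project). It assumes casbin/casbin is installed through Composer; `$store` and `canAccess()` are hypothetical names and the records are constructed sample data. It goes one step further than the article by resolving the resource server-side and denying before the matcher runs when the record or its owner attribute is missing.

```php
<?php
// Added example: assumes `composer require casbin/casbin` has been run.
require __DIR__ . '/vendor/autoload.php';

use Casbin\Enforcer;
use Casbin\Model\Model;

// The ABAC model from the article, loaded from a string instead of a file.
$model = Model::newModelFromString(<<<'CONF'
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == r.obj.owner
CONF);
$e = new Enforcer($model);

// Constructed stand-in for a server-side data store keyed by resource ID.
$store = [
    'data1' => (object) ['name' => 'data1', 'owner' => 'alice'],
    'data2' => (object) ['name' => 'data2', 'owner' => 'bob'],
];

/**
 * Hypothetical helper: resolve the resource on the server, then ask Casbin.
 * The owner attribute is read from $store, never from request input, and
 * unknown IDs or records without an owner are denied before the matcher runs.
 */
function canAccess(Enforcer $e, array $store, string $user, string $id, string $act): bool
{
    $resource = $store[$id] ?? null;
    if ($resource === null || !isset($resource->owner) || $resource->owner === '') {
        return false; // fail closed
    }
    return $e->enforce($user, $resource, $act);
}

foreach ([['alice', 'data1', 'read'], ['alice', 'data2', 'read'],
          ['bob', 'data1', 'read'], ['alice', 'missing', 'read'],
          ['alice', 'data1', 'delete']] as [$user, $id, $act]) {
    // The matcher never references r.act, so 'delete' is decided exactly like 'read'.
    printf("%s %s %s => %s\n", $user, $act, $id,
        var_export(canAccess($e, $store, $user, $id, $act), true));
}
```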
