Mastering Casbin: A Powerful Open‑Source Access Control Framework for PHP

This guide introduces Casbin, an efficient open‑source authorization library. It outlines the supported languages, key features, what Casbin does not handle, its core concepts, and installation via Composer, and provides a complete PHP example with model and policy files to enforce access control.

Open Source Tech Hub

Overview

Casbin is a high‑performance open‑source access‑control framework that supports multiple authorization models such as ACL, RBAC, ABAC, and more.

Supported Programming Languages

[Figure: Supported languages]

Key Features

Custom request format, defaulting to {subject, object, action}.

Storage of access‑control models and policies.

Multi‑level role inheritance for both subjects and resources in RBAC.

Super‑user support (e.g., root or Administrator) that bypasses policy checks.

Built‑in operators such as keyMatch for path‑style resource matching (e.g., /foo/bar matches /foo*).

What Casbin Does Not Provide

Authentication – verification of usernames, passwords, etc. Authentication should be handled by separate components.

Management of user or role lists – Casbin expects the application to maintain these mappings.

Core Concepts

The three fundamental elements in Casbin are Model, Policy, and Enforcer:

Model: a configuration file (CONF) that defines the PERM metamodel (Policy, Effect, Request, Matchers).

Policy: dynamic storage of policy rules, which can reside in .csv files or databases.

Enforcer: evaluates whether a given subject can perform an action on an object according to the loaded model and policy.

Installation

composer require casbin/casbin

Quick Start Example (PHP)

Create a model.conf file:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

Create a policy.csv file:

p, alice, data1, read
p, bob, data2, write

Instantiate the enforcer in PHP:

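<?php
// Load Composer's autoloader so the Casbin classes can be found.
require_once './vendor/autoload.php';
use Casbin\Enforcer;

// Build the enforcer from the model and policy files created above.
$e = new Enforcer('path/to/model.conf', 'path/to/policy.csv');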

Perform an authorization check:

$sub = "alice"; // user
$obj = "data1"; // resource
$act = "read"; // operation

if ($e->enforce($sub, $obj, $act) === true) {
    // allow alice to read data1
} else {
    // deny request
}
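
Added example (not from the original article or the Casbin project): the quick start above extended to the role inheritance and keyMatch features listed under Key Features, written as a table-driven policy check that confirms both the grants and the default deny. The auditor role, the users carol and mallory, and the /reports/* rule are constructed for illustration; the model and policy are written to temporary files so the path-based constructor shown above can load them.

```php
<?php
require_once './vendor/autoload.php';
use Casbin\Enforcer;

// RBAC model: g() resolves role membership, keyMatch() handles path-style objects.
$model = <<<'CONF'
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act
CONF;

// The first two rules are the article's policy.csv; the last two are constructed.
$policy = <<<'CSV'
p, alice, data1, read
p, bob, data2, write
p, auditor, /reports/*, read
g, carol, auditor
CSV;

// Temporary files (assumption: the system temp directory is writable).
$modelPath = tempnam(sys_get_temp_dir(), 'casbin_model_');
$policyPath = tempnam(sys_get_temp_dir(), 'casbin_policy_');
file_put_contents($modelPath, $model . "\n");
file_put_contents($policyPath, $policy . "\n");
$e = new Enforcer($modelPath, $policyPath);

// Each case: [subject, object, action, expected decision].
$cases = [
    ['alice',   'data1',         'read',  true],  // direct grant
    ['alice',   'data1',         'write', false], // action not granted
    ['alice',   'data2',         'read',  false], // object not granted
    ['carol',   '/reports/2024', 'read',  true],  // via auditor role and keyMatch
    ['carol',   '/reports/2024', 'write', false], // role grants read only
    ['mallory', 'data1',         'read',  false], // unknown subject: no rule, so deny
];
$failures = 0;
foreach ($cases as [$sub, $obj, $act, $want]) {
    $got = $e->enforce($sub, $obj, $act);
    $failures += ($got === $want) ? 0 : 1;
    printf("%-4s %s %s %s -> %s\n", $got === $want ? 'ok' : 'FAIL', $sub, $act, $obj, $got ? 'allow' : 'deny');
}
unlink($modelPath); unlink($policyPath);
exit($failures === 0 ? 0 : 1); // non-zero exit lets CI fail on a policy regression
```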