-----
====== Adjusting the rights of a role ======
===== Introduction =====
* RADIUSdesk allows the admin of a cloud to be in one of three possible roles:
  * Admin
  * Operator
  * View
* The rights of the admin are dictated by the role they are in.
* This document covers the technical details of RBA in CakePHP and how to manage the rights for each role.
-----------------
===== RBA in CakePHP =====
* Each controller in CakePHP has various methods that are called.
* These methods are recorded in a config file with the convention **Rba** + controller name + **.php**.
* Refer to the RbaPermanentUsers.php here:
<code php>
<?php
$config['RbaPermanentUsers'] = [
    // Admin role: wildcard
    'admin' => ['*'],
    // View role: commented-out actions are not available
    'view' => [
        'exportCsv',
        'index',
        //'add',
        //'import',
        //'delete',
        'viewBasicInfo',
        //'editBasicInfo',
        'viewPersonalInfo',
        //'editPersonalInfo',
        'privateAttrIndex',
        //'privateAttrAdd',
        //'privateAttrEdit',
        //'privateAttrDelete',
        //'restrictListOfDevices',
        //'autoMacOnOff',
        'viewPassword',
        //'changePassword',
        //'emailUserDetails',
        'enableDisable',
        //Buttons
        //'btnRadius',
        //'btnGraph',
        //'btnByod',
        //'btnTopup',
    ],
    // Operator role
    'granular' => [
        'exportCsv',
        'index',
        'add',
        'import',
        'delete',
        'viewBasicInfo',
        'editBasicInfo',
        'viewPersonalInfo',
        'editPersonalInfo',
        'privateAttrIndex',
        'privateAttrAdd',
        'privateAttrEdit',
        'privateAttrDelete',
        'restrictListOfDevices',
        'autoMacOnOff',
        'viewPassword',
        'changePassword',
        'emailUserDetails',
        'enableDisable',
        //Buttons
        'btnRadius',
        'btnGraph',
        'btnByod',
        'btnTopup',
    ],
    'logActions' => true, // Flag to set if we want actions logged
    'logExcludes' => [
        'index'
    ]
];
return $config;
?>
</code>
* The file returns an array called **$config** with a key that matches the filename without **.php**.
* In our sample it is **RbaPermanentUsers**.
* The value of this key in turn contains an array with the following keys:
- **admin**: Typically contains a wildcard array.
- **view**: Contains an array with all the methods / actions in the controller you want to apply RBA to. Some might be commented out to show they are not available to the **view** role.
- **granular**: Contains an array with all the methods / actions in the controller you want to apply RBA to. Some might be commented out to show they are not available to the **operator** role.
- **logActions**: Specify if actions on this controller need to be recorded in a log.
- **logExcludes**: Specify which actions should be excluded from the log records.
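How the keys above can be evaluated for one request, as an added example that is not RADIUSdesk's own AaComponent code. It assumes a default-deny policy for anything not listed, uses a trimmed, constructed copy of the sample config, and the function names and the ''guest'' role are hypothetical.

```php
<?php
// Added example, not RADIUSdesk code. Trimmed, constructed copy of the sample config.
$config['RbaPermanentUsers'] = [
    'admin'       => ['*'],
    'view'        => ['index', 'viewBasicInfo', 'viewPassword', 'enableDisable'],
    'granular'    => ['index', 'add', 'delete', 'viewBasicInfo', 'editBasicInfo', 'btnTopup'],
    'logActions'  => true,
    'logExcludes' => ['index'],
];

// Assumption: roles map to config keys this way (the operator role uses 'granular').
const ROLE_KEYS = ['admin' => 'admin', 'operator' => 'granular', 'view' => 'view'];

/** Default-deny check: unknown roles, missing keys and unlisted actions are refused. */
function rbaIsAllowed(array $rba, string $role, string $action): bool
{
    $key = ROLE_KEYS[$role] ?? null;
    if ($key === null || !isset($rba[$key]) || !is_array($rba[$key])) {
        return false;
    }
    // Strict comparison so only exact action names (or the '*' wildcard) match.
    return in_array('*', $rba[$key], true) || in_array($action, $rba[$key], true);
}

/** An action is logged when logActions is on and it is not listed in logExcludes. */
function rbaShouldLog(array $rba, string $action): bool
{
    return !empty($rba['logActions'])
        && !in_array($action, $rba['logExcludes'] ?? [], true);
}

$rba = $config['RbaPermanentUsers'];
// 'guest' is a hypothetical role that is not in the config, to show the deny path.
foreach (['admin', 'operator', 'view', 'guest'] as $role) {
    foreach (['index', 'delete', 'btnTopup'] as $action) {
        printf(
            "%-8s %-9s %-5s log=%s\n",
            $role,
            $action,
            rbaIsAllowed($rba, $role, $action) ? 'allow' : 'deny',
            rbaShouldLog($rba, $action) ? 'yes' : 'no'
        );
    }
}
```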
----------------
==== Special entries 'btn' ====
* You might have noticed there are entries under a heading **Buttons**.
* These are special entries that are used to show or hide certain buttons on the applet for an admin role.
* If for instance you do not want to show the Topup button, you can simply comment that entry out.
* The Topup button will then not be included.
--------------
===== Components involved with RBA =====
==== AaComponent ====
* The AaComponent checks whether there is an RBA config file and then applies any restrictions that need to be applied to the role, with an informative error message.
--------------
==== GridButtonsRbaComponent ====
* The GridButtonsRbaComponent checks whether there is an RBA config file and uses it to construct the buttons on the applet's toolbar.