Roles explanation needs to be better

[Digital-Pig-LLC]

I just found in: authorization.global.php, this:
/**
* Example:
'roles' => [
'A' => [],
'B' => ['A'],
'C' => ['B'],
],
* A has no parent role.
* B has A as a parent. That means A inherits the permissions of B.
* C has B as a parent. That means B inherits the permissions of C, and A inherits the permissions of C.
*/

In RBAC, the idea is that roles inherit permissions from their parent roles. So, if a role doesn't have a parent, it should define its permissions explicitly.

The text seems to imply that "admin" inherits permissions from "superuser," but if "superuser" has no permissions, "admin" won’t inherit anything meaningful from "superuser."

In a more logical setup:

• superuser should have all the permissions explicitly defined.
• admin would then inherit those permissions.
• user and guest follow a similar logic.

If "superuser" has no parent, it must have explicit permissions to be meaningful.

[alexmerlin]

The permissions of a superuser may be defined by the developer.
Being a minimal project, Dotkernel API does not include specific permissions for that role.
It is rather an informative role, to let developers know that the role hierarchy may be extended further.

You are right, the current explanatory text might be somewhat confusing, we will rephrase it.

[pinclau]

@Digital-Pig-LLC https://docs.dotkernel.org/api-documentation/v5/core-features/authorization/#usage

If it helps, for example:
for "'B' => ['A']" you could read, "B gives all permission to A". so in this case A inherits all permissions from B,
and because "'C' => ['B']" that you could read "C gives all permissions to B".
So in this case all permissions from C and B ends up to A.

[Digital-Pig-LLC]

I understand what it's saying, the issue is that the documentation uses the term "inherits" and then describes the opposite of inheritance.
If an object has no parent, it is not a part of any inheritance whatsoever. It may be a part of a composition system but not an inheritance system.
Consider the real world: if I have no parents I simply don't exist. We model things from the real world. But I could exist (IVF) if I were "composed" from existing things.

[arhimede]

@Digital-Pig-LLC we are simply copying the mezzio rbac structure and wording
https://docs.mezzio.dev/mezzio-authorization-rbac/v1/basic-usage/

[Digital-Pig-LLC]

@Digital-Pig-LLC we are simply copying the mezzio rbac structure and wording https://docs.mezzio.dev/mezzio-authorization-rbac/v1/basic-usage/

That's not a reason to get something wrong and cause confusion. You all work under the same umbrella, maybe you should mention it to someone on the project or escalate it.

RBAC Inheritance
In RBAC, inheritance usually works top-down: child roles inherit permissions from their parent roles. If a parent role has no permissions, the child role won’t pass its permissions up to the parent. The parent role remains without permissions unless explicitly granted.

It’s always the parent role that dictates the baseline permissions, and the child role can add more but doesn’t transfer them upwards.

Again, I understand what you're getting at, but what you're describing is simply not inheritance. If it's anything, it's composition.