My understanding of ACL is very limited and my use of SonataAdminBundle is very simple, including two roles: `ADMIN` and `SUPER_ADMIN`.

I do not need this complicated ACL in my project (VIEW, EDIT, LIST, DELETE). I would like to determine the access to a certain admin or action just by the role.

Is it good practice to use `admin.isGranted()` or `admin.hasAccess()`, or to use the default `is_granted('SUPER_ADMIN')`? Or `security.authorization_checker` with `isGranted()`?

How do I determine which ROLE has access to which page? For example, showing only certain admin pages for `SUPER_ADMIN` in the sidebar and not allowing them to be accessed by `ADMIN`.
Sonata's role approach defines roles per admin class, including a special role `*_ALL` that grants complete access to the related admin zone, so you could then group these `*_ALL` roles under `ROLE_ADMIN` or `ROLE_SUPER_ADMIN` in your `role_hierarchy` (`security.yml` file), e.g.:

```yaml
role_hierarchy:
    ROLE_ADMIN:
        - ROLE_USER
        - ROLE_FOO_BUNDLE_BAR_ADMIN_ALL
        - ROLE_FOO_BUNDLE_BAZ_ADMIN_ALL
        # ...
    ROLE_SUPER_ADMIN:
        - ROLE_ADMIN
        - ROLE_ALLOWED_TO_SWITCH
        - ROLE_SU_BUNDLE_SU_ADMIN_ALL
        # ...
```

Following this inheritance approach, you can assign just `ROLE_ADMIN` to some users and `ROLE_SUPER_ADMIN` to others. You could even make some subgroups of roles for specific actions.
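To see what the hierarchy above actually grants, here is an added example (not code from the answer or from Symfony/Sonata) that re-implements Symfony's transitive role expansion over that same `role_hierarchy` and checks which per-admin `*_ALL` roles a user with `ROLE_ADMIN` versus `ROLE_SUPER_ADMIN` can reach; the `ADMIN_ROLES` sidebar mapping and the `visible_admins` helper are constructed for the illustration.

```python
from collections import deque

# Role hierarchy copied from the answer's security.yml, as a dict (constructed).
ROLE_HIERARCHY = {
    "ROLE_ADMIN": [
        "ROLE_USER",
        "ROLE_FOO_BUNDLE_BAR_ADMIN_ALL",
        "ROLE_FOO_BUNDLE_BAZ_ADMIN_ALL",
    ],
    "ROLE_SUPER_ADMIN": [
        "ROLE_ADMIN",
        "ROLE_ALLOWED_TO_SWITCH",
        "ROLE_SU_BUNDLE_SU_ADMIN_ALL",
    ],
}


def reachable_roles(assigned, hierarchy=ROLE_HIERARCHY):
    """Expand the assigned roles transitively, as Symfony's RoleHierarchy does."""
    reachable = set(assigned)
    queue = deque(assigned)
    while queue:
        role = queue.popleft()
        for child in hierarchy.get(role, []):
            if child not in reachable:
                reachable.add(child)
                queue.append(child)
    return reachable


def is_granted(user_roles, required_role, hierarchy=ROLE_HIERARCHY):
    """Mimics is_granted('ROLE_X'): true if the role is held directly or inherited."""
    return required_role in reachable_roles(user_roles, hierarchy)


# Hypothetical sidebar entries mapped to the per-admin *_ALL roles from the answer.
ADMIN_ROLES = {
    "bar": "ROLE_FOO_BUNDLE_BAR_ADMIN_ALL",
    "baz": "ROLE_FOO_BUNDLE_BAZ_ADMIN_ALL",
    "su": "ROLE_SU_BUNDLE_SU_ADMIN_ALL",
}


def visible_admins(user_roles, admin_roles, hierarchy=ROLE_HIERARCHY):
    """Sidebar entries to show: those whose *_ALL role the user can reach."""
    return sorted(name for name, role in admin_roles.items()
                  if is_granted(user_roles, role, hierarchy))


if __name__ == "__main__":
    print(visible_admins(["ROLE_ADMIN"], ADMIN_ROLES))        # ['bar', 'baz']
    print(visible_admins(["ROLE_SUPER_ADMIN"], ADMIN_ROLES))  # ['bar', 'baz', 'su']
```

The `su` entry only appears for `ROLE_SUPER_ADMIN` because `ROLE_SU_BUNDLE_SU_ADMIN_ALL` is not reachable from `ROLE_ADMIN`, which is exactly the split the question asks for.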