Configuration of Zend 2 Acl instances using XML

3.1.1 2018-07-05 17:09 UTC

This package is auto-updated.

Last update: 2024-05-22 22:22:58 UTC


Quality Assurance

PHP 5.6 PHP 7 Build Status Test Coverage Code Climate

The above badges represent the current development branch. As a rule, I don't push to GitHub unless tests, coverage and usability are acceptable. This may not be true for short periods of time; on holiday, need code for some other downstream project etc. If you need stable code, use a tagged version. Read 'Further Documentation' and 'Installation'.

Test Contract in the docs directory.

Please note that developer support for PHP5.5 was withdrawn at version 3.0.0 of this library. If you need support for PHP 5.5, please use a version >=2,<3


Provides the ability to specify a Zend ACL using XML. The XML is validated by an XSD file which you can also use in your XML editor


Zend/Permissions/Acl is a great and lightweight way of providing access control to your applications, but it can be a PITA to configure using the native command set. As it happens, it is ideally placed, because of its structure, to be driven by an XML configuration.

This also means that the ACL can be managed by some third party application or service.
It is not beyond the wit of most to be able to write an XSL translation for instance, that takes a definition from LDAP and converts to this library format to be able then to control the ACL from your organisation's LDAP servers.


The current library handles reading nested XML files (or content) and returning an ACL. If you'd like new features, please suggest them in the issues tracker, or better still, fork the lib and issue a pull request (but please don't forget the unit tests!)


To understand how to use it, see the test files, in particular, take a look at AclDirectorTest as a starting point and work down from there.

In essence you need to do two things

  1. Provide an XML definition of the ACL
  2. Tell the Director where the XML is

This library depends on the Builder Pattern and the Strong Type libraries.

Defining the XML

For the canonical truth, study the XSD file located in src/chippyash/Zend/Acl/Xml/xsd

There is also an example XML file used for testing located in test/src/chippyash/Zend/Acl/Xml/fixtures

The XSD namespace is It is publicly available at the same url.

Your XML file should be defined as

<?xml version="1.0" encoding="UTF-8"?>
<acl xmlns=""

NB. you can replace the second part of the xsi:schemaLocation attribute to point at a local disk version of the XSD if you want to tinker with the XSD. e.g.

xsi:schemaLocation=" ../../zendacl.xsd"

Essentially, Zend-ACL defines the ACL in three parts:

  • Roles
  • Resources
  • Rules

Whilst you can define Roles and Resources independently, Rules require that you have already defined Roles and Resources to act on. Rules also allow you to set additional privileges and assertions.

To provide an ACL you must specify all three parts.


  • A role can have the following optional attributes:
    • type: string: default = "GenericRole". Name of your specialized role class. The default uses the Zend GenericRole
    • parents: string: default = none. Comma separated list of names of parents for this role
  • Content for the role element is the role name


  • A resource can have the following optional attributes:
    • type: string: default = "GenericResource". Name of your specialized resource class. The default uses the Zend GenericResource
    • parent: string: default = none. Name of parent for this resource. NB. unlike roles, resources may only have a single parent.
  • Content for the resource element is the resource name


  • A rule has an obligatory attribute:
    • type: string: one of 'ALLOW' or 'DENY'
  • A rule has the following optional arguments:
    • roles: string: default = "*". comma separated list of role names that the rule applies to
    • resources: string: default = "*". comma separated list of resource names that the rule applies to
    • assertion: string: default = none. Fully namespaced class providing the assertion.
      The class must exist and implement the Zend\Permissions\Acl\Assertion\AssertionInterface. You can find an example in test/src/chippyash/Zend/Acl/Xml/Stubs
  • a rule can contain optional <privilege> elements. Each <privilege> element contains the name of an arbitrary privilege.

Importing definitions

You can import other ACL definitions into your definition by using the


If no path given, then expect file to be in same directory as parent file. If path begins .., then expect file to be in directory relative to parent file. If path supplied, then expect file to be in that directory. Thus the following are all valid:



All definition items are processed in the order that they appear in the XML file. Imports are processed first, by a L2R, depth first strategy.

Build the ACL

    use Chippyash\Zend\Acl\Xml\AclDirector;
    use Chippyash\Type\String\StringType;

    $location = new StringType('/location/of/my/acl.xml');
    $director = new AclDirector($location);
    $acl = $director->build();

Alternatively, you can pass in the XML to act on as a string, rather than a file. The string must of course conform to the zendacl.xsd ( schema and be valid XML.

    use Chippyash\Zend\Acl\Xml\AclDirector;
    use Chippyash\Type\String\StringType;

    $content = new StringType($myAclXml);
    $director = new AclDirector($content);
    $acl = $director->build();

Changing the library

  1. fork it
  2. write the test
  3. amend it
  4. do a pull request

Found a bug you can't figure out?

  1. fork it
  2. write the test
  3. do a pull request

NB. Make sure you rebase to HEAD before your pull request


The library is hosted at Github. It is available at


Install Composer

For production


    "chippyash/zend-acl-xml-builder": ">=3,<4"

to your composer.json "requires" section

For development

Clone this repo, and then run Composer in local repo root to pull in dependencies

    git clone ZendAclBuilder
    cd ZendAclBuilder
    composer install --dev

To run the tests:

    cd ZendAclBuilder
    vendor/bin/phpunit -c test/phpunit.xml test/

Other stuff

Check out ZF4 Packages for more packages


This software library is released under the BSD 3 Clause license

This software library is Copyright (c) 2015-2018, Ashley Kitson, UK


V0... pre releases

V1.0.0 First version

V1.1.0 New feature: Namespaced the XSD and placed on public server

V1.2.0 New features:

  • ACL definitions can import other definitions
  • XML can be passed in as string as well as file

V1.2.1 Remove hard dependency on Zend-ACL version

V2.0.0 BC Break: change chippyash\Zend\Acl namespace to Chippyash\Zend\Acl

V2.0.1 moved from coveralls to codeclimate

V2.0.2 Add link to packages

V2.0.3 Verify PHP 7 compatibility

V2.0.4 Update dependencies

V2.0.5 update composer - forced by packagist composer.json format change

V3.0.0 BC Break. Withdraw support for old PHP versions

V3.1.0 Change of license from GPL V3 to BSD 3 Clause

V3.1.1 readme update