'role' | ['roles'] | '*'
 *          'prefix' => 'Prefix' | , (default = null)
 *          'plugin' => 'Plugin' | , (default = null)
 *          'controller' => 'Controller' | ['Controllers'] | '*',
 *          'action' => 'action' | ['actions'] | '*',
 *          'allowed' => true | false | callback (default = true)
 *      ]
 * You could use '*' to match anything.
 * 'allowed' is treated as true when it is not defined. It also accepts a callable to manage
 * complex permissions, like this:
 *      'allowed' => function (array $user, $role, Request $request) {}
 *
 * Example: using an 'allowed' callable so that only the owner of a post may edit/delete it.
 * (Remember to add the `use` statements for Hash, TableRegistry and Request at the top of
 * the permissions.php file.)
 *
 * Notes on the example:
 *  - It denies by default: it returns true only when both ids are non-empty and strictly
 *    equal, and false otherwise.
 *  - The strict `===` also requires both ids to have the same type; a type mismatch denies
 *    the owner rather than granting access to someone else.
 *  - NOTE(review): Table::get() is expected to throw (RecordNotFoundException in CakePHP) when
 *    no record matches, so a missing or invalid 'pass.0' ends in an exception instead of
 *    `return false` - confirm the application turns that into a denial or a 404.
 *
 *      [
 *          'role' => ['user'],
 *          'controller' => ['Posts'],
 *          'action' => ['edit', 'delete'],
 *          'allowed' => function(array $user, $role, Request $request) {
 *              $postId = Hash::get($request->params, 'pass.0');
 *              $post = TableRegistry::get('Posts')->get($postId);
 *              $userId = Hash::get($user, 'id');
 *              if (!empty($post->user_id) && !empty($userId)) {
 *                  return $post->user_id === $userId;
 *              }
 *              return false;
 *          }
 *      ],
 */
// Permission rules read by the Users plugin's SimpleRbac component. Each entry is one rule
// in the format described in the comment above.
return [
    'Users.SimpleRbac.permissions' => [
        // Every role ('*') on every controller and action of the CakeDC/Users plugin.
        // 'allowed' is omitted, which the key reference above treats as true.
        [
            'role' => '*',
            'plugin' => 'CakeDC/Users',
            'controller' => '*',
            'action' => '*',
        ],
        // Role 'user' may call register, edit and view on the plugin's Users controller.
        [
            'role' => 'user',
            'plugin' => 'CakeDC/Users',
            'controller' => 'Users',
            'action' => ['register', 'edit', 'view'],
        ],
        // Role 'user' is explicitly denied every action on the plugin's Users controller.
        // NOTE(review): the wildcard rule at the top of this list matches the same requests.
        // If SimpleRbac stops at the first matching rule (confirm for the installed plugin
        // version), this deny is never reached and role 'user' keeps access to every plugin
        // action. Put the specific allow/deny rules before the wildcard, or narrow the
        // wildcard, if the deny is meant to take effect.
        [
            'role' => 'user',
            'plugin' => 'CakeDC/Users',
            'controller' => 'Users',
            'action' => '*',
            'allowed' => false,
        ],
        // Role 'user' may call other and display on the Pages controller. No 'plugin' key is
        // given, which the key reference above documents as defaulting to null - presumably
        // the application-level controller; confirm.
        [
            'role' => ['user'],
            'controller' => ['Pages'],
            'action' => ['other', 'display'],
            'allowed' => true,
        ],
    ]
];