KMP PHP API Reference

AuthorizationApprovalPolicy extends BasePolicy
in package

Authorization Approval Policy for Multi-Level Approval Workflows

This policy class defines authorization rules for AuthorizationApproval entity operations within the KMP Activities plugin. It provides comprehensive access control for multi-level approval workflows, approval queue management, and authorization approval processes with activity-specific permission validation and approver authority verification.

Purpose:

  • Controls access to AuthorizationApproval entity operations through activity-specific permission validation
  • Manages multi-level approval workflows with approver authority verification
  • Provides approval queue access control for individual approvers and administrative oversight
  • Integrates with KMP's RBAC system for activity-specific approval authority validation

Authorization Architecture:

  • Activity-Based Authorization: Approval authority based on activity-specific permission requirements
  • Approver Validation: Integration with ActivitiesTable for approver authority verification
  • Queue-Based Access: Individual approver access to their own approval queues
  • Administrative Oversight: Permission-based access for approval workflow management

Key Features:

  • Activity-Specific Approval Authority: Validates approver permissions for specific activities
  • Multi-Level Workflow Support: Manages complex approval chains with role-based authority
  • Queue Management: Individual and administrative access to approval queues
  • Approval Chain Security: Prevents unauthorized approval operations and workflow manipulation
  • Integration with Permission System: Activity-specific permission validation for approval authority

Approval Authority Validation:

  • Uses ActivitiesTable::canAuthorizeActivity() for activity-specific permission checking
  • Validates approver authority based on activity permission requirements
  • Supports role-based approval authority with warrant validation
  • Integrates with branch scoping for organizational approval boundaries

Access Control Patterns:

  • Individual Approver Access: Direct access to own approval queue and assigned approvals
  • Activity-Based Authority: Permission validation for activity-specific approval operations
  • Administrative Oversight: Permission-based access for approval workflow management
  • Queue Security: Restricted access to approval queues based on approver assignment

Integration Points:

  • ActivitiesTable: Activity-specific approval authority validation
  • PermissionsLoader: Core permission validation and warrant checking
  • BasePolicy: Inherited permission discovery and policy framework integration
  • Authorization Workflow: Multi-level approval process management and validation

Security Considerations:

  • Approval authority validation prevents unauthorized approval operations
  • Activity-specific permission checking ensures proper qualification for approval roles
  • Queue access control maintains privacy and workflow integrity
  • Integration with warrant system provides temporal validation for approval authority
Tags
see
BasePolicy

Parent policy with core RBAC functionality

see
AuthorizationApproval

Authorization approval entity

see
ActivitiesTable

Activity-specific approval authority validation

see
AuthorizationApprovalsController

Approval workflow management

Table of Contents

Methods

before()  : bool|null
Check if $user is a super user and can skip auth with an auto True
canAdd()  : bool
Check if $user can add RolesPermissions
canApprove()  : bool
Check if the user can approve authorization requests.
canAvailableApproversList()  : bool
Determines whether a user may view the list of available approvers for an authorization workflow.
canDelete()  : bool
Check if $user can delete RolesPermissions
canDeny()  : bool
Check if the user can deny authorization requests.
canEdit()  : bool
Check if $user can edit RolesPermissions
canGridData()  : bool
Check if $user can view role
canIndex()  : bool
Check if $user can view role
canMobileApprove()  : bool
Determine whether the user may approve the authorization request from a mobile interface.
canMobileDeny()  : bool
Determine whether the user may deny the authorization request via the mobile interface.
canMyQueue()  : bool
Check if the user can access their own authorization approval queue.
canView()  : bool
Check if the user can view authorization approval records.
canViewPrivateNotes()  : bool
Check if $user can view hidden
scopeIndex()  : mixed
Apply scope for index action.
_getBranchIdsForPolicy()  : array<string|int, mixed>|null
Check if $user can view hidden
_getPermissions()  : bool
Check if $user can view hidden
_getPolicies()  : bool
Check if $user can view hidden
_hasPolicy()  : bool
Check if $user can view hidden
_hasPolicyForUrl()  : bool
Check if $user can view hidden
_isSuperUser()  : bool
Check if $user is a super user

Methods

before()

Check if $user is a super user and can skip auth with an auto True

public before(KmpIdentityInterface $user, mixed $resource, string $action) : bool|null
Parameters
$user : KmpIdentityInterface

The user.

$resource : mixed

The resource.

$action : string

The action.

Return values
bool|null

canApprove()

Check if the user can approve authorization requests.

public canApprove(KmpIdentityInterface $user, AuthorizationApproval $entity, mixed ...$optionalArgs) : bool

Determines approval authority for authorization requests based on activity-specific permission requirements and approver qualification validation through the Activities table authorization system.

Authorization Logic:

  • Validates activity-specific approval authority through ActivitiesTable::canAuthorizeActivity()
  • Resolves activity ID from authorization relationship for permission checking
  • Ensures approver has appropriate permissions for the specific activity type
  • Integrates with KMP's RBAC system for warrant-based temporal validation

Activity-Specific Validation:

  • Each activity has specific permission requirements for approval authority
  • Approvers must have appropriate role assignments and warrant validation
  • Permission checking includes branch scoping and organizational boundaries
  • Supports complex approval hierarchies with role-based authority

Authorization Resolution:

  1. Attempts to resolve activity ID from contained authorization relationship
  2. Falls back to database lookup if relationship not loaded
  3. Validates approver authority for the specific activity through ActivitiesTable
  4. Returns boolean result based on permission and warrant validation

Permission Requirements: Activity-specific approval authority typically includes:

  • Role assignments with approval authority for the activity type
  • Valid warrants for the approval role during the authorization request period
  • Branch-scoped permissions matching organizational approval boundaries
  • Activity-specific permission requirements defined in activity configuration

Usage Examples:

// Controller authorization for approval interface
$this->Authorization->authorize($authorizationApproval, 'approve');

// Service-level approval authority validation
if ($this->Authorization->can($user, 'approve', $authorizationApproval)) {
    $authorizationManager->approve($approval->id, $user->id, $nextApproverId);
}

Security Considerations:

  • Approval authority validation prevents unauthorized approval operations
  • Activity-specific permission checking ensures qualified approvers only
  • Integration with warrant system provides temporal validation for approval roles
  • Database fallback ensures robust authorization resolution
Parameters
$user : KmpIdentityInterface

The requesting user

$entity : AuthorizationApproval

The authorization approval entity

$optionalArgs : mixed

Additional arguments for policy evaluation

Tags
see
ActivitiesTable::canAuthorizeActivity()

Activity-specific approval authority validation

Return values
bool

True if user can approve the authorization request, false otherwise

canAvailableApproversList()

Determines whether a user may view the list of available approvers for an authorization workflow.

public canAvailableApproversList(KmpIdentityInterface $user, AuthorizationApproval $approval, mixed ...$optionalArgs) : bool

Grants access when the user is the approval's assigned approver; otherwise falls back to policy-based permission checks to allow administrative or delegated approver discovery.

Parameters
$user : KmpIdentityInterface

The requesting user.

$approval : AuthorizationApproval

The authorization approval entity whose approver ownership is evaluated.

$optionalArgs : mixed

Additional optional arguments for policy evaluation.

Return values
bool

true if the user can view the available approvers list, false otherwise.

canDeny()

Check if the user can deny authorization requests.

public canDeny(KmpIdentityInterface $user, AuthorizationApproval $entity, mixed ...$optionalArgs) : bool

Determines denial authority for authorization requests based on activity-specific permission requirements and approver qualification validation through the Activities table authorization system.

Authorization Logic:

  • Validates activity-specific approval authority through ActivitiesTable::canAuthorizeActivity()
  • Uses identical authorization logic to approve() method for consistent permission validation
  • Resolves activity ID from authorization relationship for permission checking
  • Ensures approver has appropriate permissions for the specific activity type

Activity-Specific Validation:

  • Denial authority follows same permission requirements as approval authority
  • Approvers must have appropriate role assignments and warrant validation
  • Permission checking includes branch scoping and organizational boundaries
  • Supports complex approval hierarchies with role-based denial authority

Authorization Resolution:

  1. Attempts to resolve activity ID from contained authorization relationship
  2. Falls back to database lookup if relationship not loaded
  3. Validates approver authority for the specific activity through ActivitiesTable
  4. Returns boolean result based on permission and warrant validation

Usage Examples:

// Controller authorization for denial interface
$this->Authorization->authorize($authorizationApproval, 'deny');

// Service-level denial authority validation
if ($this->Authorization->can($user, 'deny', $authorizationApproval)) {
    $authorizationManager->deny($approval->id, $user->id, $reason);
}

Security Considerations:

  • Denial authority validation prevents unauthorized denial operations
  • Uses same permission validation as approval for consistent security model
  • Integration with warrant system provides temporal validation for denial authority
  • Maintains audit trail for denial operations and accountability
Parameters
$user : KmpIdentityInterface

The requesting user

$entity : AuthorizationApproval

The authorization approval entity

$optionalArgs : mixed

Additional arguments for policy evaluation

Tags
see
ActivitiesTable::canAuthorizeActivity()

Activity-specific denial authority validation

Return values
bool

True if user can deny the authorization request, false otherwise

canMobileApprove()

Determine whether the user may approve the authorization request from a mobile interface.

public canMobileApprove(KmpIdentityInterface $user, AuthorizationApproval $entity, mixed ...$optionalArgs) : bool
Parameters
$user : KmpIdentityInterface

The requesting user.

$entity : AuthorizationApproval

The authorization approval entity.

$optionalArgs : mixed

Additional arguments for policy evaluation.

Return values
bool

true if the user can approve the authorization request, false otherwise.

canMobileDeny()

Determine whether the user may deny the authorization request via the mobile interface.

public canMobileDeny(KmpIdentityInterface $user, AuthorizationApproval $entity, mixed ...$optionalArgs) : bool
Parameters
$user : KmpIdentityInterface

The requesting user.

$entity : AuthorizationApproval

The authorization approval entity.

$optionalArgs : mixed

Additional arguments for policy evaluation.

Return values
bool

true if the user can deny the authorization request, false otherwise.

canMyQueue()

Check if the user can access their own authorization approval queue.

public canMyQueue(KmpIdentityInterface $user, AuthorizationApproval $entity, mixed ...$optionalArgs) : bool

Determines access to personal approval queue interface based on general approval authority validation through the Activities table authorization system.

Authorization Logic:

  • Validates user has approval authority for any activity type
  • Uses ActivitiesTable::canAuhtorizeAnyActivity() for general approval capability checking
  • Provides access to personal approval queue dashboard and management interface
  • Supports approver workflow management and queue prioritization

Queue Access Control:

  • Personal queue access requires general approval authority for any activity
  • Prevents unauthorized access to approval workflow interfaces
  • Enables efficient approval queue management for qualified approvers
  • Supports cross-activity approval authority validation

Approval Authority Validation:

  • Checks for any activity approval permissions through Activities table
  • Validates role assignments with approval authority across activity types
  • Includes warrant validation for temporal approval authority
  • Supports branch-scoped approval authority for organizational boundaries

Usage Examples:

// Queue access authorization in controller
$this->Authorization->authorize($this->AuthorizationApprovals->newEmptyEntity(), 'myQueue');

// Service-level queue access validation
if ($this->Authorization->can($user, 'myQueue', $approvalEntity)) {
    $queueItems = $this->getPersonalApprovalQueue($user->id);
}

Queue Management Features:

  • Personal approval queue dashboard access
  • Cross-activity approval workflow management
  • Approval priority and timeline management
  • Integration with notification and reminder systems

Security Considerations:

  • Queue access restricted to users with actual approval authority
  • Prevents unauthorized access to approval workflow interfaces
  • Integration with audit trail for queue access tracking
  • Maintains workflow security and approver accountability
Parameters
$user : KmpIdentityInterface

The requesting user

$entity : AuthorizationApproval

The authorization approval entity

$optionalArgs : mixed

Additional arguments for policy evaluation

Tags
see
ActivitiesTable::canAuhtorizeAnyActivity()

General approval authority validation

Return values
bool

True if user can access their approval queue, false otherwise

canView()

Check if the user can view authorization approval records.

public canView(KmpIdentityInterface $user, AuthorizationApproval|Table $entity, mixed ...$optionalArgs) : bool

Determines view access for authorization approval records based on dual authorization model combining approver ownership and administrative permission validation.

Authorization Logic:

  1. Approver Access: Direct access for assigned approvers to their approval records
  2. Administrative Access: Permission-based access for approval workflow oversight
  3. Permission Validation: Delegates to BasePolicy for administrative viewing permissions

Approver-Based Access:

  • Direct access when entity->approver_id matches requesting user's ID
  • Enables approvers to view their assigned approval records and queue
  • Supports approver workflow management and decision tracking

Permission-Based Access: For administrative operations, typically requires permissions such as:

  • "Activities.viewApprovals": Authority to view approval records and workflows
  • "Activities.manageApprovals": Administrative approval workflow management
  • "Activities.auditApprovals": Access to approval audit trails and analytics
  • Branch-scoped permissions: Organizational boundaries for approval visibility

Usage Examples:

// Approver viewing assigned approval
$this->Authorization->authorize($authorizationApproval, 'view'); // Returns true for assigned approver

// Administrative approval record review
if ($this->Authorization->can($user, 'view', $authorizationApproval)) {
    $approvalDetails = $this->getApprovalDetailsWithHistory($approval->id);
}

Security Considerations:

  • Approver access maintains workflow privacy and assigned responsibility
  • Administrative access requires appropriate permission validation
  • Integration with audit trail for approval record access tracking
  • Prevents unauthorized access to sensitive approval workflow information
Parameters
$user : KmpIdentityInterface

The requesting user

$entity : AuthorizationApproval|Table

The authorization approval entity or table

$optionalArgs : mixed

Additional arguments for policy evaluation

Tags
see
BasePolicy::_hasPolicy()

Core permission validation for administrative access

Return values
bool

True if user can view the authorization approval, false otherwise

_getBranchIdsForPolicy()

Check if $user can view hidden

protected _getBranchIdsForPolicy(KmpIdentityInterface $user, string $policyMethod) : array<string|int, mixed>|null
Parameters
$user : KmpIdentityInterface

The user.

$policyMethod : string
Return values
array<string|int, mixed>|null

_hasPolicy()

Check if $user can view hidden

protected _hasPolicy(KmpIdentityInterface $user, string $policyMethod, BaseEntity|Table $entity[, int|null $branchId = null ][, mixed $grantSource = null ]) : bool
Parameters
$user : KmpIdentityInterface

The user.

$policyMethod : string
$entity : BaseEntity|Table
$branchId : int|null = null
$grantSource : mixed = null
Return values
bool

_hasPolicyForUrl()

Check if $user can view hidden

protected _hasPolicyForUrl(KmpIdentityInterface $user, string $policyMethod, array<string|int, mixed> $urlProps[, int|null $branchId = null ][, mixed $grantSource = null ]) : bool
Parameters
$user : KmpIdentityInterface

The user.

$policyMethod : string
$urlProps : array<string|int, mixed>
$branchId : int|null = null
$grantSource : mixed = null
Return values
bool 

        

        
    




    

    

                                

                

                                
    

        On this page

        
    


                

                            

            

    

        

            
Search results