I wanted to deny the use of MDM to everyone who wasn't admin. I was expecting to be able to set up a deny rule then allow access to it for some users but it doesn't seem to work like this.
The basic principle is deny everything then allow you to create permissions (or roles) specifying the routes you want to allow.
After installing mdm add the following to your
return [ 'components' => [ 'authManager' => [ 'class' => 'yii\rbac\DbManager', 'defaultRoles' => [ 'guest' ] ], ], 'modules' => [ 'mdm' => [ 'class' => 'mdm\admin\Module' ], ], 'as access' => [ 'class' => 'mdm\admin\components\AccessControl', 'allowActions' => [ '*' ] ], ];
This will allow access to every page as though the MDM module was not installed.
Next we have to create a route rule for every controller or module. On the management page go to the "Routes" section. Look down the list and add all the top level routes i.e. from the list /a/b/c, /a/b/*, /a/* choose /a/*. One of the will be /mdm/* (if that is what you have called the MDM module when you installed it).
From the management page go to the "Roles" section and click "Create". Enter "guest" as the name and for the description you can add "Default role assigned to all users". Finish by clicking create. You are presented with the ability to then add allow routes to your role. Highlight all the routes that your guest is allowed to use and click the ">>" button to move them over into the allowed section.
If you are being all proper like, then you would create a permission called guest_routes, assign all the routes to the permission, then assign the permission to the newly created "guest" role.
Back to the management page and click "Permissions" and then "Create". For name enter "admin_routes" and for the description "Routes allowed to administrators". After clicking "Create" you are taken to the screen allowing you to add all the routes that this permission allows the user to use.
Now go back to the management page and add the permission to what ever makes sense for you. I have a role called "Super User" which is assigned to me, so all I have to do is add "admin_routes" permission to the "Super User" role.
The final step is to tighten up the front access rules to deny all. Make the following change to your
return [ 'as access' => [ 'class' => 'mdm\admin\components\AccessControl', 'allowActions' => [ ] ], ];
As far as I could work out, there's no deny rule. It works by denying everything and only allowing the things you specify. It would be nice to have a
denyActions that allowed you to specify a route to automatically deny then set up a permission to allow access. It would certain be a lot less work in this case particularly as I will have to keep updating it as I add controllers and modules.