Radius/app/config/security.yml

security:
    providers:
        oauth:
            id: base_oauth_bundle.oauth_user_provider

    role_hierarchy:

        # RADIUS_PROFILE
        ROLE_SONATA_RADIUS_PROFILE_READER: [ROLE_ADMIN, ROLE_SONATA_ADMIN_RADIUS_PROFILE_LIST, ROLE_SONATA_ADMIN_RADIUS_PROFILE_VIEW]
        ROLE_SONATA_RADIUS_PROFILE_EDITOR: [ROLE_SONATA_RADIUS_PROFILE_READER, ROLE_SONATA_ADMIN_RADIUS_PROFILE_CREATE, ROLE_SONATA_ADMIN_RADIUS_PROFILE_EDIT]
        ROLE_SONATA_RADIUS_PROFILE_ADMIN: [ROLE_SONATA_RADIUS_PROFILE_EDITOR, ROLE_SONATA_ADMIN_RADIUS_PROFILE_DELETE, ROLE_SONATA_ADMIN_RADIUS_PROFILE_EXPORT]

        # ACCESS
        ROLE_SONATA_ACCESS_READER: [ROLE_ADMIN, ROLE_SONATA_ADMIN_ACCESS_LIST, ROLE_SONATA_ADMIN_ACCESS_VIEW]
        ROLE_SONATA_ACCESS_EDITOR: [ROLE_SONATA_ACCESS_READER, ROLE_SONATA_ADMIN_ACCESS_CREATE, ROLE_SONATA_ADMIN_ACCESS_EDIT]
        ROLE_SONATA_ACCESS_ADMIN: [ROLE_SONATA_ACCESS_EDITOR, ROLE_SONATA_ADMIN_ACCESS_DELETE, ROLE_SONATA_ADMIN_ACCESS_EXPORT]

        # NAS_MODEL
        ROLE_SONATA_NAS_MODEL_READER: [ROLE_ADMIN, ROLE_SONATA_ADMIN_NAS_MODEL_LIST, ROLE_SONATA_ADMIN_NAS_MODEL_VIEW]
        ROLE_SONATA_NAS_MODEL_EDITOR: [ROLE_SONATA_NAS_MODEL_READER, ROLE_SONATA_ADMIN_NAS_MODEL_CREATE, ROLE_SONATA_ADMIN_NAS_MODEL_EDIT]
        ROLE_SONATA_NAS_MODEL_ADMIN: [ROLE_SONATA_NAS_MODEL_EDITOR, ROLE_SONATA_ADMIN_NAS_MODEL_DELETE, ROLE_SONATA_ADMIN_NAS_MODEL_EXPORT]

        # NAS
        ROLE_SONATA_NAS_READER: [ROLE_ADMIN, ROLE_SONATA_ADMIN_NAS_LIST, ROLE_SONATA_ADMIN_NAS_VIEW]
        ROLE_SONATA_NAS_EDITOR: [ROLE_SONATA_NAS_READER, ROLE_SONATA_ADMIN_NAS_CREATE, ROLE_SONATA_ADMIN_NAS_EDIT]
        ROLE_SONATA_NAS_ADMIN: [ROLE_SONATA_NAS_EDITOR, ROLE_SONATA_ADMIN_NAS_DELETE, ROLE_SONATA_ADMIN_NAS_EXPORT]

        # WORKFLOW
        ROLE_SONATA_WORKFLOW_READER: [ROLE_ADMIN, ROLE_SONATA_ADMIN_WORKFLOW_LIST, ROLE_SONATA_ADMIN_WORKFLOW_VIEW]
        ROLE_SONATA_WORKFLOW_EDITOR: [ROLE_SONATA_WORKFLOW_READER, ROLE_SONATA_ADMIN_WORKFLOW_CREATE, ROLE_SONATA_ADMIN_WORKFLOW_EDIT]
        ROLE_SONATA_WORKFLOW_ADMIN: [ROLE_SONATA_WORKFLOW_EDITOR, ROLE_SONATA_ADMIN_WORKFLOW_DELETE, ROLE_SONATA_ADMIN_WORKFLOW_EXPORT]

        # ACTION
        ROLE_SONATA_ACTION_READER: [ROLE_ADMIN, ROLE_SONATA_ADMIN_ACTION_LIST, ROLE_SONATA_ADMIN_ACTION_VIEW]
        ROLE_SONATA_ACTION_EDITOR: [ROLE_SONATA_ACTION_READER, ROLE_SONATA_ADMIN_ACTION_CREATE, ROLE_SONATA_ADMIN_ACTION_EDIT]
        ROLE_SONATA_ACTION_ADMIN: [ROLE_SONATA_ACTION_EDITOR, ROLE_SONATA_ADMIN_ACTION_DELETE, ROLE_SONATA_ADMIN_ACTION_EXPORT]

        ROLE_ADMIN_TENANCIES: ROLE_ADMIN_TENANCIES
        ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_USER_CREATE, ROLE_ADMIN_TENANCIES, ROLE_ALLOWED_TO_SWITCH]

    firewalls:

        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        api:
          pattern: ^/api
          stateless: true
          oauth_proxy: true

        secured_area:
            pattern: ^/
            logout:
                path:   /logout
                target: /
                success_handler: base_admin.security.logout.handler
            anonymous: true
            # HWIOAuthBundle + BaseOAuthBundle Configuration
            oauth:
                login_path: /login
                failure_path: /login
                check_path: /login
                resource_owners:
                    login: /login_check
                oauth_user_provider:
                    service: base_oauth_bundle.oauth_user_provider

    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path: ^/api/onus/onus/migrate.json, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/profiles/profiles/migrate.json, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, role: ROLE_USER }