[Repost] My Understanding of Rights Management Design 1

Reprinted from: http://accessmanager.group.iteye.com/group/topic/39152

Many people are aware of role-based rights management design (RBAC), but most do not understand what a complete rights management system includes.

Here, we illustrate the complete content of rights management through its usage scenarios.

The first part is authentication management, that is, the authority judgment logic.

1. The most basic authority management is menu management. Function modules that the user has no authority for are not displayed as menu nodes. (Many people think this is permission management!)
   Example: After ordinary business personnel log in to the system, they cannot see the [User Management] menu.

2. Function authority management. The functions of a B/S system are reflected in URLs, so function authority management is mainly the management of URL access. (Many people don't know what the object of permission management is.)
   Example: After authorization, the department manager can see the [User Management] menu and view the user information of the department, but the permission design requires that the department manager does not have permission to add users. Therefore, when the [Add User] function (URL) is accessed, a prompt message about authorization should be shown. At the same time, on the [User Management] page, the [Add User] button should be grayed out and not clickable.

3. Row-level permission management.
   Example: For forum administrators, the permission design requires that A can manage the forum [news section] but not the forum [technical exchange]. The permission design should then judge the permission information according to the corresponding ID of the forum.

4. Column-level authority management.
   Example: The business authority design requires that, except for sales staff, other users cannot see the customer's contact information. The permission design should then determine whether the corresponding field (column) can be displayed.

5. Organization/department-level data authority management.
   Example: The business authority design requires that personnel in Sales Department 1 can only see the sales orders of their own department, and personnel in Sales Department 2 can only see the sales orders of their own department, but sales managers can see the sales orders of Sales Department 1 and Sales Department 2 at the same time. The authority design should then be judged according to the department attribute of the sales order data itself.

6. Authority management of scoped business data.
   Example: When placing a sales order, a salesperson at a hypermarket should select the warehouse information of the corresponding product. According to the business authority design requirements, the sales staff of [Gome] cannot see [Guangzhou Warehouse] in the warehouse drop-down list, while the sales staff of [Dazhong Electrical Appliances] cannot see [Beijing Shunyi Warehouse] in the warehouse drop-down list.

The second part is authorization management, that is, the process of rights allocation. The rights management content above must be allocated to specific users through the system's authorization function, and the authorization function should be flexible enough.

1. Authorize the user directly. Permissions directly assigned to the user have the highest priority.

2. Authorize the post to which the user belongs. The user's post information can be regarded as a group, which has the same function as a role, but each user can only be associated with one post.

3. Authorize the roles to which the user belongs. The user's role information can be regarded as a permission group, and each user can be associated with multiple roles.

4. A role is directly associated with specific functional permissions (URLs), and can also be associated with a negative permission, that is, the role cannot use the function covered by the negative permission. Negative permissions have priority.

5. Hierarchical authorization. System administrators can authorize their own permission information to other users. That is, you can set up hierarchical administrators and super administrators.

The above is a complete authority management system, you have such a complete authority design
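An added example, not from the original post: one way to resolve authorization sources 1 to 4 above into a single allow/deny decision for a function URL, with the menu derived from that same check. The class and function names, the URLs, modelling a post as a role-like group, and the choice that a direct user grant outranks a role's negative permission are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Role:
    name: str
    allow: set = field(default_factory=set)   # function URLs the group grants
    deny: set = field(default_factory=set)    # negative permissions

@dataclass
class User:
    name: str
    direct: set = field(default_factory=set)   # URLs granted directly to the user
    post: Optional[Role] = None                # at most one post per user
    roles: list = field(default_factory=list)  # any number of roles

def is_allowed(user, url):
    """Server-side decision for one function URL; anything not granted is denied."""
    # Rule 1: direct grants have the highest priority (assumed here to
    # outrank a negative permission held through a role).
    if url in user.direct:
        return True
    groups = ([user.post] if user.post else []) + user.roles
    # Rule 4: a negative permission on any group beats every group grant.
    if any(url in g.deny for g in groups):
        return False
    # Rules 2 and 3: the post and the roles both act as permission groups.
    return any(url in g.allow for g in groups)

def visible_menu(user, menu):
    """Menu filtering reuses the URL check; it does not replace it."""
    return [label for label, url in menu if is_allowed(user, url)]

# Constructed sample data mirroring the department-manager example.
MENU = [("User Management", "/user/list"), ("Add User", "/user/add")]
manager_post = Role("department_manager", allow={"/user/list", "/user/add"})
no_add = Role("no_user_creation", deny={"/user/add"})
staff = User("staff")
manager = User("manager", post=manager_post, roles=[no_add])
admin = User("admin", direct={"/user/add"}, roles=[no_add])

if __name__ == "__main__":
    for u in (staff, manager, admin):
        print(u.name, visible_menu(u, MENU), is_allowed(u, "/user/add"))
```

The same `is_allowed` call belongs in the request handler for every URL, so a hidden menu entry or grayed-out button is never the only thing standing between a user and the function.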