RBAC role-based access control model

RBAC

RBAC role-based access control, RBAC believes that the process of authority authorization can be abstractly summarized as: whether Who can perform How access operations on What

Introduction to RBAC

Role-Based Access Control Model

In the RBAC model, there are three basic components: users, roles, and permissions. RBAC controls the permissions of users by defining the permissions of roles and granting a certain role to users, and realizes the logical separation of users and permissions (different from the ACL model), which greatly facilitates the management of permissions:

• User (user): Each user has a unique UID identification and is granted different roles
• Role: Different roles have different permissions
• Permission: access rights
• User-role mapping: the mapping relationship between users and roles
• Role-permission mapping: mapping between roles and permissions

RBAC supports three well-known security principles: the principle of least privilege, the principle of separation of duties and the principle of data abstraction

• Principle of Least Privilege: RBAC can configure a role as the minimum set of privileges it needs to complete a task
• Principle of separation of responsibilities: Sensitive tasks can be accomplished together by invoking mutually independent and mutually exclusive roles, such as requiring a bookkeeper and a financial administrator to jointly participate in unified posting operations
• The principle of data abstraction: it can be reflected by the abstraction of permissions, such as abstract permissions such as borrowing and deposits for financial operations, instead of using typical read, write, and execute permissions

advantage:

• Simplifies the relationship between users and permissions
• Easy to expand and maintain

shortcoming:

• The RBAC model does not provide a control mechanism for the order of operations, which makes it difficult for the RBAC model to adapt to systems that have strict requirements on the order of operations

3 Models of RBAC

• RBAC0, the simplest and most primitive implementation, is also the basis of other RBAC models
• Based on the RBAC0 model, RBAC1 introduces the inheritance relationship between roles, that is, there is a distinction between upper and lower roles on roles.
• RBAC2 implements role access control based on the RBAC0 model.

RBAC data table design

databasecreate database test default character set utf8mb4;

Relationship between tables: 1 to 1, 1 to many or many to 1, many to many

1 to 1 implementation

There are two specific implementation methods: shared primary key and unique foreign key. such as employee information and login IDs

shared primary key

create table if not exists tb_emps(
	id bigint primary key auto_increment comment '雇员编号',
	name varchar(32) not null comment '姓名',
	sex boolean default 1 comment '性别',
	education varchar(32),
	birth date comment '出生日期',
	hire_date date comment '入职日期',
	salary numeric(8,2) comment '月薪'
)engine=innodb default charset utf8 comment '雇员信息';

create table if not exists tb_users(
	id bigint primary key comment '用户编号',
	foreign key(id) references tb_emps(id) on delete cascade,
	username varchar(32) not null unique comment '用户名称',
	password varchar(32) not null comment '用户口令',
	create_time datetime default now() comment '创建时间',
	update_time timestamp default current_timestamp on update
	current_timestamp comment '修改时间',
	salt varchar(32) comment 'md5加密的盐值',
	user_locked boolean default 0 comment '账户是否锁定'
)engine=innodb default charset utf8 comment '登录账户';

unique foreign key

create table if not exists tb_emp(
	id bigint primary key auto_increment,
	......
)engine=innodb default charset utf8;

create table if not exists tb_user(
	id bigint primary key auto_increment,
	... ...
	emp_id bigint not null unique,
	foreign key(emp_id) references tb_emp(id) on delete cascade
)engine=innodb default charset utf8;

1 to many or many to 1

The implementation method is the association of primary and foreign keys, which is most used in relational databases, such as employees and departments

create table tb_dept(
	id bigint primary key auto_increment,
	name varchar(32) not null,
	address varchar(50)
);
create table tb_emp(
	id bigint primary key auto_increment,
	name varchar(32) not null,
	... ...,
	dept_id bigint,
	foreign key(dept_id) references tb_dept(id)
);

many to many

In fact, many-to-many relationships are not directly supported in relational databases, and intermediate tables must be introduced. For example, students choose courses

create table tb_student(
	id bigint primary key auto_increment,
	... ....
);

create table tb_course(
	id bigint primary key auto_increment,
	......
);

create table tb_choice(
	student_id bigint not null,
	course_id bigint not null,
	primary key(student_id,course_id),
	foreign key(student_id) references tb_student(id) on delete cascade,
	foreign key(course_id) references tb_course(id) on delete cascade
);

Implementation of permission control table

• The user information table is used to store login user related data, such as user name, password, etc. It is mainly used to judge whether the user who visits is a certain user

  create table tb_users(
  	id bigint primary key auto_increment comment '代理主键',
  	username varchar(32) not null,
  	password varchar(32) not null,
  	... ...
  );
  

• Role table, a role can be understood as an alias for a set of permissions, not equal to a position.

create table tb_roles(
	id bigint primary key auto_increment,
	title varchar(32) not null unique,
	... ...
);

• Permission table, in order to simplify the development in the system, is often combined with the menu table, so as to achieve the purpose of convenient definition. In a specific application, the purpose of permission control is achieved through whether the menu is displayed or not. In specific applications, it is necessary to consider using infinite classification for menus

create table tb_privs(
	id bigint primary key auto_increment,
	title varchar(32) not null comment '菜单项标题',
	url varchar(50) comment '点击菜单后跳转的目标地址',
	parent_id bigint comment '用于表示当前菜单项是哪个菜单项的子菜单',
	foreign key(parent_id) references tb_privs(id) on delete cascade,
	chilren boolean default 0 comment '不是必须的列，是为了编程方便引入的额外列，用于表示是否有子菜单项'
	-- 还可有其它和编程相关的列，例如层级等
);

sample data

id	title	url	parent_id	children
1	commodity management	null	null Here, use parent_id as null to indicate the root menu item	1
2	new product	/products/add	1	0
3	delete item	/products/del	1	0

• A table used to represent the relationship between users and roles. Because there is a many-to-many association between users and roles, an intermediate table must be introduced

create table tb_users_roles(
	user_id bigint not null,
	role_id bigint not null,
	primary key(user_id,role_id),
	foreign key(user_id) references tb_users(id) on delete cascade,
	foreign key(role_id) references tb_roles(id) on delete cascade
);

• A table used to represent the relationship between roles and permissions. Because there is a many-to-many relationship between roles and permissions, an intermediate table must be introduced

create table tb_roles_privs(
	role_id bigint not null,
	priv_id bigint not null,
	primary key(role_id,priv_id),
	foreign key(role_id) references tb_roles(id),
	foreign key(priv_id) references tb_privs(id)
);

• According to business needs, there may also be a problem that some permissions need to be directly granted to a user. If this function needs to be supported, an intermediate table between users and permissions needs to be created