User Authorization RBAC

User authorization

1. RBAC

How is authorization implemented? The industry usually implements it with RBAC.

RBAC takes two forms:

Role-Based Access Control

Resource-Based Access Control

Role-Based Access Control authorizes by role. For example, a subject whose role is general manager can query enterprise operation reports and employee salary information. The access control process is as follows:

Following the decision logic in the figure above, the authorization code can be written as follows:

Java
if (subject.hasRole("general manager role id")) { querySalary(); }

If the roles required to query salary in the figure above change to general manager and department manager, the decision logic has to change to "check whether the user's role is general manager or department manager". The code is modified as follows:

Java
if (subject.hasRole("general manager role id") || subject.hasRole("department manager role id")) { querySalary(); }

This example shows that whenever a role's permissions change, the authorization code itself has to be modified, so the system is hard to extend.

Resource-Based Access Control authorizes by resource (or permission). For example, a user must hold the permission to query salary in order to query employee salary information. The access control process is as follows:

Following the decision logic in the figure above, the authorization code can be written as:

Java
if (subject.hasPermission("Query salary permission ID")) { querySalary(); }

Advantages: a permission identifier for querying salary is defined when the system is designed. Even if the roles required to query salary change to general manager and department manager, the authorization code does not need to be modified, so the system is easy to extend.
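The following is an added example, not code from the original article, showing why the permission check survives a policy change: the role-to-permission mapping is data, so granting department managers salary access touches only the mapping. The class names, role ids and the permission string "salary:query" are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class PermissionCheckDemo {
    // Role -> permission mapping is data (in practice a database table), not code.
    static final Map<String, Set<String>> ROLE_PERMISSIONS = new HashMap<>();

    // Hypothetical Subject: holds role ids and resolves permissions through the mapping.
    static final class Subject {
        private final Set<String> roles;
        Subject(String... roles) { this.roles = Set.of(roles); }

        boolean hasPermission(String permission) {
            // Deny by default: unknown roles and unmapped permissions grant nothing.
            for (String role : roles) {
                if (ROLE_PERMISSIONS.getOrDefault(role, Set.of()).contains(permission)) {
                    return true;
                }
            }
            return false;
        }
    }

    // The authorization code names only the permission, never a role.
    static String querySalary(Subject subject) {
        if (!subject.hasPermission("salary:query")) {
            throw new SecurityException("missing permission salary:query");
        }
        return "salary report"; // placeholder for the real query
    }

    static boolean canQuery(Subject s) {
        try { querySalary(s); return true; } catch (SecurityException e) { return false; }
    }

    public static void main(String[] args) {
        Subject gm = new Subject("general-manager");
        Subject dm = new Subject("department-manager");
        Subject clerk = new Subject("clerk");
        ROLE_PERMISSIONS.put("general-manager", new HashSet<>(Set.of("salary:query", "report:query")));
        System.out.println(canQuery(gm) + " " + canQuery(dm) + " " + canQuery(clerk));
        // Policy change: department managers may now query salary. Only the mapping changes.
        ROLE_PERMISSIONS.computeIfAbsent("department-manager", r -> new HashSet<>()).add("salary:query");
        System.out.println(canQuery(gm) + " " + canQuery(dm) + " " + canQuery(clerk));
    }
}
```

After the mapping change the department manager passes the same `querySalary` check while the clerk, whose role maps to nothing, is still denied.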

Origin blog.csdn.net/Relievedz/article/details/129661878