1, data permissions overview
1.1 What is the data authority?
Data refers to the system user permissions to control the visibility of data resources, popular explanation is: 只有符合条件的用户才能看到该条件下对应的数据资源. Here is a simple example:
the organization of the sales staff can only see the customer information of the organization.
A full-time accounting can only see documents A department and its subordinate departments.
These requirements also can be achieved using a hard-coded, but in the process of rapid development of business, such as this demands more and more data privilege, if all the hard-coded way, we will undoubtedly bring huge development and maintain pressure.
1.2 Analysis of elements
from the perspective explained data authority, 只有符合条件的用户才能看到该条件下对应的数据资源whereby several keys can analyze data in the access control:
1. body. Narrow sense, refers to the main single user, but practically speaking, the rights may be assigned to a particular group or class of people is more convenient, so the body in a broad sense, we can extend the concept of identity associated with the user, role, duties, etc. .
2. Resource. The need to control access to a range of data, such as customer information, department information.
3. Rule Description. That is the main condition for the application of specific data resources.
These are the basic three elements of data permissions.
2, design data permissions
In theory, data authority is described in the user-controlled access system data, user data acquisition condition rules applicable resources, and user conditions of the general rules of resources is not the only, example:
a user fill in documents when the data resources used to comply with the following rules:
materials materials classification code is '01' at the beginning of
and authorities is 'John Doe'
and your organization's customer information is a user-owned organization.
Rule logic program like How to describe it?
2.1 atomic rules and rules
2.1.1 rule
after the description of the previous section, in fact, digital rights can be expressed as a combination of applicability conditions of data resources allocated in different body, the body of this undefined peeling audience, data authority may in fact applicability conditions as described for the applicability conditions of different data sources, we can summarize this data to a rule and this rule is versatile, can be a plurality of audience / body use, we will complete and relatively independent of the data resources declared rules. Rules can be combined directly into the new rules. For example,
materials classified material is coded '01' at the beginning of
this rule may be considered to be a material for this resource.
Material classified material is coded '01' beginning
and the competent authority is 'John Doe'
and your organization's customer information is a user-owned organization.
This rule can be considered for a user / role
2.1.2 atomic rules
We can see from the example cited above, the rules can be a combination of multiple resources applicability conditions, can be spliced multi-level resources applicability conditions, there may be a variety of ways when we describe such a rule, but not like this help us to create rules described, we need to create a standard to regulate it, in this case, we define: for non-combined condition of resources and the resource itself directly attributes defined belongs to the basic rules, such as
material = a
material material classification = a (material classification is a direct property because the material)
are ground rules
and the
materials classified material encoding = a involves the two classification of materials and material properties of the resource, not the rule base.
The same
materials and material = A = A classification of the material nor the ground rules
so that we can declare the ground rules for a single resource descriptions can be called atomic rules.
Declares atomic rule What are the benefits?
1, the rules are simple atomic condition for a limited resource, the logic is simple and does not produce cross-cutting or a cross-service problems.
2, all of the complex can be decomposed into atomic logic rules then assembled.
3, rule decomposed clear mandate to facilitate traceability.
After the figure below, all the data rules are eventually broken down into atomic rule, each application parses only resource conditions responsible for their own, you do not need to generate interdisciplinary connection and dependence, and each rule parsed the results are very clear after the problem very easily traceable. 
2.2 resources and conditions described in
the rules explained earlier part, that the rules of procedure of how to do?
Resources: This is relatively simple, the actual data resources is the need to control, can generally be described as a business object, consider the multi-system support multiple applications, providing a unified registration and access mechanisms can be.
Conditions Description: In order to describe the conditions converted into machine-understandable logic, we need to design a logical expression and expression parser, such as regular expressions, formulas, etc. As most business applications based on relational database development from the realization of the difficulty of reasons, the use of some form of logic is more convenient syntax of SQL.
2.3 Classification rules
the practical application of our rules actually can be divided into two categories
1) Static data type
defined conditions of such rules is generally nothing to do with the environment, such as:
regional classification = Beijing
Category = office supplies
clear and explicit resources the range of values. The results can be calculated in advance and stored for use.
2) dynamic logic type
defined conditions are generally such rules and environmental information, dynamic change according to the environment information such as:
organization customer's organization the user belongs =
closely related to the login user determination condition can not be calculated in advance As a result, the need for dynamic analytical calculation.
Static data type can be pre-calculated efficiency, but will generally problematic data timeliness.
Static data type can be converted into a dynamic logic type, but the dynamic logic type can not generally be converted into static data type.
More than 2.4 application design and analysis rules registered 
enterprise systems, in order to unify data management, some established a number of public positions, some not necessarily, suitable for multi-application multi-scene, we designed an analytical model permissions, each applications have released their own resources for atomic service, then the number of positions in public service agency for public release of the data, atoms and atomic service because the service is directly across the service call, we can only call the order, and the same number of positions posted agency services, because the data is stored in the same location, the rule can be merged.