Detailed graphics Role-based access control model RBAC

Others 2019-11-25 13:07:45 views: null

We have developed a system that is bound to face problems of access control, that is, different users have different access, operation and data access. Theory formed permissions control model are: discretionary access control (DAC: Discretionary Access Control), mandatory access control (MAC: Mandatory Access Control), based on the authentication authority attribute (ABAC: Attribute-Based Access Control) and the like. The most commonly developers use is relatively easy to use, is the common RBAC permissions model (Role-Based Access Control), this paper will introduce the permissions model.

A, RBAC permissions model Introduction

RBAC permissions model (Role-Based Access Control) namely: Role Based Access Control. There are several models of key terms:

  • User: operator interface and access the system
  • Authority: the ability to access an interface or authorized to do the qualifications of an operation
  • Role: the user has the same general term for a class of operating authority

Core RBAC permissions model authorization logic is as follows:

  • What is the role of a user?
  • What a role has privileges?
  • Derivation user's permissions by role permissions

Two, RBAC evolutionary process

2.1. User privileges directly associated with

file

Think of access control, people first thought must be a model user permissions directly associated with, simply put, it is: a user has certain privileges. Figure:

  • Joe Smith has the rights to create and remove users, so that he could maintain personnel system
  • John Doe has a records management product and sales records management authority, so he may be a business sales

This model is able to clearly express the relationship between users and permissions, simple enough. But there is also a problem:

  • Now the user is John Doe, later with the increase in personnel, each user will need to reauthorize
  • Or John Doe to leave, we need to recover a variety of privileges for each user

2.2 A user has a role

In the actual business community, users can be classified. For example, for the salary management system, usually classified according to levels: managers, senior engineers, mid-level engineers, junior engineers. User is classified according to certain roles, usually have the same role have the same privileges. After this change, it can be converted for user empowerment empowerment for the role.

file

  • A user has a role
  • There is a role more operations (menu) Permissions
  • An operating privileges can belong to multiple roles

We can use the lower figure of database design model that describes such a relationship.

file

2.3 a user one or more roles

But in the actual application system, a user with a role far from meeting the demand. If we want a user both as a sales role, but also temporarily served as vice president role. how should I do it? In order to increase the applicability of the system design, we usually design:

  • A user has one or more roles
  • A role that contains multiple users
  • There are a variety of roles permissions
  • A privilege belonging to more than one role

We can use the lower figure of database design model that describes such a relationship.

file

Second, access to the page with the operating authority

  • Page access: all systems are composed of one page, the page re-composition module, whether the user can see this page of the menu, whether to enter the page is called page access.
  • Operating authority: any user action, interaction in the operating system needs to have the authority to operate as CRUD like. For example: a button, a hyperlink whether the user can click on, whether permission should see.

file

To meet this demand, we can put the resources page (menu) and operating resources (button) sub-table storage, as shown above. Both may be put into a table stored inside, with a flag to distinguish a field.

Third, the data permissions

Data authority is better understood, it is what a user can access and data manipulation.

  • Generally speaking, the data is determined by the rights organization the user belongs. For example: the production of a production data can only see his own department, the production of two production data can only see his own department; sales department can only look at sales data, the data can not look at the financial sector. The company's general manager can see all the data.
  • In the actual business system, data rights tend to be more complex. Very likely sales department can look at the data production sector, in order to determine the sales strategy, plan of arrangement and so on.

So in order to face complex needs, authority control data is typically written by the programmer personalized SQL to limit the scope of the data, rather than to the permission model or Spring Security or shiro to control. Of course, you can go to solve this problem from the perspective of rights or privileges model framework, but limited applicability.

Look forward to your attention

Guess you like

Origin www.cnblogs.com/zimug/p/11926957.html
Recommended
The number of MaxKB GitHub Stars, an open source knowledge base question and answer system based on large language models, exceeded 5,000!
Ranking
Getting the basic concepts of ROS + catkin Profile
Spring Learning (2) --- Assembling Beans in the IoC Container
js to get the src attribute of the image regularly
STM32 is based on CubeIDE and HAL library basics entry study notes: Bluetooth WIFI STM32 connects to Alibaba Cloud
Short video learning - 3, pandas simple use of pivot_table
Print directory of project configuration log, output log
Understand the difference between vi and vim in Linux in 3 minutes
1 + x certificate Web front-end development HTML5 special exercises
mangodb save and insert the difference
7-1 Family tree processing (50 points) (binary tree solution)
Daily
More
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)

Code World

© 2018 codetd.com