Preface

Role-Based Access Control (RBAC) is an access-control model in which permissions are attached to roles, and users acquire permissions by being assigned roles. Nowadays the permission design of almost every mainstream permission-management system is either the RBAC model or a variant of it.

We need to think about a question first: why do we do permission management at all?

My understanding is that in every system, different users need different permissions. For example, on a given data table the administrator can modify, add, view and perform other operations, while an ordinary user can only view it. How to design user permissions so that this is enforced is the problem we need to solve.


What is the RBAC model

Role-Based Access Control (RBAC): permissions are granted to users indirectly, by associating users with roles and roles with permissions.

Here is a question to ponder: why add a layer of role relationships at all? Can't we just associate permissions with users directly?

Suppose several users need the same set of permissions. Without roles, every time a permission is added it must be added to each of those users one by one, and every time a permission changes each user's list must be modified as well. With roles, we associate all of these users with one role: when onboarding a user we only need to bind the role to that user, and when the permission set changes we only need to modify the role.

In fact, in my understanding, the most important thing is that it corresponds to real life. In a school, each person (user) has one or more identities (roles), and each identity carries different permissions. A teacher may be not only a teacher but also the vice principal, so we associate both the teacher role and the vice principal role with that person. When that person stops being vice principal and is promoted to principal, we remove the association with the vice principal role and associate the principal role instead. Companies work the same way. (Imagine how this would be done without roles, and the benefit of the RBAC model becomes clear by comparison.)

This is really just the idea of adding a layer of indirection, the same as elsewhere in engineering: for Java database access, JDBC is that layer, and application code only needs to talk to JDBC; in a cluster, the traffic-distribution, load-balancing and gateway tier (Nginx, for example) is that layer. Roles play the same part here.

Compare this with Linux permission management, which applies the same idea through groups.


Classification of RBAC models

RBAC0 model

The simplest model: users, roles and permissions. There are two variants:

  1. Users and roles have a many-to-one relationship: a user can hold only one role, while a role can be held by many users.
  2. Users and roles have a many-to-many relationship: a user can hold multiple roles, and a role can be held by many users.

If the system has a single function, few users, clearly defined post responsibilities, and a guarantee that one person will never hold several posts at the same time, the many-to-one variant can be considered. In all other cases the many-to-many variant should be preferred to keep the system extensible. For example, Zhang San works in both administration and finance, so Zhang San holds the permissions of both the administration role and the finance role.
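
The following is an added example, not code from the original article or from any project it mentions. It models the many-to-many RBAC0 variant as a relational schema with two join tables (user_roles and role_permissions) and shows why the role layer pays off: granting or revoking one role, or changing one role's permissions, is a single row change that reaches every affected user. The table and column names, the sample users, roles and permission codes are all assumptions constructed for the demo; sqlite3 from the standard library is used so it runs offline.

```python
import sqlite3

# Constructed schema for an RBAC0 store: users <-> roles and roles <-> permissions
# are both many-to-many, so each relation gets its own join table.
SCHEMA = """
CREATE TABLE users       (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles       (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permissions (id INTEGER PRIMARY KEY, code TEXT UNIQUE NOT NULL);
CREATE TABLE user_roles (
    user_id INTEGER NOT NULL REFERENCES users(id),
    role_id INTEGER NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id)
);
CREATE TABLE role_permissions (
    role_id       INTEGER NOT NULL REFERENCES roles(id),
    permission_id INTEGER NOT NULL REFERENCES permissions(id),
    PRIMARY KEY (role_id, permission_id)
);
"""

def assign_role(conn, user, role):
    """Bind a user to a role: one row grants the whole bundle of permissions."""
    conn.execute(
        "INSERT OR IGNORE INTO user_roles(user_id, role_id) "
        "SELECT u.id, r.id FROM users u, roles r WHERE u.name = ? AND r.name = ?",
        (user, role),
    )

def revoke_role(conn, user, role):
    conn.execute(
        "DELETE FROM user_roles WHERE user_id = (SELECT id FROM users WHERE name = ?) "
        "AND role_id = (SELECT id FROM roles WHERE name = ?)",
        (user, role),
    )

def grant_permission(conn, role, code):
    conn.execute(
        "INSERT OR IGNORE INTO role_permissions(role_id, permission_id) "
        "SELECT r.id, p.id FROM roles r, permissions p WHERE r.name = ? AND p.code = ?",
        (role, code),
    )

def revoke_permission(conn, role, code):
    """One row deleted here changes every user who holds the role."""
    conn.execute(
        "DELETE FROM role_permissions WHERE role_id = (SELECT id FROM roles WHERE name = ?) "
        "AND permission_id = (SELECT id FROM permissions WHERE code = ?)",
        (role, code),
    )

def user_permissions(conn, user):
    """Effective permissions: the union over all of the user's roles."""
    rows = conn.execute(
        "SELECT DISTINCT p.code FROM users u "
        "JOIN user_roles ur ON ur.user_id = u.id "
        "JOIN role_permissions rp ON rp.role_id = ur.role_id "
        "JOIN permissions p ON p.id = rp.permission_id "
        "WHERE u.name = ? ORDER BY p.code",
        (user,),
    ).fetchall()
    return [r[0] for r in rows]

def has_permission(conn, user, code):
    return code in user_permissions(conn, user)

def build_demo_db():
    """Constructed sample data: Zhang San holds two roles (many-to-many), Li Si holds one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users(name) VALUES (?)", [("zhangsan",), ("lisi",)])
    conn.executemany("INSERT INTO roles(name) VALUES (?)",
                     [("admin",), ("finance",), ("viewer",)])
    conn.executemany("INSERT INTO permissions(code) VALUES (?)",
                     [("table:view",), ("table:add",), ("table:edit",), ("invoice:approve",)])
    for code in ("table:view", "table:add", "table:edit"):
        grant_permission(conn, "admin", code)
    grant_permission(conn, "finance", "invoice:approve")
    grant_permission(conn, "viewer", "table:view")
    assign_role(conn, "zhangsan", "admin")
    assign_role(conn, "zhangsan", "finance")
    assign_role(conn, "lisi", "viewer")
    return conn

if __name__ == "__main__":
    db = build_demo_db()
    print("zhangsan:", user_permissions(db, "zhangsan"))
    print("lisi may edit:", has_permission(db, "lisi", "table:edit"))
```

The many-to-one variant is the same schema with a UNIQUE constraint on user_roles.user_id (or a role_id column on the users table); every query above stays valid, which is why starting from many-to-many costs nothing in complexity.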


RBAC1 model

Introduces role inheritance on top of RBAC0: a role can inherit all the permissions of another role.

Usage scenario: a business department has managers, supervisors and specialists. The supervisor's permissions should never exceed the manager's, and the specialist's should never exceed the supervisor's. If the permissions of these three posts are configured independently under RBAC0, it is very likely that they will be misallocated at some point, and the supervisor will end up with a permission the manager does not have.

The RBAC1 model solves this well. After creating the manager role and configuring its permissions, the supervisor role is created by inheriting the manager role's permissions and then removing those a supervisor should not have; the specialist role is derived from the supervisor role in the same way. (In the standard NIST hierarchical RBAC the relation is usually stated the other way round: the manager role is senior to the supervisor role and automatically acquires every permission granted to it, so a supervisor can never be given a permission the manager lacks. Both directions give the same containment, but the senior-inherits-junior form holds without an administrator having to remember to remove anything.)


RBAC2 model

Adds constraints on roles on top of RBAC0: mutually exclusive roles, cardinality constraints, prerequisite roles, and so on.

  • Mutually exclusive roles: a user cannot be assigned more than one role from a set of mutually exclusive roles, that is, roles whose permissions must not be combined in one person (static separation of duty). Example: a user of a financial system cannot be assigned both the accountant role and the auditor role.
  • Cardinality constraint: the number of users that may hold a role is limited. For example, a role created specifically for the company's CEO may be held by at most one user.
  • Prerequisite role: a user can only be given a higher-level role if they already hold a specified lower-level role. For example, a user can be given the general manager role only if they already hold the deputy general manager role.
  • Run-time mutual exclusion: a user is allowed to hold two roles, but cannot have both activated in the same session (dynamic separation of duty).
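
The following is an added example, not code from the original article or from any project it mentions. It covers both the RBAC1 and the RBAC2 sections above in one in-memory model: the role hierarchy is stored in the senior-inherits-junior direction (manager above supervisor above specialist), and assignment and activation enforce static mutual exclusion, cardinality, prerequisite roles and run-time (dynamic) mutual exclusion, rejecting anything that would violate them. The class, method and role names and the sample permissions are assumptions constructed for the demo.

```python
class RoleAdminError(Exception):
    """Raised when an assignment or activation would break an RBAC2 constraint."""

class Rbac:
    def __init__(self):
        self.role_perms = {}     # role -> permissions granted to it directly
        self.juniors = {}        # role -> junior roles whose permissions it inherits (RBAC1)
        self.user_roles = {}     # user -> roles assigned
        self.active = {}         # user -> roles activated in the current session
        self.static_sod = []     # sets of roles that may not be held together
        self.dynamic_sod = []    # sets of roles that may not be active at the same time
        self.cardinality = {}    # role -> maximum number of holders
        self.prerequisite = {}   # role -> role that must already be held

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def permissions(self, role):
        """RBAC1: a senior role has its own permissions plus everything its juniors have."""
        perms, seen, todo = set(), set(), [role]
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms.get(r, set())
            todo.extend(self.juniors.get(r, ()))
        return perms

    def holders(self, role):
        return sum(1 for roles in self.user_roles.values() if role in roles)

    def assign(self, user, role):
        """Static checks run at assignment time: prerequisite, cardinality, mutual exclusion."""
        roles = self.user_roles.setdefault(user, set())
        need = self.prerequisite.get(role)
        if need is not None and need not in roles:
            raise RoleAdminError(f"{role} requires {need} first")
        limit = self.cardinality.get(role)
        if limit is not None and self.holders(role) >= limit:
            raise RoleAdminError(f"{role} already has its maximum of {limit} holder(s)")
        for group in self.static_sod:
            clash = (roles & group) - {role}
            if role in group and clash:
                raise RoleAdminError(f"{role} is mutually exclusive with {sorted(clash)}")
        roles.add(role)

    def activate(self, user, role):
        """Dynamic check at session time: a held role may still be blocked by an active one."""
        if role not in self.user_roles.get(user, ()):
            raise RoleAdminError(f"{user} does not hold {role}")
        active = self.active.setdefault(user, set())
        for group in self.dynamic_sod:
            clash = (active & group) - {role}
            if role in group and clash:
                raise RoleAdminError(f"{role} cannot be active together with {sorted(clash)}")
        active.add(role)

    def check(self, user, perm):
        """Run-time authorization: only roles activated in the session count."""
        return any(perm in self.permissions(r) for r in self.active.get(user, ()))

def rejected(fn, *args):
    """True if the operation was refused by a constraint."""
    try:
        fn(*args)
    except RoleAdminError:
        return True
    return False

def build_demo():
    rbac = Rbac()
    # RBAC1 hierarchy: manager > supervisor > specialist
    rbac.add_role("specialist", {"order:view"})
    rbac.add_role("supervisor", {"order:edit"}, inherits={"specialist"})
    rbac.add_role("manager", {"budget:approve"}, inherits={"supervisor"})
    # RBAC2: static mutual exclusion
    rbac.add_role("accountant", {"ledger:write"})
    rbac.add_role("auditor", {"ledger:audit"})
    rbac.static_sod.append({"accountant", "auditor"})
    # RBAC2: cardinality
    rbac.add_role("ceo", {"company:*"})
    rbac.cardinality["ceo"] = 1
    # RBAC2: prerequisite role
    rbac.add_role("deputy_gm", {"dept:manage"})
    rbac.add_role("general_manager", {"company:manage"}, inherits={"deputy_gm"})
    rbac.prerequisite["general_manager"] = "deputy_gm"
    # RBAC2: run-time mutual exclusion
    rbac.add_role("cashier", {"payment:create"})
    rbac.add_role("approver", {"payment:approve"})
    rbac.dynamic_sod.append({"cashier", "approver"})
    return rbac
```

Because permissions() resolves the hierarchy at check time, adding a permission to the supervisor role can never leave the manager without it, which is the guarantee the RBAC1 section asks for. The static constraints are checked once, when an administrator assigns a role; the dynamic one has to be checked on every activation, so it belongs in the session layer rather than the admin UI.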

RBAC3 model

Called the unified model: it combines RBAC1 and RBAC2 (and therefore RBAC0, which both extend), so a role hierarchy and role constraints are available together. It adds nothing beyond those features, so it is not described separately here.


What are permissions

A permission is a right to use a resource, and a resource here means any content of the software: modules, menus, pages, fields, operations (add, delete, modify, query) and so on. Concrete permission configurations take many forms; in my understanding permissions can be divided into page permissions, operation permissions and data permissions.

Page permissions: a system is composed of pages, and pages are grouped into modules. Whether a user can see the menu entry for a page, and whether they can open that page, is the page permission.

Operation permissions: every action or interaction a user performs in the system is an operation permission, such as add, delete, modify and query.

Data permissions: most business management systems have data-confidentiality requirements: who may see which data and who may not. For example, the person in charge of Jingdong's Guangdong operations can see the warehouse information for Guangdong, but cannot see the warehouse information for Beijing, because it is outside his data scope. A data permission must be enforced in the query itself, not only by hiding rows in the user interface; otherwise the user can simply request the other region's records directly.
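
The following is an added example, not code from the original article or from any project it mentions. It shows the three permission kinds enforced as three separate checks on the warehouse scenario above: a page check, an operation check, and a data-scope filter that is applied both to list queries and to single records fetched by id, so that the Guangdong lead cannot reach a Beijing warehouse by guessing its id. The Grant structure, the field names and the sample users and rows are assumptions constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    page: str               # page permission: which page/menu this grant applies to
    actions: frozenset      # operation permissions on that page: "view", "edit", ...
    scope: tuple = ()       # data permission: ((field, allowed values), ...); empty = all rows

# Constructed warehouse records, standing in for the rows a list query would return.
WAREHOUSES = [
    {"id": 1, "region": "Guangdong", "city": "Guangzhou"},
    {"id": 2, "region": "Guangdong", "city": "Shenzhen"},
    {"id": 3, "region": "Beijing", "city": "Beijing"},
]

# Constructed grants for three hypothetical users.
GRANTS = {
    "guangdong_lead": [Grant("warehouse", frozenset({"view", "edit"}),
                             (("region", frozenset({"Guangdong"})),))],
    "hq_auditor": [Grant("warehouse", frozenset({"view"}))],   # no scope: sees every region
    "sales_rep": [Grant("orders", frozenset({"view"}))],       # no grant on the warehouse page
}

def in_scope(grant, row):
    """A row is in scope when every scoped field holds one of the allowed values."""
    return all(row.get(field) in allowed for field, allowed in grant.scope)

def page_allowed(grants, page):
    """Page permission: may the menu entry be shown and the page opened."""
    return any(g.page == page for g in grants)

def action_allowed(grants, page, action):
    """Operation permission: may the button or endpoint for this action be used."""
    return any(g.page == page and action in g.actions for g in grants)

def visible_rows(grants, page, rows):
    """Data permission for list queries: keep rows inside the scope of any 'view' grant."""
    return [r for r in rows
            if any(g.page == page and "view" in g.actions and in_scope(g, r) for g in grants)]

def row_allowed(grants, page, action, row):
    """Object-level check for one record fetched by id: the same scope rule as the list query."""
    return any(g.page == page and action in g.actions and in_scope(g, row) for g in grants)

if __name__ == "__main__":
    lead = GRANTS["guangdong_lead"]
    print([r["city"] for r in visible_rows(lead, "warehouse", WAREHOUSES)])
    print("may edit Beijing:", row_allowed(lead, "warehouse", "edit", WAREHOUSES[2]))
```

In a real system the scope would be translated into a WHERE clause rather than filtering in memory, but the rule is the same: the list endpoint and the by-id endpoint must apply the identical scope, since an attacker who knows ids skips the list.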


User groups

As the platform's user base grows and the number of role types increases, assigning roles to users one at a time becomes a heavy workload for the administrator. At this point we can introduce the concept of user groups: a user group is a set of users that share the same attributes.

For example, with user groups a department becomes a group, and the department's roles are granted to the group directly (10,000 users may amount to only a few dozen departments). Every member of the department then holds the department's permissions without the administrator assigning roles to each user individually, which greatly reduces the work of assigning permissions.

In addition, roles can still be assigned to individual users. A user then has all the permissions of their user groups plus the permissions of their own roles.

Besides reducing workload, user groups are easier to understand and support multi-level management relationships. For example, when configuring the organizational structure we can add not only departments but also posts and other levels below them, so that members of the same user group can be differentiated.

Why are they easier to understand? Consider user groups created by department, and a user who moves from department A to department B, which is something that really happens. Without user groups, we would remove all of department A's roles from the user and assign all of department B's roles instead. The end result is the same, but the form of the operation is far from what actually happened and is hard to follow. With user groups, the user simply leaves group A and joins group B, which matches reality closely.
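
The following is an added example, not code from the original article or from any project it mentions. It implements the user-group layer described above: roles are granted to groups, groups form a hierarchy (company, department, post) so that a post inherits its department's roles, a user may also have directly bound roles, and a department change is a single leave/join rather than a per-role edit. The class, method and group names are assumptions constructed for the demo; the hierarchy is assumed to be a tree.

```python
class Directory:
    """Constructed org directory: roles come from groups plus direct per-user bindings."""

    def __init__(self):
        self.group_roles = {}    # group -> roles granted to the whole group
        self.group_parent = {}   # group -> parent group (post -> department -> company)
        self.user_groups = {}    # user -> groups the user belongs to
        self.user_roles = {}     # user -> roles bound to that user directly

    def add_group(self, group, roles=(), parent=None):
        self.group_roles[group] = set(roles)
        if parent is not None:
            self.group_parent[group] = parent

    def join(self, user, group):
        self.user_groups.setdefault(user, set()).add(group)

    def leave(self, user, group):
        self.user_groups.get(user, set()).discard(group)

    def transfer(self, user, old_group, new_group):
        """Department change: leave one group, join another; no per-role edits needed."""
        self.leave(user, old_group)
        self.join(user, new_group)

    def bind_role(self, user, role):
        """A role given to this user specifically, kept regardless of group membership."""
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user):
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            # walk up the hierarchy: a post gets its department's and the company's roles too
            g = group
            while g is not None:
                roles |= self.group_roles.get(g, set())
                g = self.group_parent.get(g)
        return roles

def build_demo():
    d = Directory()
    d.add_group("company", roles={"staff"})
    d.add_group("dept_a", roles={"dept_a_ops"}, parent="company")
    d.add_group("dept_b", roles={"dept_b_ops"}, parent="company")
    d.add_group("dept_b/ap_clerk", roles={"ap_clerk"}, parent="dept_b")  # a post inside dept B
    d.join("zhang", "dept_a")
    d.bind_role("zhang", "fire_warden")   # individually assigned, survives the transfer
    d.join("li", "dept_b/ap_clerk")
    return d

if __name__ == "__main__":
    d = build_demo()
    print("before:", sorted(d.effective_roles("zhang")))
    d.transfer("zhang", "dept_a", "dept_b")
    print("after: ", sorted(d.effective_roles("zhang")))
```

Feeding effective_roles() into the RBAC0 permission lookup gives the final permission set; the group layer only decides which roles a user holds, it does not need to know what the roles grant.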


Project reference

This is a well-known open-source project; I am not affiliated with it.

RuoYi (若依) permission management system

Demo picture: