I have always wanted to build a reasonably complete permission control system. This post summarises the basic knowledge about permissions gathered in practice, in preparation for implementing RBAC-model permission management based on Go-Micro + Casbin + Ant-Design-Pro.
Repository: Accbase
What are permissions?
Permission management is a module that almost every back-office system involves. It controls which resources different users may access, and avoids the risks that arise when permission control is missing or operations are performed improperly, such as mistaken operations, expired accounts still being usable, and leakage of private data.
Functional division
A permission management system is divided into authorization and authentication.
- Authorization: grants permissions to roles or users.
- Authentication (the permission check): decides whether a user is allowed to access a resource, based on the authorizations that have been granted.
Basic concepts
The permission model
- The permission design model is RBAC (Role-Based Access Control). It can be abstracted as: Who (the owner or principal: user, group, role) performs How (a specific permission) on What (the object or resource the permission is directed at). Together these form the user – role – permission – resource authorization model.
Permission terminology
- Resource: the final thing being protected. Menus, pages, buttons, APIs, data and so on are all resources.
- User: the party that initiates an operation. The user type can be 2B or 2C, or a user of the back-office management system.
- Role: each role can be associated with multiple permissions. If a user is associated with multiple roles, the user holds the permissions of all of those roles. Roles make authorization convenient and easy to extend; they should not be deleted or disabled casually.
- Permission: a resource that users may access. Permissions fall into three kinds:
  - Page permission: the pages a user can see after logging in are controlled by the menu. The menu has a first-level and a second-level menu; as long as the user holds the permission for both the first-level and the second-level menu, the user can access the page.
  - Operation permission: the function buttons on a page, including view, add, modify, delete and review. When a user clicks the delete button, the back end checks whether the permissions of all of the user's roles include the delete right.
  - Data permission: different users see different data on the same page. For example, the finance department can only see the user data of its own department, and users of the Hangzhou branch can only see Hangzhou's data after logging in. (The usual solution is to associate data with a specific organizational structure: when a user is authorized, the administrator selects a role and at the same time binds it to an organization such as the finance department or the Hefei branch, and the user then has that organization's data rights under that role.)
- User group (Group): when the number of platform users and role types grows, the administrator can assign roles directly to a user group. Every user in the group then holds the role without being authorized individually.
- Organization: organizations are associated with roles. After a user joins an organization, he or she automatically obtains all roles of the organization without the administrator assigning them manually, and moving the user to another organization adjusts the roles in batch. Another function of an organization is to control data permissions: by associating a role with an organization, the role can see only that organization's data. An organization is a collection.
- Position (Post): each organization has multiple positions, each with a different level of authority. A position is assigned to an individual person.
- Menu: the pages a user can view after logging in to the system. The menu can have multiple levels.
Relationships
- Users and roles have a many-to-many relationship
- Roles and permissions have a many-to-many relationship
Authorization process
- Manual authorization: adds roles to users, or users to roles. To add a role to a user, click a user on the user management page and grant the role; several roles can be added to one user at a time. To add users to a role, click a role on the role management page and select multiple users; this assigns a role to users in batch.
- Approval-based authorization: a user applies for a role through the OA process and the role is approved by a superior, so the system administrator does not have to grant the role manually.
Permission system requirements
- The system has a super administrator who holds all system permissions
- Different users see different elements and actions on a page
- Different users have different access rights to pages
- Operations include add, delete, modify, review, etc.
- If a user holds multiple roles, the user's rights are the union of the rights of those roles
- Authorization takes effect as soon as it is selected, without a separate submit step
- A user can have multiple roles, and a role can be assigned to multiple users
- The administrator of each user group can create roles and manage the group's own roles
- The administrator of each user group can add users and grant permissions to them
- A user is just a pure user: it records user information such as user name and password, and permissions are kept separate. To hold permissions on certain resources, a user must be associated with them through roles.
- A role is the basic unit of user rights. It bundles a set of rights, and users receive those rights by being assigned the role
- Permissions are the operations that users can perform on program functions based on their roles, such as reading, writing, modifying and deleting files
- Accounts have a validity period
- Roles and positions are distinguished
- An account is assigned to the administrator of the organization's headquarters, who then maintains the subordinate data himself
Data tables
- User table (account) (UserInfo): manages the most basic user information (extensible in a real business system), such as name and validity period
- Role table (RoleInfo): manages basic role information; users can define various roles themselves
- Menu table (MenuInfo)
- User-role table (UserRoles): associates users with roles, i.e. which roles' permissions are granted to a user (one user can have multiple roles), and allows adding users by role, such as granting the "employee" role to company owners instead of authorizing each user individually
- Role-menu table (RoleMenu)
- Role-permission table (RolePermissions): associates roles with permission points in the system, that is, the actions that complete authorization
- Action table: stores user-defined functional operations, such as add, modify, delete, etc.
- Page element table (Element)
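The checks the requirements above describe, the union of rights across a user's roles, the super-administrator bypass and the organization-bound data permission, as an added example working over in-memory versions of these tables (example code, not the Accbase project's own; the users, roles and organizations are constructed sample data):

```go
package main

// In-memory stand-in for the post's tables (UserInfo, RoleInfo, UserRoles,
// RolePermissions, Action); every value below is constructed sample data.
type Permission struct{ Resource, Action string }
type Grant struct{ Role, Org string } // a role bound to an organization when granted
type Row struct{ ID, Org string }     // a record on a page, tagged with its owning organization
type RBAC struct {
	SuperAdmin string
	UserGrants map[string][]Grant      // user -> roles (many-to-many), each scoped to an org
	RolePerms  map[string][]Permission // role -> permissions (many-to-many)
}

// Can decides an operation permission: the union of every held role's rights; the super admin has all.
func (r *RBAC) Can(user, resource, action string) bool {
	if user == r.SuperAdmin {
		return true
	}
	for _, g := range r.UserGrants[user] {
		for _, p := range r.RolePerms[g.Role] {
			if p.Resource == resource && p.Action == action {
				return true
			}
		}
	}
	return false
}

// VisibleRows applies the data permission: only rows of organizations one of the user's roles is bound to.
func (r *RBAC) VisibleRows(user string, rows []Row) []string {
	allowed := map[string]bool{}
	for _, g := range r.UserGrants[user] {
		allowed[g.Org] = true
	}
	var ids []string
	for _, row := range rows {
		if user == r.SuperAdmin || allowed[row.Org] {
			ids = append(ids, row.ID)
		}
	}
	return ids
}

// SampleRBAC: alice is an employee of the finance department and a reviewer in the Hangzhou branch.
func SampleRBAC() *RBAC {
	return &RBAC{SuperAdmin: "root",
		UserGrants: map[string][]Grant{"alice": {{"employee", "finance"}, {"reviewer", "hangzhou"}}},
		RolePerms:  map[string][]Permission{"employee": {{"order", "view"}}, "reviewer": {{"order", "review"}}}}
}
```

A real deployment would load these maps from the tables at request time (or hand the same policy to Casbin) and refresh them when an authorization takes effect, so a revoked role stops granting rights immediately.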