I have known about RBAC for a long time, but never really understood it.

This time I decided to take a proper look at RBAC, prompted by the need to write a blog post.


What is RBAC

RBAC is a permission control model that is general, mature and widely accepted after years of use. My understanding is that RBAC is to a permission system what a formula is to a mathematics problem: the problem is solved by applying the formula, and the permission system is built by applying the RBAC model.

Role-Based Access Control (RBAC) is, as the name says, permission control based on roles: permissions are assigned to roles, roles are associated with users, and users therefore obtain their permissions indirectly.

By a novice's logic (mine), permissions could simply be assigned to users directly, so why bother inserting a role in the middle and handing out permissions at one remove?

In fact, the role layer in the middle is there to increase both security and efficiency, and the extensions built on top of it improve things further.

For example, if multiple users need the same permissions, without roles you must assign the same permissions to each of them and later modify them for each of them one by one. With a role in place, you assign the permissions to the role once and assign the users who need the same permissions to that role, which makes rights management easier. To adjust permissions for a batch of users, you only adjust the roles those users are associated with. This greatly improves the efficiency of permission adjustment and reduces the chance of missing a user.

The RBAC permission model is shown in the figure below.

There are two variants of this model:

1. Users and roles are many-to-one: a user plays only one role, while one role can be played by multiple users.

2. Users and roles are many-to-many: a user can play multiple roles at the same time, and one role can be played by multiple users. (Our system is many-to-many.)

So when should you use a many-to-one permission system, and when a many-to-many one?

If the system has a single function, few users and clearly defined positions, and you can guarantee that nobody will ever hold two positions at once, a many-to-one permission system can be considered. In all other cases, use a many-to-many permission system so that the system remains extensible. For example, Zhang San works in both administration and finance, so Zhang San holds the permissions of both the administration role and the finance role.
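The following is an added example (not code from the original post) of the flat RBAC0 model described above: users and roles are many-to-many, permissions hang off roles, and a single change to a role reaches every user who holds it. The role names, user names and permission strings are constructed for illustration; a `many_to_one` switch shows how the stricter variant would reject a second role.

```python
from __future__ import annotations

from collections import defaultdict


class Rbac0:
    """Flat RBAC0: users <-> roles (many-to-many by default), roles -> permissions."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[str]] = defaultdict(set)
        self.user_roles: dict[str, set[str]] = defaultdict(set)

    def grant(self, role: str, *perms: str) -> None:
        self.role_perms[role].update(perms)

    def revoke(self, role: str, *perms: str) -> None:
        self.role_perms[role].difference_update(perms)

    def assign(self, user: str, role: str, many_to_one: bool = False) -> None:
        # many_to_one=True enforces the "a user plays only one role" variant
        held = self.user_roles[user]
        if many_to_one and held and role not in held:
            raise ValueError(f"{user} already holds {sorted(held)}")
        held.add(role)

    def permissions(self, user: str) -> set[str]:
        # union of the permissions of every role the user holds
        return set().union(*(self.role_perms.get(r, set())
                             for r in self.user_roles.get(user, ())))

    def check(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)


def demo() -> dict[str, bool]:
    """Walk through the batch-adjustment argument from the text (constructed data)."""
    rbac = Rbac0()
    rbac.grant("finance", "invoice:read", "invoice:approve")
    rbac.grant("administration", "room:book", "staff:view")
    for user in ("zhang_san", "li_si", "wang_wu"):
        rbac.assign(user, "finance")
    rbac.assign("zhang_san", "administration")  # many-to-many: Zhang San holds both roles

    out = {"zhang_san_books_rooms": rbac.check("zhang_san", "room:book"),
           "li_si_exports_before": rbac.check("li_si", "invoice:export")}

    # one change to the role reaches all three finance users at once
    rbac.grant("finance", "invoice:export")
    out["li_si_exports_after"] = rbac.check("li_si", "invoice:export")

    # revoking from the role cannot miss a user, unlike per-user revocation
    rbac.revoke("finance", "invoice:approve")
    out["nobody_approves"] = not any(rbac.check(u, "invoice:approve") for u in rbac.user_roles)

    # the many-to-one variant rejects a second role for the same user
    strict = Rbac0()
    strict.assign("li_si", "finance", many_to_one=True)
    try:
        strict.assign("li_si", "administration", many_to_one=True)
        out["many_to_one_rejects"] = False
    except ValueError:
        out["many_to_one_rejects"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The security point is in `revoke`: because the user never holds a permission directly, removing it from the role removes it from everyone, so there is no user left behind with a stale grant.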


Types of RBAC permission model

The model above is RBAC0, the basic and simplest model and the underlying logic on which the RBAC1, RBAC2 and RBAC3 models are built.

1. The RBAC1 model

Compared with RBAC0, RBAC1 adds child roles and introduces the concept of inheritance: a child role inherits all permissions of its parent role.



Usage scenario: a business department has managers, supervisors and specialists. A supervisor's authority should not exceed a manager's, and a specialist's should not exceed a supervisor's. If the permission system is built on RBAC0, it is easy to misallocate permissions, and a supervisor can end up with a permission the manager does not have.

RBAC1 solves this problem well: after creating the manager role and configuring its permissions, the supervisor role is created as a child that inherits the manager role's permissions, and the permissions a supervisor should not have are then removed from the supervisor role. (Note that the NIST RBAC standard defines the hierarchy in the opposite direction: a senior role inherits the permissions of its junior roles, so the manager automatically holds everything the supervisor holds, and a subordinate role can never acquire a permission its senior lacks.)

2. The RBAC2 model

Based on RBAC0, RBAC2 adds constraints on roles: mutually exclusive roles, cardinality constraints, prerequisite roles, and so on.

  • Mutually exclusive roles: a user cannot be assigned more than one role from a set of mutually exclusive roles, that is, roles whose permissions must not be combined in one person. Example: in a payment requisition system, a user cannot be both the applicant role and the approver role.
  • Cardinality constraint: the number of users that can hold a role is limited. Example: a role created specifically for the company's CEO has an upper limit on how many users may hold it.
  • Prerequisite role: a role with a lower level of authority must be held before a role with a higher level of authority can be obtained. Example: a user must already hold a lower-level role before being given the general manager role.
  • Run-time mutual exclusion: a user may be a member of two roles, but the two roles cannot be activated at the same time. This applies, for example, to a user who holds multiple roles whose permissions overlap.
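As an added example (not code from the original post) covering both the RBAC1 hierarchy and the four RBAC2 constraints listed above, the class below builds the manager/supervisor/specialist hierarchy and then enforces static mutual exclusion, cardinality, prerequisite roles and run-time mutual exclusion. It follows the NIST direction of inheritance (a senior role inherits its juniors' permissions), so a supervisor structurally cannot hold a permission the manager lacks. Role names, user names and permission strings are constructed; a `session` dict stands in for whatever per-login state a real system keeps.

```python
from __future__ import annotations

from collections import defaultdict


class RbacError(Exception):
    pass


class HierarchicalRbac:
    """RBAC1 (role hierarchy) plus RBAC2 constraints; together they are RBAC3."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[str]] = defaultdict(set)
        self.juniors: dict[str, set[str]] = defaultdict(set)  # senior -> roles it inherits from
        self.user_roles: dict[str, set[str]] = defaultdict(set)
        self.static_exclusive: list[frozenset[str]] = []      # may not be assigned together
        self.dynamic_exclusive: list[frozenset[str]] = []     # may not be active together
        self.max_members: dict[str, int] = {}
        self.prerequisite: dict[str, str] = {}
        self.session: dict[str, set[str]] = defaultdict(set)  # user -> roles activated now

    def inherits(self, senior: str, junior: str) -> None:
        self.juniors[senior].add(junior)

    def role_permissions(self, role: str) -> set[str]:
        # transitive closure down the hierarchy: manager -> supervisor -> specialist
        seen, stack, perms = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms.get(r, set())
            stack.extend(self.juniors.get(r, ()))
        return perms

    def assign(self, user: str, role: str) -> None:
        held = self.user_roles[user]
        for group in self.static_exclusive:           # static separation of duty
            if role in group and (held & group) - {role}:
                raise RbacError(f"{role} is mutually exclusive with {sorted(held & group)}")
        if role in self.max_members and role not in held:  # cardinality
            members = sum(role in rs for rs in self.user_roles.values())
            if members >= self.max_members[role]:
                raise RbacError(f"{role} already has {members} member(s)")
        if role in self.prerequisite and self.prerequisite[role] not in held:
            raise RbacError(f"{role} requires {self.prerequisite[role]} first")
        held.add(role)

    def activate(self, user: str, role: str) -> None:
        if role not in self.user_roles[user]:
            raise RbacError(f"{user} does not hold {role}")
        active = self.session[user]
        for group in self.dynamic_exclusive:          # dynamic separation of duty
            if role in group and (active & group) - {role}:
                raise RbacError(f"{role} cannot be active with {sorted(active & group)}")
        active.add(role)

    def check(self, user: str, perm: str) -> bool:
        # only roles activated in the current session count, not everything the user holds
        return any(perm in self.role_permissions(r) for r in self.session[user])


def fails(action) -> bool:
    try:
        action()
    except RbacError:
        return True
    return False


def demo() -> dict[str, bool]:
    """Constructed scenario: department hierarchy plus each RBAC2 constraint."""
    r = HierarchicalRbac()
    r.role_perms["specialist"] |= {"report:read"}
    r.role_perms["supervisor"] |= {"report:edit"}
    r.role_perms["manager"] |= {"budget:approve"}
    r.inherits("supervisor", "specialist")
    r.inherits("manager", "supervisor")
    r.static_exclusive.append(frozenset({"applicant", "approver"}))
    r.dynamic_exclusive.append(frozenset({"manager", "auditor"}))
    r.max_members["ceo"] = 1
    r.prerequisite["manager"] = "supervisor"

    out = {"manager_inherits_read": "report:read" in r.role_permissions("manager"),
           "specialist_lacks_approve": "budget:approve" not in r.role_permissions("specialist")}
    out["prereq_enforced"] = fails(lambda: r.assign("alice", "manager"))
    r.assign("alice", "supervisor")
    r.assign("alice", "manager")  # allowed once the prerequisite is held
    r.assign("alice", "auditor")
    r.assign("bob", "applicant")
    out["static_sod_enforced"] = fails(lambda: r.assign("bob", "approver"))
    r.assign("carol", "ceo")
    out["cardinality_enforced"] = fails(lambda: r.assign("dave", "ceo"))
    out["inactive_role_denied"] = not r.check("alice", "budget:approve")
    r.activate("alice", "manager")
    out["active_role_allowed"] = r.check("alice", "budget:approve")
    out["dynamic_sod_enforced"] = fails(lambda: r.activate("alice", "auditor"))
    return out


if __name__ == "__main__":
    print(demo())
```

Note that `check` consults the session, not the assignment table: that is what makes run-time mutual exclusion meaningful, since a user who holds both manager and auditor gets neither set of permissions until one of them is activated.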

3. The RBAC3 model

Called the unified model, it combines RBAC1 and RBAC2 and, by transitivity, RBAC0 as well; it has all the features of RBAC0, RBAC1 and RBAC2, being both a hierarchical and a constrained model.

None of these models is set in stone: RBAC1, RBAC2 and RBAC3 are extensions of the base model, including but not limited to the features above, and which one to use is decided by actual needs.


What does the product manager mean by a user group?

When the platform's user base grows and the number of role types increases, assigning roles to users one by one becomes a heavy workload for the administrator. At this point we can introduce the concept of a user group: a set of users who share the same attributes.

For example, after introducing user groups, a department can be treated as a user group and given the department role directly (a department may have dozens of staff). The department's permissions then belong to every user in the department, with no need to assign the role to each user separately, which greatly reduces the workload of assigning permissions.

In addition, roles can still be assigned to specific users, in which case a user has all the permissions of the user group plus their own.

Besides reducing workload, user groups are easier to understand and allow multi-level management relationships. For example, when configuring the organizational structure, in addition to departments we can add ranks, posts and other levels to differentiate the permissions of members within a user group.
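An added example (not code from the original post) of the user-group idea: roles are attached to groups, groups can be nested so that a post sits inside a department, and a user's effective roles are the union of directly assigned roles and the roles of every group they belong to, walking up the organization. The department, post, user and permission names are constructed for illustration.

```python
from __future__ import annotations

from collections import defaultdict


class GroupRbac:
    """RBAC0 plus user groups: roles attach to groups or directly to users."""

    def __init__(self) -> None:
        self.role_perms: dict[str, set[str]] = defaultdict(set)
        self.group_roles: dict[str, set[str]] = defaultdict(set)
        self.user_roles: dict[str, set[str]] = defaultdict(set)
        self.user_groups: dict[str, set[str]] = defaultdict(set)
        self.parent_group: dict[str, str] = {}  # post or rank -> enclosing department

    def groups_of(self, user: str) -> set[str]:
        # walk up the organization: a member of a post is also a member of its department
        found: set[str] = set()
        stack = list(self.user_groups.get(user, ()))
        while stack:
            g = stack.pop()
            if g in found:
                continue
            found.add(g)
            if g in self.parent_group:
                stack.append(self.parent_group[g])
        return found

    def roles_of(self, user: str) -> set[str]:
        # direct roles plus the roles of every group the user is (transitively) in
        roles = set(self.user_roles.get(user, ()))
        for g in self.groups_of(user):
            roles |= self.group_roles.get(g, set())
        return roles

    def permissions(self, user: str) -> set[str]:
        return set().union(*(self.role_perms.get(r, set()) for r in self.roles_of(user)))

    def check(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)


def demo() -> dict[str, bool]:
    """Constructed organization: a finance department with an accountant post inside it."""
    g = GroupRbac()
    g.role_perms["finance_staff"] |= {"invoice:read"}
    g.role_perms["accountant"] |= {"ledger:post"}
    g.role_perms["auditor"] |= {"ledger:audit"}

    g.group_roles["finance"].add("finance_staff")          # role for the whole department
    g.group_roles["finance/accountant"].add("accountant")  # role for one post in it
    g.parent_group["finance/accountant"] = "finance"

    g.user_groups["li_si"].add("finance/accountant")
    g.user_groups["zhang_san"].add("finance")
    g.user_roles["zhang_san"].add("auditor")               # user-specific role on top

    out = {
        "post_member_gets_department_perms": g.check("li_si", "invoice:read"),
        "post_member_gets_post_perms": g.check("li_si", "ledger:post"),
        "department_member_lacks_post_perms": not g.check("zhang_san", "ledger:post"),
        "direct_role_adds_to_group_roles": g.roles_of("zhang_san") == {"finance_staff", "auditor"},
    }
    g.user_groups["li_si"].discard("finance/accountant")   # leaving the post drops both roles
    out["leaving_group_revokes"] = not g.check("li_si", "invoice:read")
    return out


if __name__ == "__main__":
    print(demo())
```

The last step is the one to watch in a real system: when a user changes post, the permissions derived from the old group must disappear with the membership, which only works if permissions are always resolved through the group at check time rather than copied onto the user when they join.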


Part of the above comes from articles on the web, organized and supplemented with my own understanding.