A general rights management system design based on the RBAC model
Keywords: design ideas
General data rights management system design (1)
This article presents an integrated solution for function permissions and data permissions that meets the need of a multi-level organization for centralized management of access control. The method extends RBAC (role-based access control) by adding data permission management on top of the usual function permission management, so that function permissions and data permissions are administered in one place. The terms used below:
Function permission: the question of what a user may do, for example "add a sales order";
Data permission: the question of on which data a user may do it, for example "view the sales orders of the Beijing Haidian branch sales office";
Resource: the resources of the system, mainly the various business objects, such as sales orders, payment vouchers, etc.;
Operation type: the operations that may be performed on a resource, such as add, delete, modify, etc.;
Function: an operation on a resource, i.e. the pair (resource, operation type), such as "add sales order" or "modify sales order";
Data type: the kinds of data by which business systems commonly scope permissions, such as company, department, project, individual, etc.;
Data object: a specific business object, such as Company A or Department B, covering all data object values that a permission may refer to;
Permission: either a function permission that a role may use, or a data permission that is subordinate to a role's function permission and restricts it;
Role: a named set of permissions;
User: the subjects that act in the system, such as people or other systems.
General data rights management system design (2)
In practice, data access control is relatively fixed: it is usually scoped by company, department, individual, customer, supplier and so on. In other words, a data permission generally means "some of the data belonging to the specified data objects of a given data type".
In this method, data permissions depend on function permissions: a data permission is a further qualification of a function permission, stating on which data a role may apply that function.
The method follows the principle "what is not explicitly restricted is allowed in full": if no data permission is defined for a function, the role has that function on all data. If data permissions of certain data types are defined for the function, the role may apply the function only to the data under the specified data objects of those types. One consequence to keep in mind: under this rule, deleting a role's data permission entries widens its access instead of narrowing it, so the implementation must keep "function not granted" and "function granted with no data restriction" clearly distinct.
This is somewhat abstract, so consider the following practical example.
A company's sales department has three sales offices: Beijing Sales, Shanghai Sales and Guangzhou Sales. Several roles need to be defined:
Sales Director: can view all sales orders of the sales department;
Beijing Sales Manager: can view all sales orders of Beijing Sales;
Shanghai Sales Manager: can view all sales orders of Shanghai Sales;
Guangzhou Sales Manager: can view all sales orders of Guangzhou Sales.
The roles are defined as follows:
Role                      Function            Data type     Data object
Sales Director            View sales order    (none)        (none)
Beijing Sales Manager     View sales order    Department    Beijing Sales
Shanghai Sales Manager    View sales order    Department    Shanghai Sales
Guangzhou Sales Manager   View sales order    Department    Guangzhou Sales
In this definition the Sales Director has only a function permission and no data permission, so the director can view all sales orders. The three sales managers have the same function permission, but a data permission is defined for it, so each can view only the sales orders of the specified department.
In practice there are always further cases: a group leader within a department should see the sales orders of everyone in the group, and some people should see only their own sales orders. These special cases cannot be expressed with the definitions above and must be handled in the design and implementation. For example:
Beijing Sales Representative: can view only their own sales orders within Beijing Sales;
Role                          Function            Data type     Data object
Beijing Sales Representative  View sales order    Department    Beijing Sales
The table row can only narrow the representative to the department; the "own orders only" part is the piece the implementation has to supply.
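The following is an added illustration, not code from the article: a minimal evaluator for the rule "a function with no data permission defined is unrestricted", extended with the two special cases the article leaves to the implementation (a group leader sees the group's orders; a representative sees only their own orders). Role names follow the article; the user names, the "$self" placeholder and the order data are constructed assumptions.

```python
"""Added illustration, not the article's code: evaluate a user's data scope
for a function under the rule "no data permission defined = unrestricted",
plus the two special cases (group leader, own orders only). The role names
follow the article; users, orders and the $self placeholder are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SalesOrder:
    order_id: str
    department: str  # value of data type "department"
    owner: str       # value of data type "owner": the user who created it


# Constructed sample orders.
ORDERS = [
    SalesOrder("SO-001", "Beijing Sales", "wang"),
    SalesOrder("SO-002", "Beijing Sales", "zhao"),
    SalesOrder("SO-003", "Shanghai Sales", "li"),
    SalesOrder("SO-004", "Guangzhou Sales", "chen"),
]

SELF = "$self"  # placeholder (my convention) resolved to the requesting user

# role -> function -> data scope. A function absent from a role is not
# granted; a function mapped to {} is granted with no data restriction;
# otherwise the scope maps a data type to the allowed data objects.
ROLE_FUNCTIONS = {
    "Sales Director": {"view_sales_order": {}},
    "Beijing Sales Manager": {"view_sales_order": {"department": {"Beijing Sales"}}},
    "Shanghai Sales Manager": {"view_sales_order": {"department": {"Shanghai Sales"}}},
    "Guangzhou Sales Manager": {"view_sales_order": {"department": {"Guangzhou Sales"}}},
    # Special case 1: "own orders only" is expressed as owner == requesting user.
    "Beijing Sales Representative": {
        "view_sales_order": {"department": {"Beijing Sales"}, "owner": {SELF}}},
    # Special case 2: a group leader is scoped to the group's members as owners.
    "Beijing Group 1 Leader": {"view_sales_order": {"owner": {"wang", "zhao"}}},
}

USER_ROLES = {
    "director": {"Sales Director"},
    "mgr_bj": {"Beijing Sales Manager"},
    "wang": {"Beijing Sales Representative"},
    "zhao": {"Beijing Sales Representative", "Beijing Group 1 Leader"},
    "guest": set(),
}


def role_scopes(user, function):
    """One data scope per role of the user that grants the function."""
    scopes = []
    for role in USER_ROLES.get(user, ()):
        functions = ROLE_FUNCTIONS.get(role, {})
        if function in functions:
            scopes.append(functions[function])
    return scopes


def has_function(user, function):
    """Function permission: does any of the user's roles grant the function?"""
    return bool(role_scopes(user, function))


def scope_allows(scope, user, order):
    """An empty scope allows everything; otherwise every data type in the
    scope must match the order's value, with $self resolved to the user."""
    for data_type, allowed in scope.items():
        resolved = {user if value == SELF else value for value in allowed}
        if getattr(order, data_type) not in resolved:
            return False
    return True


def visible_orders(user, function="view_sales_order"):
    """Order ids the user may apply the function to: visible if any role allows it."""
    scopes = role_scopes(user, function)
    return [o.order_id for o in ORDERS if any(scope_allows(s, user, o) for s in scopes)]
```

Note the two different "nothing defined" cases: a function missing from every role of the user yields no scopes at all and therefore no orders, while a function granted with an empty scope yields every order. Keeping those apart is what makes the default-allow rule safe to use.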
General data rights management system design (3): Database design
Let us first look at the traditional role-based rights management system, shown below. The simplest role-based access management consists of five parts: system functions, roles, system users, the role-function assignments and the user-role assignments.
Figure 1: Role-based database structure
To add data access control, the role-based design is extended as shown below:
Figure 2: Common data access management system database design
Comparing the two diagrams, the main changes are:
1. System resource and operation type tables are added. System resources form a tree, e.g. sales module and, under it, sales order; the operation type table records the possible operations, such as add, delete, modify, view and query. A system function is the combination of a system resource with an operation type, i.e. an operation on a resource.
2. Data object type and data object tables are added. The data object type table records the kinds of object the system needs to control, such as department, warehouse, employee, customer, supplier; the data object table records the instances of those types, such as Beijing Sales, Shanghai Sales, Joe Smith, John Doe, and so on. (The benefit of keeping these in separate tables is discussed later.)
3. A table associating system resources with data object types (many-to-many) is added. This is a configuration table that records the control points a resource may have: for example, sales orders may be associated with the department type so that permissions can be assigned by department, or with the customer type so that permissions can be assigned by customer.
4. A table associating a role's function permissions with data objects is added. This table is where the data rights are actually stored.
With this design, changes to an existing rights system are minimized, and data control points can be added very flexibly. In product-style software, this flexibility helps meet varying customer requirements.
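As an added example (not the article's own code), the extended structure of Figure 2 can be built in SQLite and queried to resolve a user's data scope for a function. The table and column names are my reading of the four changes above, the sample rows are constructed, and the "refuse a data object whose type is not a configured control point" check is the kind of guard a practitioner would add on top of the configuration table in change 3.

```python
"""Added example, not the article's own code: the extended tables described
in part 3 built in SQLite, with the query that resolves a user's data scope
for a function. Table and column names are my reading of Figure 2, and the
rows are constructed sample data."""
import sqlite3

SCHEMA = """
CREATE TABLE sys_resource (id INTEGER PRIMARY KEY, parent_id INTEGER REFERENCES sys_resource(id), name TEXT NOT NULL);
CREATE TABLE operation_type (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE sys_function (id INTEGER PRIMARY KEY,
    resource_id INTEGER NOT NULL REFERENCES sys_resource(id),
    operation_id INTEGER NOT NULL REFERENCES operation_type(id),
    UNIQUE (resource_id, operation_id));
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE sys_user (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE user_role (user_id INTEGER REFERENCES sys_user(id), role_id INTEGER REFERENCES role(id),
    PRIMARY KEY (user_id, role_id));
CREATE TABLE role_function (role_id INTEGER REFERENCES role(id), function_id INTEGER REFERENCES sys_function(id),
    PRIMARY KEY (role_id, function_id));
CREATE TABLE data_object_type (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE data_object (id INTEGER PRIMARY KEY, type_id INTEGER NOT NULL REFERENCES data_object_type(id),
    name TEXT NOT NULL);
-- change 3: configuration of which data object types may scope a resource
CREATE TABLE resource_data_type (resource_id INTEGER REFERENCES sys_resource(id),
    type_id INTEGER REFERENCES data_object_type(id), PRIMARY KEY (resource_id, type_id));
-- change 4: the data rights themselves, hanging off a role's function permission
CREATE TABLE role_function_data (role_id INTEGER, function_id INTEGER,
    data_object_id INTEGER REFERENCES data_object(id),
    PRIMARY KEY (role_id, function_id, data_object_id),
    FOREIGN KEY (role_id, function_id) REFERENCES role_function (role_id, function_id));
"""

SAMPLE_ROWS = """
INSERT INTO sys_resource VALUES (1, NULL, 'Sales module'), (2, 1, 'Sales order');
INSERT INTO operation_type VALUES (1, 'view'), (2, 'add');
INSERT INTO sys_function VALUES (1, 2, 1), (2, 2, 2);
INSERT INTO role VALUES (1, 'Sales Director'), (2, 'Beijing Sales Manager');
INSERT INTO sys_user VALUES (1, 'director'), (2, 'mgr_bj'), (3, 'guest');
INSERT INTO user_role VALUES (1, 1), (2, 2);
INSERT INTO role_function VALUES (1, 1), (2, 1);
INSERT INTO data_object_type VALUES (1, 'department'), (2, 'customer');
INSERT INTO data_object VALUES (1, 1, 'Beijing Sales'), (2, 1, 'Shanghai Sales'), (3, 2, 'Customer A');
INSERT INTO resource_data_type VALUES (2, 1);  -- sales orders may be scoped by department only
"""


def grant_data(conn, role_id, function_id, data_object_id):
    """Add a data right. Refuses objects whose type is not a configured control
    point for the function's resource; the composite foreign key refuses data
    rights for a function the role does not have (raises IntegrityError)."""
    configured = conn.execute("""
        SELECT 1 FROM sys_function f
        JOIN resource_data_type rdt ON rdt.resource_id = f.resource_id
        JOIN data_object d ON d.type_id = rdt.type_id
        WHERE f.id = ? AND d.id = ?""", (function_id, data_object_id)).fetchone()
    if configured is None:
        raise ValueError("data object type is not a control point of this function's resource")
    conn.execute("INSERT INTO role_function_data VALUES (?, ?, ?)", (role_id, function_id, data_object_id))


def data_scope(conn, user_name, resource_name, operation_name):
    """None: function not granted. {}: granted with no data restriction.
    Otherwise a dict of data type -> allowed data object names (restrictions
    from several roles are merged per type)."""
    function = conn.execute("""
        SELECT f.id FROM sys_function f
        JOIN sys_resource r ON r.id = f.resource_id
        JOIN operation_type o ON o.id = f.operation_id
        WHERE r.name = ? AND o.name = ?""", (resource_name, operation_name)).fetchone()
    if function is None:
        return None
    rows = conn.execute("""
        SELECT rf.role_id, dot.name, dobj.name
        FROM sys_user u
        JOIN user_role ur ON ur.user_id = u.id
        JOIN role_function rf ON rf.role_id = ur.role_id AND rf.function_id = ?
        LEFT JOIN role_function_data rfd ON rfd.role_id = rf.role_id AND rfd.function_id = rf.function_id
        LEFT JOIN data_object dobj ON dobj.id = rfd.data_object_id
        LEFT JOIN data_object_type dot ON dot.id = dobj.type_id
        WHERE u.name = ?""", (function[0], user_name)).fetchall()
    if not rows:
        return None        # no role of the user grants the function at all
    scope = {}
    for _role_id, type_name, object_name in rows:
        if type_name is None:
            return {}      # some role grants the function with no data rows: unrestricted
        scope.setdefault(type_name, set()).add(object_name)
    return scope


def build_sample_db():
    """In-memory database with the schema, the constructed rows and one data right."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    grant_data(conn, 2, 1, 1)  # Beijing Sales Manager may view sales orders of Beijing Sales
    return conn
```

The LEFT JOIN from role_function to role_function_data is what implements the "not explicitly restricted means all" rule at the database level: a role that has the function but no data rows comes back as a NULL data type and is treated as unrestricted, while a user with no role_function row at all gets None and is denied. Application code that filters the actual business table then only has to translate the returned dict into a WHERE clause on the configured control-point columns.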