Permission system basic knowledge notes

I have long wanted to implement a reasonably complete access control system. These notes summarize the basic permission-related concepts I collected along the way, in preparation for implementing RBAC-model permission management on go-micro + Casbin + Ant Design Pro.

Repository: Accbase

What are permissions?

Permission management is a module that almost every back-end system needs. It controls which resources different users may access, to avoid the risks that arise when permission control is missing or misused, such as operator errors, expired accounts that remain usable, and leakage of private data.

Functional division

A permission management system is divided into two parts:

  1. Authorization: granting permissions to roles or users.
  2. Authentication (access check): when a user performs an operation on a resource, judging from the recorded authorizations whether that access is allowed.

Basic concepts

Permission model

  1. The permission design model is RBAC (Role-Based Access Control), abstracted as Who, Group, Role, What (Which), How. It forms a "user-role-permission-resource" authorization model.

Permission terminology

  1. Resource: the thing you ultimately want to reach or protect. Menus, pages, buttons, APIs, data, etc. are all resources.
  2. User: the subject that initiates an operation. Users can be divided by type into 2B and 2C users, and can also be users of the back-office management system.
  3. Role: the intermediary that connects users and permissions. Each role can be associated with multiple permissions; a user associated with multiple roles holds the permissions of all of them. This makes authorization convenient and easy to extend. Roles must not be deleted or disabled casually.
  4. Permission: a resource that the user is allowed to access.
    • Page permission: the pages a user can see after logging in, controlled through the menu. The menu has first-level and second-level entries; a user who holds both the first-level and second-level menu permission can access the page.
    • Operation permission: the function buttons on a page, such as view, add, modify, delete and review. When the user clicks the delete button, the back end verifies whether the permissions of all the user's roles include the delete permission.
    • Data permission: different users see different data on the same page. For example, the finance department can only see user data belonging to its own department, and a user of the Hangzhou branch only sees Hangzhou data after logging in. (The usual solution is to associate data with the organizational structure: when authorizing a user, the administrator selects a role and binds it to an organization such as the finance department or the Hefei branch, and the user then holds the data permissions of that role within the finance department or the Hefei branch.)
  5. User group: as the user base and the number of role types grow, the administrator assigns a role to a user group and every user in the group holds it, instead of authorizing each user one by one.
  6. Organization: an organization can be associated with roles. A user who joins an organization automatically receives all of its roles without the administrator granting them manually, and when a user is transferred, only their organization needs changing for the roles to be adjusted in bulk. Organizations also control data permission: a role associated with an organization can only see the data under that organization. An organization is a collection.
  7. Position: each organizational department has several positions, each with different permissions. Positions are assigned to individuals.
  8. Menu: the pages a user can see after logging in; it can have multiple levels.

Relationships

  1. Users and roles are in a many-to-many relationship.
  2. Roles and permissions are in a many-to-many relationship.

Authorization process

  1. Direct granting: add roles to users, or add users to roles. To add roles to a user, click on the user in the user management page and grant roles; multiple roles can be added at once. To add users to a role, click on the role and select multiple users, which grants the role to users in bulk.
  2. Application and approval: the user applies for a role through the OA process; once the superior approves, the user holds the role without the system administrator granting it manually.

Permission system requirements

  1. The system has a super administrator who holds all system permissions.
  2. Different users see different elements and operations on a page.
  3. Different users have different access rights to pages.
  4. Operations include adding, deleting, modifying, querying, reviewing, etc.
  5. When a user has multiple roles, the user's permissions are the union of those roles' permissions.
  6. An authorization takes effect as soon as it is selected; no separate submit step is needed.
  7. A user (account) can have multiple roles, and a role can be assigned to multiple users.
  8. The administrator of each user group can create roles and manage their own roles.
  9. The administrator of each user group can add users and grant them permissions.
  10. A user is just a user: the record holds user-related information such as user name and password, and permissions are kept separate. For a user (User) to have permission on a resource, the permission must be associated through a role (Role).
  11. A role is the basic unit in which permissions are used; it carries a certain set of permissions, and users are granted permissions through roles.
  12. A permission is the user's right, derived from their roles, to use certain functions of the program, such as reading, writing, modifying and deleting files.
  13. Accounts have a validity period.
  14. Distinguish carefully between roles and positions.
  15. An account is assigned to the administrator at the organization's headquarters, who then maintains the lower-level data themselves.

Data tables

  1. User table (UserInfo): manages the most basic account information, such as name and validity period (a real business system can extend the user information).
  2. Role table (RoleInfo): manages basic role information; users can define their own roles.
  3. Menu table (MenuInfo)
  4. User-role table (UserRole): associates users with roles, recording which roles a user holds (a user can have several). Users can also be added by role, for example granting the "employee" role company-wide instead of authorizing each user one by one.
  5. Role-menu table (RoleMenu)
  6. Role-permission table (RolePermissions): associates roles with permission points in the system, i.e. records completed authorizations.
  7. Operation table (Action): stores the user-defined functional operations, such as add, modify and delete.
  8. Page element table (Element)
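To make the rules above concrete (union of a user's roles, roles bound to an organization for data permission, a super administrator, and the UserRole / RolePermission tables), here is a small in-memory enforcer in Go. It is an added example, not code from Accbase; all users, roles and organizations in it are constructed. In Casbin this corresponds to the RBAC-with-domains model with the organization as the domain.

```go
package main

import "fmt"

// Permission is a (resource, action) pair; RoleBinding ties a user to a role
// within one organization, which is the data scope described in the notes.
type Permission struct{ Resource, Action string }
type RoleBinding struct{ Role, Org string }

// RBAC is an in-memory user -> role -> permission model (Casbin replaces it in
// the real system); its fields mirror the UserRole and RolePermission tables.
type RBAC struct {
	SuperAdmin string                   // account holding every permission
	UserRoles  map[string][]RoleBinding // user <-> role is many-to-many
	RolePerms  map[string][]Permission  // role <-> permission is many-to-many
}

// Allowed is the server-side check behind e.g. a delete button: permissions are
// the union of the user's roles, each valid only for the organization it is bound to.
func (r *RBAC) Allowed(user, org, resource, action string) bool {
	if user == r.SuperAdmin {
		return true
	}
	for _, b := range r.UserRoles[user] {
		if b.Org != org {
			continue // role bound to another organization: no data permission here
		}
		for _, p := range r.RolePerms[b.Role] {
			if p.Resource == resource && p.Action == action {
				return true
			}
		}
	}
	return false
}
// Demo holds constructed sample data (not from any real deployment).
var Demo = &RBAC{
	SuperAdmin: "root",
	RolePerms: map[string][]Permission{
		"finance":  {{"user_data", "view"}},
		"operator": {{"user_data", "view"}, {"user_data", "delete"}},
	},
	UserRoles: map[string][]RoleBinding{
		"alice": {{"finance", "hangzhou"}, {"operator", "hangzhou"}},
		"bob":   {{"finance", "hefei"}},
	},
}
func main() {
	fmt.Println(Demo.Allowed("alice", "hangzhou", "user_data", "delete")) // true
}
```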