Authority design of SaaS system based on RBAC

Why does the system need permission control ？

Is there any permission limit in life ？

Disaster film 《2012》 The rich and powerful have the right to board Noah's Ark , The poor people have to wait for disaster ;

Why are there no beautiful people around losers 、 Good girls exist ？

Because rich people and beautiful girls are precious and rare , Rare people play together . Ordinary people often have no right to have the authority they have .

The essence of rights management

web Procedure passed url Switch to view different pages （ function ）, So permission management actually refers to URL management , Yes url Control is the control of permissions .

therefore , How many permissions a person has depends on how many... He can access URL.

RBAC What is it? ？

RBAC（Role-Based Access Control）, It's role-based access control , Is an advanced permission management model .RBAC Associate users with permissions through roles . That is, let a user have several roles , Each role has several permissions .

So it's constructed into “ user - role - jurisdiction ” The authorization model of . In this model , Between users and roles , Between roles and authorities , The average is a many to many relationship .

Concepts in the permission system

user

The specific operator of the application system , Users can have their own access information , Can be attributed to 0～n A character , May belong to 0～n A set of . His permission set is his own 、 The permissions of the roles they belong to 、 The set of permissions that each group belongs to . It's about authority 、 role 、 The relationships between groups are n Yes n The relationship between .

role

In order to classify and manage many users with similar permissions , Defines the concept of roles , For example, system administrator 、 Administrators 、 user 、 Visitors and other characters . Roles have a hierarchy , You can form a tree view , The permissions of a parent role are the combination of the permissions of itself and all its child roles . The user of the parent role 、 The group of the parent role can be inferred .

Group

To better manage users , Group and classify users , It's called user group for short . Groups also have a hierarchy , You can form a tree view . In practice , We know , Groups can also have their own role information 、 Permission information . It reminds me of our QQ User group , A group can have multiple users , One user can also join multiple groups . Each group has its own permission information . For example, view group shares .QQ Groups can also have their own role information , For example, ordinary groups 、 Advanced group, etc .

jurisdiction

All permission information in the system has two meanings . That is, the object of control 、 operation . The authority can be divided into 3 Components ：

Page permissions ： Users can see those pages ;

Operating authority ： What can users do on the page , Add, delete, change, check, etc ;

Data access ： Users can see that data or content ;

Authority module design

Complete permission management can be used as an independent system System development , Small things must also be done as SAAS The core foundation template of the platform , Enter planning at the beginning of the initial iteration 、 Design link . When designing the permission module , Products can be considered from two perspectives ：

1. Authority control management

That is, use all kinds of elements involving permission restrictions in the system 、 Permission control for viewing and other operations .

l The most basic authority management is menu management , Function modules for which the user does not have permission are not displayed on the menu node .

Such as ： After ordinary business personnel log in the system , I can't see 【 User management 】 Menu .

l Function authority management ,B/S The functions of the system are URL, Therefore, function permission management is mainly aimed at URL Access management .

Such as ： Authorized , Department managers can view 【 User management 】 menu , And view department user information , But the permission design requirements , The department manager does not have permission to add users . So I'm visiting 【 Add users 】 The function of （URL） when , There should be a prompt message about whether to authorize . At the same time 【 User management 】 On the page ,【 Add users 】 The button should be grayed out , Can't click .

l Line level authority management

Such as ： Forum administrator , Permission design requirements A Can manage forums 【 News section 】, Can't manage forums 【 Technical communication 】 At this time, the permission design should be based on the corresponding requirements of the forum ID To determine permission information .

l Column level permission management

Such as ： Business permission design requirements , In addition to the sales staff , Other users cannot see the customer's contact information .

At this time, the permission design should judge the corresponding fields （ Column ） Can I display .

l Organization / Department level data authority management

Such as ： Business permission design requirements , Sales Department 1 personnel can only see the sales orders of their own department , The staff of the second sales department can only see the sales orders of their own department , But the sales manager can see the sales orders of Sales Department 1 and sales department 2 at the same time . At this time, the permission design should be judged according to the Department attribute of the sales order data itself

l Scope business data permission management

Such as ： When the salesmen in the hypermarket place a sales order , To select the warehouse information of the corresponding product . Business permission design requirements ,【 Gome 】 The salesperson cannot see... In the drop-down list of warehouse selection 【 Guangzhou warehouse 】, and 【 Large and medium-sized electrical 】 The salesperson cannot see... In the drop-down list of warehouse selection 【 Beijing Shunyi warehouse 】

2. Authority assignment management

The content of authority management is allocated to specific users through the system authorization function , The process of role .

l Authorize users directly , Permissions assigned directly to users have the highest priority .

l Authorize the user's position , The position information of the user can be regarded as a group , Just like a character , However, each user can only be associated with one position information .

l Authorize the role to which the user belongs , The user's role information can be regarded as a permission group , Each user can associate multiple roles .

l Roles are directly associated with specific function permissions （URL）, Negative permissions can also be associated , That is, the permission associated with this role cannot use the negative permission function . Negative permissions have priority .

l Hierarchical Authorization , System administrators can authorize their own permission information to other users . That is, you can set up hierarchical administrators and super Administrators .

Overall interface design

Think about what a simple permission system should do ？ Certainly ： user - role - jurisdiction , The process shown in the figure below ：

Create a role list

Quickly create a role in the role list ： Click create character , Supports configuring permissions when creating roles .

gen Create user list

Quickly create a user in the user list ： Support the function of user association role . Common designs for user rights management include ：

l The role ： When the user chooses “ modify ” Button , Pop up the role tree structure , The operator can modify the role of the user by checking or unchecking .

l Subordinate to the group ： When the user chooses “ modify ” Button , Pop up the tree structure of the group , The operator can check or uncheck to modify the group to which the user belongs .

l User permissions ： Uncheck the existing permissions , Or add a check for a permission , To modify the user's permission information , Click on “ preservation ” Button to save the modification information .

l Total authority ： Uncheck the existing permissions , Or add a check for a permission , To modify the user's permission information , Click on “ preservation ” Button to save the modification information .

l User management ： When a user is selected , Click on the right , Pop up menu list ： modify 、 Delete 、 Cancel , Click the modify and delete button to realize the user's delete and modify functions .

Select an organization , for example “ Guangzhou Branch ”, Pop up menu list ： Add sub organization 、 Delete organization 、 Modify organization 、 Add users 、 Cancel , Click the add user button to add users .

l Organizational management ： Select an organization , Pop up menu list ： Add sub organization 、 Delete organization 、 Modify organization 、 Add users 、 Cancel , Click Add sub organization 、 Delete organization 、 The modify organization button can be used to add an organization 、 Delete and modify functions .

The above case is based on the simplest RBAC0 Model creation , It is applicable to most conventional rights management systems .

Role rights management

We can also add the role level on the basis of the above content . Role permission management design , It usually includes the following ：

l Include users ： When the user chooses “ modify ” Button , Pop up the user list , The operator can modify the users included in this role by checking or unchecking .

l Include group ： When the user chooses “ modify ” Button , Pop up the user list , The operator can modify the group contained in the role by checking or unchecking .

l Role permissions ： Uncheck the existing permissions , Or add a check for a permission , To modify the permission information of the role , Click on “ preservation ” Button to save the modification information .

l Management roles ： Select group 1 When , Right click to pop up the group operation list , Including adding 、 Delete and modify buttons , This completes adding subgroups under this group , Delete the group and modify the functions of the group .

The specific interface is shown in the figure below ：

Group right Limited management

besides , And group permission management

l Include users ： When the user chooses “ modify ” Button , Pop up the user list , The operator can modify the users contained in this group by checking or unchecking .

l The role ： When the user chooses “ modify ” Button , Pop up the role tree structure , The operator can modify the role of the group by checking or unchecking .

l Group permission ： Uncheck the existing permissions , Or add a check for a permission , To modify the permission information of the group , Click on “ preservation ” Button to save the modification information

l Total authority ： Uncheck the existing permissions , Or add a check for a permission , To modify the permission information of the group , Click on “ preservation ” Button to save the modification information

l Group management ： Select group 1 When , Right click to pop up the group operation list , Including adding 、 Delete and modify buttons , This completes adding subgroups under this group , Delete the group and modify the functions of the group

Operation log management

l Query operation log ： Enter the query information in the form above , Click on “ Inquire about ” Button , You can query the qualified information .

l Delete operation log ： Enter the query information in the form above , Click on “ Inquire about ” Button , You can query the qualified information . Then click “ Delete ” Button , You can delete the operation logs that meet the query criteria .

​