Design of general data rights management system

Source: Internet
Author: User

One: Application scenario

In practical applications, the points at which data access is controlled are generally fairly fixed, such as company, department, individual, customer, supplier and so on. In other words, data permissions generally apply to certain data objects of a specified data type. For example, a company has a Beijing production department, a Shanghai production department and a Baoding production department, and now needs to define several roles:

Headquarters Director -- can view the products of all production departments;
Beijing Production Department Manager -- can only view the products of the Beijing production department;
Shanghai Production Department Manager -- can only view the products of the Shanghai production department;
Baoding Production Department Manager -- can only view the products of the Baoding production department.

Two: Role definition

The above roles are defined as follows:

-------------------------------------------------------------------------------
Role name                               Function       Data type    Data object
-------------------------------------------------------------------------------
Headquarters Director                   View Product
Beijing Production Department Manager   View Product   Department   Beijing
Shanghai Production Department Manager  View Product   Department   Shanghai
Baoding Production Department Manager   View Product   Department   Baoding
-------------------------------------------------------------------------------

In the definition above, the director in the first row (the Sales Director) has only a function permission defined and no data permission, so the Sales Director is able to view all the products. The other managers have data permissions defined for this function, so they can only view the products of the designated department.

In practical applications, departments are often divided into groups, where a group leader can see the products of everyone in the group, and in some cases a person can only see their own products. These special cases cannot be handled by the description above and need to be dealt with in design and implementation.

Three: Design of general data rights management system

Let's first look at the traditional role-based rights management system. As shown in Figure one, the simplest role-based rights management consists of five parts: system function, system role, system user, role function and user role.

Figure one: The role-based database structure

To implement data rights control, the role-based rights management design is extended as shown in Figure two.

Figure two: General data rights management system database design

Comparing the two figures, the main changes between them are:

1, Add system resource information and operation type information. System resources form a tree structure, such as the sales module, sales orders and so on. The operation type records the possible actions, such as add, delete, modify, view, query and so on. A system function is the combination of a resource and an operation type: an operation on a resource is a system function.

2, Add two tables, data object type and data object. The data object type table records the types of objects that need to be controlled in the system, such as departments, warehouses, employees, customers, suppliers and so on. The data object table records the object instances of each object type, such as Beijing Sales department, Shanghai Sales department, Zhang San, John Doe and so on. (The benefits of storing these separately will be discussed later.)

3, Add an association table between system resources and data object types (many-to-many). This is a configuration table that indicates which control points a resource may require. For example, associating sales orders with the department type means permissions may be assigned by department, associating sales orders with the customer type means permissions may be assigned by customer, and so on.

4, Add a role data object permission table. This table is where data rights management is ultimately implemented.

This design minimizes changes to the original permission system and provides the flexibility to add data control points. Used in the design of product software, it can flexibly meet customers' needs.
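
The tables described above can be exercised with a small sketch; this is an added example, not code from the original article, and it uses Python's sqlite3 with assumed table, column and role names and constructed sample rows. It applies the rule from the role definition section: a role with a function permission and no data permission rows sees every product, a role with data permission rows sees only the listed departments, and a role without the function permission sees nothing.

```python
import sqlite3

# Assumed, simplified schema: function = resource + operation.
SCHEMA = """
CREATE TABLE data_object (id INTEGER PRIMARY KEY, object_type TEXT, name TEXT);
CREATE TABLE role_function (role TEXT, resource TEXT, operation TEXT);
CREATE TABLE role_data_object (role TEXT, resource TEXT, operation TEXT,
                               data_object_id INTEGER REFERENCES data_object(id));
CREATE TABLE product (name TEXT, department_id INTEGER REFERENCES data_object(id));
"""

def build_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO data_object VALUES (?, 'department', ?)",
                   [(1, "Beijing"), (2, "Shanghai"), (3, "Baoding")])
    db.executemany("INSERT INTO role_function VALUES (?, 'product', 'view')",
                   [("hq_director",), ("beijing_manager",), ("shanghai_manager",)])
    db.executemany("INSERT INTO role_data_object VALUES (?, 'product', 'view', ?)",
                   [("beijing_manager", 1), ("shanghai_manager", 2)])
    db.executemany("INSERT INTO product VALUES (?, ?)",
                   [("P-BJ-1", 1), ("P-BJ-2", 1), ("P-SH-1", 2), ("P-BD-1", 3)])
    return db

def visible_products(db, role, resource="product", operation="view"):
    key = (role, resource, operation)
    # 1. Function permission: without it the role gets nothing.
    if db.execute("SELECT 1 FROM role_function WHERE role=? AND resource=? "
                  "AND operation=?", key).fetchone() is None:
        return []
    # 2. Data permission: the data objects granted for this function.
    scope = [r[0] for r in db.execute(
        "SELECT data_object_id FROM role_data_object WHERE role=? "
        "AND resource=? AND operation=?", key)]
    if not scope:
        # No data permission defined: unrestricted, as for the director role.
        rows = db.execute("SELECT name FROM product ORDER BY name")
    else:
        marks = ",".join("?" * len(scope))
        rows = db.execute("SELECT name FROM product WHERE department_id IN "
                          f"({marks}) ORDER BY name", scope)
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for role in ("hq_director", "beijing_manager", "intern"):
        print(role, visible_products(db, role))
```

Because a missing data permission row means unrestricted access under this rule, deleting a manager's row in `role_data_object` widens that role to all departments, so changes to that table deserve the same review and audit logging as grants of new functions.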
