1. User: the final operator and the ultimate beneficiary of permissions. Permission control is ultimately about what the user is permitted to do, not about the permissions of a role or user group.
2. User Group (usergroup): relatively vertical. For example, the user group of the purchasing department is made up of the sales personnel of the purchasing department (currently defined as users) and has a clear upper-lower hierarchy. The purchasing department can only view documents belonging to the purchasing department, and the sales department can only view documents belonging to the sales department, so the grouping is strongly departmental. However, even though the sales personnel in the purchasing department belong to the same department, they do not necessarily have the same permissions. For example, the permissions of managers and general sales personnel must be different.
3. Role (role): a user group is vertical and top-down, whereas a role does not carry such a strong vertical relationship and instead has a relatively obvious horizontal (cross-cutting) nature. For example, define a role, Manager, that includes the managers of the various departments, not just the manager of the purchasing department or the sales department. This 'manager' role then has the permissions of the managers of all departments at the same time. That is to say, if the managers of all departments are placed only in this 'manager' role, the purchasing department manager has not only the operation permissions of the purchasing department manager but also the permissions granted to the managers of the other departments. This inevitably leads to congestion or confusion of permissions. The first object mentioned above, the user, can be used here: when several department managers belong to the same 'manager' role, you can only give each department manager different permissions by authorizing each one separately, as a user. Of course, you can also determine the user's final permissions from the association or rejection between the user's user group and role.
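The resolution described in items 1 to 3, as an added example that is not code from the original page: it shows the over-broad result of a role-only check next to a check that associates the role with the user's group and then applies per-user authorization. The permission tuples, user names and the rule itself (role permissions limited to the group's department, then per-user grants and denials, with denials winning) are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data. A permission is an (action, department) pair.
ROLE_PERMS = {
    "manager": {("view", "purchasing"), ("approve", "purchasing"),
                ("view", "sales"), ("approve", "sales")},
    "staff": {("view", "purchasing"), ("view", "sales")},
}
# Vertical scope: a group only reaches its own department's documents.
GROUP_SCOPE = {"purchasing": {"purchasing"}, "sales": {"sales"}}

@dataclass
class User:
    name: str
    groups: set
    roles: set
    grants: set = field(default_factory=set)   # per-user additions
    denies: set = field(default_factory=set)   # per-user rejections

def role_only(user):
    """Horizontal view only: every permission of every role the user holds."""
    return set().union(*(ROLE_PERMS[r] for r in user.roles))

def effective(user):
    """Role permissions associated with group scope, then user-level overrides."""
    scope = set().union(*(GROUP_SCOPE[g] for g in user.groups))
    scoped = {(action, dept) for action, dept in role_only(user) if dept in scope}
    # Denials are applied last so an explicit rejection always wins.
    return (scoped | user.grants) - user.denies

def is_allowed(user, action, dept):
    return (action, dept) in effective(user)

alice = User("alice", {"purchasing"}, {"manager"})
bob = User("bob", {"sales"}, {"manager"}, grants={("view", "purchasing")})
carol = User("carol", {"purchasing"}, {"staff"})
dave = User("dave", {"purchasing"}, {"manager"}, denies={("approve", "purchasing")})

if __name__ == "__main__":
    print("role only :", sorted(role_only(alice)))   # includes sales approvals
    for u in (alice, bob, carol, dave):
        print(f"{u.name:<9} :", sorted(effective(u)))
```
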