The common RBAC operation has been broadly understood. But when I create a model of a department, there are multiple departments in the business, there are multiple groups under the department, and there are many operations under the Department and the group. How do you separate these permissions?
These operations are only one, but are differentiated by department or group ID. How do I grant permissions by ID in RBAC?
Reply content:
The common RBAC operation has been broadly understood. But when I create a model of a department, there are multiple departments in the business, there are multiple groups under the department, and there are many operations under the Department and the group. How do you separate these permissions?
These operations are only one, but are differentiated by department or group ID. How do I grant permissions by ID in RBAC?
RBAC is based on "role", where all authorized objects are "roles", not other departments or what IDs, organize people in those departments and groups into "roles", or create correspondence between departments/groups and roles, and then authorize them.
Suppose there's 部门经理
such a role
In department A, 部门经理
operate a department of business
In department B, 部门经理
operate the affairs of Department B.
If you follow the general practice, you will design A部门经理
and B部门经理
Two characters can be differentiated, a bit of egg pain. So I think there's a problem with the granularity of operations here.
In the RBAC model, the Permission
usual understanding is Resource : Operation : Instance
, but I think it can be fixed as Resource : Operation : Domain
, here the domain refers to the function of the field, can be an organization (organization,department), a certain range (Mine, Others '), an instance (Instance), each domain is a dimension, verify that permissions need to be validated in a Resource : Operation
separate dimension after the validation of a string, seemingly there is no framework to do.