RBAC's permission control for department model

The common RBAC operation has been broadly understood. But when I create a model of a department, there are multiple departments in the business, there are multiple groups under the department, and there are many operations under the Department and the group. How do you separate these permissions?

These operations are only one, but are differentiated by department or group ID. How do I grant permissions by ID in RBAC?

Reply content:

The common RBAC operation has been broadly understood. But when I create a model of a department, there are multiple departments in the business, there are multiple groups under the department, and there are many operations under the Department and the group. How do you separate these permissions?

These operations are only one, but are differentiated by department or group ID. How do I grant permissions by ID in RBAC?

RBAC is based on "role", where all authorized objects are "roles", not other departments or what IDs, organize people in those departments and groups into "roles", or create correspondence between departments/groups and roles, and then authorize them.

Suppose there's 部门经理 such a role

• In department A, 部门经理 operate a department of business

• In department B, 部门经理 operate the affairs of Department B.

If you follow the general practice, you will design A部门经理 and B部门经理 Two characters can be differentiated, a bit of egg pain. So I think there's a problem with the granularity of operations here.

In the RBAC model, the Permission usual understanding is Resource : Operation : Instance , but I think it can be fixed as Resource : Operation : Domain , here the domain refers to the function of the field, can be an organization (organization,department), a certain range (Mine, Others '), an instance (Instance), each domain is a dimension, verify that permissions need to be validated in a Resource : Operation separate dimension after the validation of a string, seemingly there is no framework to do.

