Role-Based Access Control

Source: Internet
Author: User

RBAC

Role-Based Access Control (RBAC) introduces the concept of a Role. Its purpose is to separate the User (the acting subject, Subject) from the Privilege (a permission, meaning one Operation on a Resource, that is, Operation + Resource).

The Role is a proxy layer between users (User) and permissions (Privilege): it decouples permissions from users, so all authorization should be granted to Roles rather than directly to Users or Groups. The Privilege is the unit of granularity: an Operation plus a Resource, meaning one operation on one resource, for example "delete news". Role and Privilege are in a many-to-many relationship, and that relationship is the core of the permission model.

The two notable features of the role-based access control method (RBAC) are: 1. Because the role/permission and role/user relationships change much more slowly than direct user/permission relationships, the complexity and overhead of authorization management are reduced. 2. It flexibly supports enterprise security policies and scales well as the enterprise changes.

RBAC basic concepts:

RBAC authorization is really about Who, What and How. In the RBAC model, Who, What and How form the access-permission triple, that is, "Who performs How (which operations) on What (which resources)".

Who: the owner or subject of the permission (for example Principal, User, Group, Role, Actor and so on).

What: the target object or resource (Resource, Class).

How: the specific permission (Privilege).

Operator: an operation, meaning performing How on What, that is, Privilege + Resource.

Role: a role, a set of some number of permissions; the unit and carrier of permission assignment. Its purpose is to isolate the logical relationship between User and Privilege.

Group: a user group, also a unit and carrier of permission assignment. Permissions are assigned to the Group regardless of the specific users in it. A group can contain groups (to inherit permissions) and can contain users, and the users in a group inherit the group's permissions. User and Group are in a many-to-many relationship. Groups can be hierarchical to meet the requirements of permission control at different levels.

The focus of RBAC is the relationship of Role to User and to Permission, called User Assignment (UA) and Permission Assignment (PA). Both links are many-to-many: a User can have multiple Roles, and a Role can include multiple Users.

Anyone who has used an RDBMS knows that an N:M relationship needs an intermediate table to store the relationship between the two tables. UA and PA are exactly such intermediate tables. In fact, the whole of RBAC is built on the relational model.

The Session is a relatively obscure element of RBAC. In the standard model, each Session is a mapping from one user to multiple Roles: a Session is created when a user activates a subset of all the roles assigned to them. Each Session is associated with a single User, and a User can be associated with one or more Sessions.
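The relational model from the two preceding paragraphs (UA and PA as intermediate tables) together with the Session, as an added example that is not code from the original article. It uses an in-memory SQLite database; the table names, the users (alice, bob), roles (editor, reader) and privileges are constructed sample data. The point worth seeing in code is the access decision: it walks only the roles activated in the session, and opening a session refuses roles the user was never assigned, so a session can narrow but never widen what UA granted.

```python
from __future__ import annotations

import sqlite3

# Added example, not code from the original article: the RBAC relational
# model described above. user_role (UA) and role_privilege (PA) are the
# N:M junction tables, a privilege is an (operation, resource) pair, and a
# session activates a subset of one user's assigned roles. Table names and
# the sample users, roles and privileges are constructed for illustration.

SCHEMA = """
CREATE TABLE users      (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles      (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE privileges (id INTEGER PRIMARY KEY, operation TEXT NOT NULL,
                         resource TEXT NOT NULL, UNIQUE (operation, resource));
-- UA: user assignment, users <-> roles is N:M
CREATE TABLE user_role (user_id INTEGER NOT NULL REFERENCES users(id),
                        role_id INTEGER NOT NULL REFERENCES roles(id),
                        PRIMARY KEY (user_id, role_id));
-- PA: permission assignment, roles <-> privileges is N:M
CREATE TABLE role_privilege (role_id INTEGER NOT NULL REFERENCES roles(id),
                             privilege_id INTEGER NOT NULL REFERENCES privileges(id),
                             PRIMARY KEY (role_id, privilege_id));
-- A session belongs to exactly one user; session_role holds the subset of
-- that user's roles activated in it, and only those count for a decision.
CREATE TABLE sessions (id INTEGER PRIMARY KEY,
                       user_id INTEGER NOT NULL REFERENCES users(id));
CREATE TABLE session_role (session_id INTEGER NOT NULL REFERENCES sessions(id),
                           role_id INTEGER NOT NULL REFERENCES roles(id),
                           PRIMARY KEY (session_id, role_id));
"""


def build_db() -> sqlite3.Connection:
    """In-memory database populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users(name) VALUES (?)", [("alice",), ("bob",)])
    conn.executemany("INSERT INTO roles(name) VALUES (?)", [("editor",), ("reader",)])
    conn.executemany("INSERT INTO privileges(operation, resource) VALUES (?, ?)",
                     [("delete", "news"), ("read", "news")])
    # UA: alice is both editor and reader, bob is only a reader
    conn.executemany(
        "INSERT INTO user_role SELECT u.id, r.id FROM users u, roles r "
        "WHERE u.name = ? AND r.name = ?",
        [("alice", "editor"), ("alice", "reader"), ("bob", "reader")])
    # PA: editor may delete and read news, reader may only read it
    conn.executemany(
        "INSERT INTO role_privilege SELECT r.id, p.id FROM roles r, privileges p "
        "WHERE r.name = ? AND p.operation = ? AND p.resource = ?",
        [("editor", "delete", "news"), ("editor", "read", "news"),
         ("reader", "read", "news")])
    conn.commit()
    return conn


def open_session(conn: sqlite3.Connection, user: str, roles: list[str]) -> int:
    """Activate a subset of the user's assigned roles and return the session id.
    Roles the user does not hold are refused, so a session can never widen
    what UA granted."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (user,)).fetchone()
    if row is None:
        raise ValueError(f"unknown user {user!r}")
    user_id = row[0]
    assigned = {name for (name,) in conn.execute(
        "SELECT r.name FROM user_role ur JOIN roles r ON r.id = ur.role_id "
        "WHERE ur.user_id = ?", (user_id,))}
    not_held = set(roles) - assigned
    if not_held:
        raise ValueError(f"{user} is not assigned role(s) {sorted(not_held)}")
    session_id = conn.execute(
        "INSERT INTO sessions(user_id) VALUES (?)", (user_id,)).lastrowid
    conn.executemany(
        "INSERT INTO session_role SELECT ?, id FROM roles WHERE name = ?",
        [(session_id, r) for r in roles])
    conn.commit()
    return session_id


def is_permitted(conn: sqlite3.Connection, session_id: int,
                 operation: str, resource: str) -> bool:
    """Access decision: session -> activated roles -> PA -> privilege."""
    row = conn.execute(
        "SELECT 1 FROM session_role sr "
        "JOIN role_privilege rp ON rp.role_id = sr.role_id "
        "JOIN privileges p ON p.id = rp.privilege_id "
        "WHERE sr.session_id = ? AND p.operation = ? AND p.resource = ? LIMIT 1",
        (session_id, operation, resource)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    s = open_session(db, "alice", ["reader"])        # editor not activated
    print(is_permitted(db, s, "delete", "news"))    # False
    s = open_session(db, "alice", ["editor"])
    print(is_permitted(db, s, "delete", "news"))    # True
```

Note that the decision query never touches user_role directly: once a session exists, the activated roles are the only source of authority, which is what makes the session the place to apply least privilege (activate editor only when an edit is actually needed).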

In an RBAC system, a User actually plays a Role, so Actor can be used in place of User; this idea comes from the Actor-Role pattern in the book Business Modeling with UML. Considering that multiple people can hold the same permissions, RBAC introduces the Group. A Group can also be seen as an Actor, while a User corresponds to a single person.

The Group here is different from the Group in GBAC (Group-Based Access Control). GBAC is mostly used in operating systems, where the Group is associated directly with permissions. In fact, RBAC also borrowed some ideas from GBAC.

Group and User are related to the organization, but they are not the organization; the two are conceptually different. An organizational unit is an abstract model of the physical company structure, including departments, persons and positions, whereas the permission model describes abstract concepts. The organizational structure is generally modeled with Martin Fowler's Party or Accountability patterns.

The relationship between Person in Party and User is that each Person corresponds to a User, but not every User necessarily has a corresponding Person. A Department or Organization in Party can correspond to a Group, but a Group does not necessarily correspond to an actual organizational unit. For example, you can have a "deputy manager" Group in which multiple people share the same responsibilities.

Introducing the concept of a group not only solves the problem of multiple people holding the same role, but also solves another authorization problem of the organization: for example, I want all members of department A to be able to view the news of department A. With a group for department A, you can authorize that group directly.
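The group concept from the Group definition above and from this department-A example, as an added example that is not code from the original article. It keeps the rule stated earlier that authorization is given to roles only: a group is assigned roles, contains users and other groups, and a contained group inherits the roles of the groups above it. The group names (dept-a, dept-a-qa, dept-b, deputy-managers), users, roles and privileges are constructed sample data; the cycle check in nest_group is a caveat the text does not mention but which any hierarchical group model needs.

```python
from __future__ import annotations

from collections import defaultdict, deque

# Added example, not code from the original article: groups as a carrier of
# role assignment, following the rule above that authorization is given to
# roles only. A group is assigned roles, contains users and other groups,
# and a contained group inherits the roles of the groups above it. The
# group, user, role and privilege names below are constructed sample data.

Privilege = tuple[str, str]  # (operation, resource), e.g. ("read", "news:dept-a")


class AccessModel:
    def __init__(self) -> None:
        self.role_privs: dict[str, set[Privilege]] = defaultdict(set)  # PA
        self.user_roles: dict[str, set[str]] = defaultdict(set)        # UA
        self.group_roles: dict[str, set[str]] = defaultdict(set)       # group -> roles
        self.user_groups: dict[str, set[str]] = defaultdict(set)       # user <-> group, N:M
        self.parents: dict[str, set[str]] = defaultdict(set)           # child group -> parents

    def grant(self, role: str, operation: str, resource: str) -> None:
        self.role_privs[role].add((operation, resource))

    def assign_user(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def assign_group(self, group: str, role: str) -> None:
        self.group_roles[group].add(role)

    def add_member(self, user: str, group: str) -> None:
        self.user_groups[user].add(group)

    def nest_group(self, child: str, parent: str) -> None:
        """Make parent contain child; members of child inherit parent's roles.
        A cycle would make the walk in ancestors() loop and would let a group
        inherit from its own descendants, so it is refused."""
        if child == parent or child in self.ancestors(parent):
            raise ValueError(f"nesting {child!r} under {parent!r} creates a cycle")
        self.parents[child].add(parent)

    def ancestors(self, group: str) -> set[str]:
        """All groups above `group` in the hierarchy (breadth-first walk)."""
        seen: set[str] = set()
        queue = deque(self.parents.get(group, ()))
        while queue:
            g = queue.popleft()
            if g not in seen:
                seen.add(g)
                queue.extend(self.parents.get(g, ()))
        return seen

    def effective_roles(self, user: str) -> set[str]:
        """Roles from direct assignment plus every group the user is in
        and all of those groups' ancestors."""
        roles = set(self.user_roles.get(user, ()))
        for g in self.user_groups.get(user, ()):
            for h in {g} | self.ancestors(g):
                roles |= self.group_roles.get(h, set())
        return roles

    def is_permitted(self, user: str, operation: str, resource: str) -> bool:
        return any((operation, resource) in self.role_privs.get(r, set())
                   for r in self.effective_roles(user))


def sample_model() -> AccessModel:
    m = AccessModel()
    # Department A news: the role carries the privilege, the department group
    # carries the role, and members (directly or via a sub-group) inherit it.
    m.grant("dept-a-news-reader", "read", "news:dept-a")
    m.assign_group("dept-a", "dept-a-news-reader")
    m.nest_group("dept-a-qa", "dept-a")       # the QA team is part of department A
    m.add_member("carol", "dept-a-qa")
    m.grant("dept-b-news-reader", "read", "news:dept-b")
    m.assign_group("dept-b", "dept-b-news-reader")
    m.add_member("dave", "dept-b")
    # A "deputy managers" group that matches no organizational unit but lets
    # several people share the same responsibility.
    m.grant("expense-approver", "approve", "expense")
    m.assign_group("deputy-managers", "expense-approver")
    m.add_member("erin", "deputy-managers")
    m.add_member("frank", "deputy-managers")
    return m


if __name__ == "__main__":
    m = sample_model()
    print(m.is_permitted("carol", "read", "news:dept-a"))   # True, inherited via dept-a
    print(m.is_permitted("dave", "read", "news:dept-a"))    # False
```

Because the group only holds roles, moving the news-reading privilege to a different role or revoking it happens in one place (PA) and every member of every nested group sees the change, which is the slow-changing relationship the article's first advantage relies on.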
