Manage Permissions Group description

Source: Internet
Author: User

This article describes the method and implementation of an object-oriented rights-management model. By analysing the elements of each access scenario and abstracting those elements into a model, the model can be used to implement access control. I have taken the liberty of calling it the "four-dimensional rights management model", or "Access Control Matrix (ACM)". It is an awkward name, but I only arrived at this insight about half a year ago.

1. Access control matrix (ACM)

Note: In any use case, the actions that generate value for the user of the system are controlled along the following four dimensions:

• Operator (operator permission control):

  The subject of an action, the party doing something. Divided into: user, role, unit.

• Operate method (operation method permission control):

  The function performed by the operation, such as read, write, query, delete, etc.

• Object (operation object permission control):

  The object affected by the action, usually a business object such as a form.

• Object.fields (operation object property item permission control):

  A permission-sensitive property item of the object that the business requires to be controlled, such as a data item in a form, a single control on a form, and so on.

2. Composition of four-dimensional data in ACM

Operator: the operator. According to business needs, the controlled items are divided into three kinds: users, roles and units. Depending on business needs, the operator dimension can be controlled by a sequence of operator roles or by orthogonal operating rules;

Operate method: the method of operation. Depending on the business object being operated on, it may be a business operation or a low-level CRUD operation;

Object: the operation object, i.e. the object of the current operation. According to business needs this can be a business object such as a project or a form;

Object fields: the property items of the operated object, i.e. the data items of the bound object that require permission control, such as form fields, form controls, and so on.

3. Principle in brief

This section explains the principle of the ACM in rights management and access control. An ACM is a rule matrix made up of the several elements of a given operational behaviour in the controlled system. Imagine a scenario: when an operation is carried out, the following elements must be present: the operator, the operation method and the object of the operation. Every ACM entry specifies the condition that each element must satisfy for a single operation. For example, take the ACM entry "Li Houqiang", "Modify", "User Information". It stands for: "Li Houqiang can modify user information." This is of course a simple example; in practice the situation is far more complex. The first problem to be solved is the instance orientation of the operation object, that is, when access control such as the following occurs: "Li Houqiang can modify the name in the user's information, but cannot modify the ID number in the user's information." Clearly the existing three-dimensional ACM cannot meet this requirement.

The operation objects in an ACM are all objects, for two reasons: one is the encapsulation of data, the other is the abstraction of the object itself. Encapsulation simplifies data processing, and abstraction makes the object form more uniform and the number of methods controllable. However, when the business requires permissions to be controlled at the level of the object's members, this encapsulation and abstraction inevitably masks the permission sensitivity of those members. There are two ways to solve this problem:

Method 1: The permission-sensitive members of the object are themselves abstracted into objects in the ACM

Operator Operate Method Object
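As an added illustration (not code from the original article), the following Python sketch implements the four-dimensional ACM described above as a default-deny matcher, including the field-level case from section 3 where Li Houqiang may modify the name but not the ID number. The `AcmRule`, `AccessControlMatrix` and `SAMPLE_RULES` names, and the sample rules themselves, are constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set

# One row of the four-dimensional ACM: (operator, operate method, object, object fields).
# An empty `fields` set means the rule grants the whole object, i.e. every field.
@dataclass(frozen=True)
class AcmRule:
    operator: str                         # user name, role name or unit name
    method: str                           # e.g. "read", "modify", "delete"
    obj: str                              # business object, e.g. "UserInfo"
    fields: FrozenSet[str] = frozenset()  # sensitive property items; empty = whole object


class AccessControlMatrix:
    """Default-deny matcher over the four dimensions (hypothetical helper)."""

    def __init__(self, rules: Iterable[AcmRule]) -> None:
        self.rules = list(rules)

    def is_allowed(self, operators: Set[str], method: str, obj: str,
                   fld: Optional[str] = None) -> bool:
        # `operators` holds the acting user's own name plus the roles and units
        # they belong to, so a rule may match on any of the three operator kinds.
        for r in self.rules:
            if r.operator not in operators or r.method != method or r.obj != obj:
                continue
            if not r.fields:              # object-level grant covers every field
                return True
            if fld is not None and fld in r.fields:
                return True               # field-level grant covers this field only
        return False                      # no rule matched: deny

    def allowed_fields(self, operators: Set[str], method: str, obj: str,
                       requested: Iterable[str]) -> Set[str]:
        """Subset of `requested` fields the operator may apply `method` to.
        Useful when rendering a form: hide or lock the fields that are denied."""
        return {f for f in requested if self.is_allowed(operators, method, obj, f)}


# Constructed sample rules for the user-information scenario described above.
SAMPLE_RULES = [
    AcmRule("Li Houqiang", "modify", "UserInfo", frozenset({"name"})),
    AcmRule("Administrator", "modify", "UserInfo"),     # whole object
    AcmRule("HR Department", "read", "UserInfo"),       # unit-level grant
]
```

Note that a field-level grant deliberately does not imply a grant on the whole object: a request to modify `UserInfo` as a whole (no field named) is denied unless a whole-object rule exists for one of the operator's identities.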
