No system can do without permission management. A good permission management module not only lets the system run smoothly, but also makes administration easy and is a selling point for the system.
- Personnel with different responsibilities should have different system operation permissions. This is the most basic function of a good business system.
- Permissions can be assigned to a group. In the business system of a large enterprise, it is time-consuming and inconvenient for the administrator to assign system operation permissions to employees one by one. The system therefore introduces the concept of operating on a "group": users who need the same permissions are placed in the same group, and permissions are then assigned to the group.
- The permission management system should be extensible. It should be possible to add it to any system that needs permission management and to reuse it repeatedly, like a component, so that the permission management part does not have to be redeveloped every time a management system is developed.
- It should cover the functional permissions of the business system. Traditional business systems have two types of permission management: management of functional permissions and management of resource permissions. Functional permissions can be reused, while resource permissions cannot.
Given the characteristics of the OA system, the permissions are described as follows:
Permission
In the system, a permission is expressed as Module + Action. The module is a sub-module of the system, which may correspond to a menu, and the action is an operation on the whole module (in a B/S system, this means all operations on a page, for example "browse, add, modify, delete"). Combining a module with its actions generates all permissions under that module.
Permission Group
To facilitate permission management, all permissions under one module are combined to form a "permission group", that is, the management permission for a module, which includes all of its basic permission operations. For example, the permission group "user management" includes operation permissions such as browsing, adding, deleting, modifying, and reviewing users. A permission group is itself also a permission.
Role
A set of permissions. Roles are in a hierarchical relationship with one another. You can add basic permissions or permission groups to a role to facilitate permission allocation.
User Group
A collection of people with the same characteristics. By granting permissions (roles) to a group, you can quickly grant the same permissions to a whole class of users. This simplifies the tedious and time-consuming process of granting permissions to users one by one. User groups can be divided by position, project, or other criteria. A user can belong to one or more groups.
There are four ways to grant permissions to an individual (refer to the Office System of Apsara stack):
A. By position
a) Members of a position inherit the permissions of that position. They cannot inherit the permissions of lower-level positions.
b) Example: the front-end position needs to query attendance. Set the permission to view the attendance query module on the front-end position so that its members can use this object, and then set the attendance query permission as well (you can also choose not to set it; by default, access to the module allows querying). All front-end personnel then have the right to query attendance.
B. By project
a) In a project, the permissions of project members come from the project they belong to. They cannot inherit the permissions of lower-level projects. The project leader has full permissions on the project, and the same applies to its lower-level projects.
b) Example: in a project, a project member can upload documents to the project and view the project's documents. Setting the project view permission on the project lets project members upload documents; in this way every member can access the project and also upload and view its documents.
c) The leader can be granted a leader privilege (a special permission that is a package containing various other permissions), so every leader has full permissions on the project: the project leader can view, approve, delete, and recover project documents. These permissions remain valid for the project's subordinate projects.
C. By role
a) Members of a role inherit the permissions of the role. Roles have no parent-child relationship with one another; they are parallel. Role-based granting is another way to grant permissions besides position and project, by type of work, such as system administrator, data backup engineer, and so on.
b) Example: in this system, some modules should be available to all personnel by default, such as My Emails, My Documents, My Logs, My Attendance, and so on, so all system members should hold a role covering these modules. If we create a role as the system's default role and add to it the browse permission for every module accessible by default, system members can access these modules.
D. By direct assignment
a) You can assign a specific permission directly to an individual so that the user can use it. Direct assignment is a simplified version of role-based assignment: it skips the step of creating a role such as project leader, so that there are not too many roles.
b) Example: designate the leader of a project by assigning the leader privilege to someone.
For positions and projects:
When a new employee is added, or an employee changes position or project team, the employee automatically inherits the permissions of the position and project team, and permissions do not need to be re-assigned.
User Management
A user can belong to one or more user groups. By authorizing a user group, you can grant permissions to all users in the group. A user can belong to multiple project groups or hold multiple positions.
Authorization management
Grant a basic permission or role to a user or user group so that the user or user group holds a string of granted permissions. If a role, a position, and a project grant the same basic permission, it is counted once. When, for example, a user leaves a role, position, or project group, only the permissions granted through that role, position, or project group are revoked from the user or user group. A user's permissions are the set of permissions granted through all channels. The administrator can view the final permission list of each user.
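The rules above (Module + Action permissions, the four granting channels, and a user's final permission list as the set granted through all channels) worked through in Python. This is an added example, not part of the original article: the class, channel names, module names, and users are constructed for illustration, and the leader package uses the four document operations listed under B. By project.

```python
# Added example; every name and all sample data below are constructed.
from collections import defaultdict

LEADER_ACTIONS = ("view", "approve", "delete", "recover")  # leader package

def permission_group(module, actions):
    """All Module+Action permissions of one module, as (module, action) pairs."""
    return {(module, action) for action in actions}

class Authz:
    def __init__(self):
        self.grants = defaultdict(set)       # channel -> permissions granted to it
        self.member_of = defaultdict(set)    # user -> channels the user belongs to
        self.subprojects = defaultdict(set)  # project -> direct sub-projects
        self.leads = defaultdict(set)        # user -> projects the user leads

    def grant(self, channel, perms):
        self.grants[channel] |= set(perms)

    def _subtree(self, project):
        yield project
        for child in self.subprojects[project]:
            yield from self._subtree(child)

    def effective(self, user):
        """Final permission list: union over position, project, role and direct grants."""
        perms = set(self.grants[("user", user)])      # D. direct assignment
        for channel in self.member_of[user]:          # A-C. position, project, role
            perms |= self.grants[channel]             # members get only their own level
        for project in self.leads[user]:              # leader: project plus sub-projects
            for p in self._subtree(project):
                perms |= permission_group("docs:" + p, LEADER_ACTIONS)
        return perms

def build_sample():
    az = Authz()
    az.grant(("role", "default"), permission_group("my_documents", ["browse"]))
    az.grant(("position", "front-end"), {("attendance", "browse")})
    az.grant(("project", "alpha"), {("docs:alpha", "view"), ("docs:alpha", "upload")})
    az.grant(("project", "alpha-sub"), {("docs:alpha-sub", "view")})
    az.grant(("user", "bob"), {("attendance", "browse")})  # same permission, second channel
    az.subprojects["alpha"].add("alpha-sub")
    az.member_of["bob"] |= {("role", "default"), ("position", "front-end"), ("project", "alpha")}
    az.leads["carol"].add("alpha")
    return az
```

Removing bob from the front-end position leaves ("attendance", "browse") in his effective set, because the direct grant still supplies it; only the grants of the channel that was left disappear.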
Permission management
Manage basic operation permissions and permission groups (sets of basic operation permissions).