"Database Design (2)": Permission Design - System Login User Rights Design

Source: Internet
Author: User

Requirements analysis (scenario)

Suppose you need to design a personnel management system for a company and assign a system login account to every leader and employee. There are several requirements:

1. Permission levels differ: after logging in, a company leader can view the information of all employees; a department leader can view only the staff of their own department; an ordinary employee can view only their own information.
2. Access permissions differ: after logging in, a company leader can open the salary distribution interface, while an ordinary employee cannot see it at all.
3. Operation permissions differ: in the information publishing interface a system administrator can edit the published information, while an ordinary employee can only view it and cannot add, modify or delete anything.

Functional analysis

1. Logging in to the system requires, at minimum, that the user enter a user name and a password.
2. Each user's role is different, so their access rights generally differ. For example: system administrator: can view all interfaces; ordinary user: can view only some of the interfaces.
3. Different users may be able to view the same interface yet hold different operation permissions within it. For example: user 1 can add, delete, modify and query on interface 1; user 2 can only view interface 1 and cannot add or delete.
4. Different users generally hold different roles, for example user 1 and user 2 hold the administrator role and the operator role respectively. Roles also differ from one another in permission level, for example: role 1, the provincial administrator, can view the information of every school saved in the system; role 2, the city administrator, can view every school in that city; role 3, the county administrator, can view every school in that county. Whichever of the three levels an administrator belongs to, the interfaces they can open are the same (their access rights are the same) and the operations they can perform in each interface are the same; what differs is the number and the scope of schools each administrator role can reach. This difference is what is called a difference in permission level.

Summary: the analysis above involves the following concepts:

1. Role: for example the system administrator role, the system operator role and the ordinary user role. Different roles have different access rights, i.e. different sets of modules (interfaces) they may open, and different permission levels, for example company leader, department leader and ordinary staff.
2. Module (interface): a module is a concrete interface; each module supports its own operations, such as add, delete, modify and query.
3. Access rights: determine the set of modules (interfaces) a role may access.
4. Operation rights: determine the set of operations that may be performed within each module (interface), such as add, delete, modify and query.
5. Permission level: determines the data scope a role may reach. For example: role 1 has the permission level "company leader" and can therefore view the information of every employee in the company; role 2 has the permission level "department leader" and can view only the employees of that department.

Database Design Overall Model:


1. Module definition table:
Modules are hierarchical, for example Information Management -> Contact Management; each module records its parent module (top-level modules have none).

2. Role definition table: contains a role permission level field used to assign a permission level to a role. The role permission level is chosen from a menu of values: company leader, department leader and ordinary staff.

3. Authorization definition table: used to assign access rights to roles and operation rights for each module. One role can contain many modules and one module can be assigned to many roles, so roles and modules are in a many-to-many relationship. This is implemented with a relation table whose primary key is the combination of role number and module number.
The table also contains an "operation permission" field that assigns the operation rights for each interface as a bit mask: if the module supports add, delete, modify and query, the operation permission is 15, binary 1111; if the module only allows viewing, the operation permission is 2, binary 0010; likewise 0111 (7) grants the three lower operations, such as modify and query, but withholds the operation carried by the top bit. An operation is allowed only when the module is in the role's access set and the corresponding bit is set.

4. System user table:
The role permission level stored in this table must be consistent with the permission level of the role the user belongs to; the field is duplicated here for convenient querying. Because it is denormalized, it must be updated whenever a user's role or the role's level changes, otherwise the data-scope lookup at login will use a stale level.

Role permission level values:
1. Company leader: company_id must not be empty.
2. Department leader: company_id and dept_id must not be empty.
3. Ordinary staff: company_id, dept_id and staff_id must not be empty.

Login execution process

1. On login, the user enters a user name and password.
2. Determine access rights:
   2.1 Look up the user's role number.
   2.2 In the authorization definition table, find the modules assigned to that role number; the set of modules found is the user's access rights.
3. Determine operation permissions:
   3.1 Each module found in step 2.2 carries its own operation permission value, which gives the operations the user may perform in that module.
4. Determine permission level:
   4.1 Combine the user's role permission level with the user's company id, department id and employee id and query the employee information table for the employees in scope, by role permission level value:
   1. Company leader: all rows where employee_info.company_id == user.company_id.
   2. Department leader: all rows where employee_info.company_id == user.company_id && employee_info.dept_id == user.dept_id.
   3. Ordinary staff: the row where employee_info.company_id == user.company_id && employee_info.dept_id == user.dept_id && employee_info.staff_id == user.staff_id.

Note: these lookups must be repeated on the server for every later request (opening a module, performing an operation, fetching employee rows), not only once at login; a result computed once and kept only in the client can be bypassed by calling the server directly.
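The following is an added worked example, not code from the original post: it puts the four tables, the operation-permission bit mask from the authorization definition table, and steps 2 to 4 of the login process on an in-memory SQLite database, and adds a consistency check for the duplicated role permission level in the user table. Table and column names, the assignment of the add/delete/modify bits (the page fixes only 1111 and 0010), and all sample rows are assumptions made for illustration; the password check of step 1 is left out.

```python
"""Added worked example (not code from the original post): the four tables
described above on an in-memory SQLite database, the operation-permission bit
mask, and the login-time resolution of access rights, operation rights and
permission level.  Table/column names, the bit assignment and all sample rows
are assumptions made for illustration; password checking (step 1) is omitted."""
import sqlite3

# Assumed bit layout: the page fixes only 1111 = all four operations and
# 0010 = view only; which remaining bit is add/delete/modify is our choice.
OP_ADD, OP_DELETE, OP_VIEW, OP_MODIFY = 8, 4, 2, 1
OP_NAMES = {OP_ADD: "add", OP_DELETE: "delete", OP_VIEW: "view", OP_MODIFY: "modify"}
LEVEL_COMPANY, LEVEL_DEPT, LEVEL_STAFF = 1, 2, 3   # role permission level menu

SCHEMA = """
CREATE TABLE module (module_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    parent_id INTEGER REFERENCES module(module_id));           -- hierarchical
CREATE TABLE role (role_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    role_level INTEGER NOT NULL);
CREATE TABLE authorization_def (role_id INTEGER REFERENCES role(role_id),
    module_id INTEGER REFERENCES module(module_id), op_perm INTEGER NOT NULL,
    PRIMARY KEY (role_id, module_id));                         -- many-to-many
CREATE TABLE sys_user (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
    role_id INTEGER REFERENCES role(role_id),
    role_level INTEGER NOT NULL,        -- duplicated from role "for easy querying"
    company_id INTEGER NOT NULL, dept_id INTEGER, staff_id INTEGER);
CREATE TABLE employee_info (staff_id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL,
    dept_id INTEGER NOT NULL, name TEXT NOT NULL);
"""

def open_db() -> sqlite3.Connection:
    """Create the schema and load constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO module VALUES (?,?,?)", [
        (1, "Information Management", None), (2, "Contact Management", 1),
        (3, "Salary Distribution", None), (4, "Information Publishing", None)])
    conn.executemany("INSERT INTO role VALUES (?,?,?)", [
        (1, "company leader", LEVEL_COMPANY), (2, "department leader", LEVEL_DEPT),
        (3, "ordinary staff", LEVEL_STAFF)])
    conn.executemany("INSERT INTO authorization_def VALUES (?,?,?)", [
        (1, 1, 15), (1, 2, 15), (1, 3, 2), (1, 4, 15),   # leader: salary is view-only
        (2, 1, 7), (2, 2, 15), (2, 4, 2),                # dept leader: no salary module
        (3, 1, 2), (3, 4, 2)])                           # staff: view only
    conn.executemany("INSERT INTO sys_user VALUES (?,?,?,?,?,?,?)", [
        (1, "ceo", 1, LEVEL_COMPANY, 1, None, None),
        (2, "head10", 2, LEVEL_DEPT, 1, 10, 101),
        (3, "alice", 3, LEVEL_STAFF, 1, 10, 102)])
    conn.executemany("INSERT INTO employee_info VALUES (?,?,?,?)", [
        (101, 1, 10, "Dept 10 head"), (102, 1, 10, "Alice"), (103, 1, 10, "Bob"),
        (104, 1, 20, "Carol"), (201, 2, 30, "Dave")])
    return conn

def access_rights(conn, user_id: int) -> dict:
    """Steps 2 and 3: modules the user's role may open, each with its op mask."""
    rows = conn.execute("""SELECT a.module_id, a.op_perm FROM sys_user u
                           JOIN authorization_def a ON a.role_id = u.role_id
                           WHERE u.user_id = ?""", (user_id,))
    return {module_id: op_perm for module_id, op_perm in rows}

def can(rights: dict, module_id: int, op: int) -> bool:
    """Operation check: module must be in the access set and the bit must be set."""
    return bool(rights.get(module_id, 0) & op)

def ops_of(op_perm: int) -> list:
    """Decode a mask into operation names, e.g. 7 -> delete, view, modify."""
    return [name for bit, name in OP_NAMES.items() if op_perm & bit]

def visible_employees(conn, user_id: int) -> list:
    """Step 4: data scope by role permission level.  The filter is part of the
    parameterized query itself, never applied by trimming results client-side."""
    lvl, comp, dept, staff = conn.execute(
        "SELECT role_level, company_id, dept_id, staff_id FROM sys_user WHERE user_id = ?",
        (user_id,)).fetchone()
    if lvl not in (LEVEL_COMPANY, LEVEL_DEPT, LEVEL_STAFF):
        raise ValueError(f"unknown role level {lvl}")          # fail closed
    sql, params = "SELECT staff_id FROM employee_info WHERE company_id = ?", [comp]
    if lvl >= LEVEL_DEPT:
        if dept is None:
            raise ValueError("department-level user without dept_id")
        sql, params = sql + " AND dept_id = ?", params + [dept]
    if lvl == LEVEL_STAFF:
        if staff is None:
            raise ValueError("staff-level user without staff_id")
        sql, params = sql + " AND staff_id = ?", params + [staff]
    return sorted(r[0] for r in conn.execute(sql, params))

def level_mismatches(conn) -> list:
    """Consistency check for the duplicated sys_user.role_level column."""
    return [r[0] for r in conn.execute("""SELECT u.user_id FROM sys_user u
        JOIN role r ON r.role_id = u.role_id WHERE u.role_level <> r.role_level""")]

if __name__ == "__main__":
    db = open_db()
    for uid in (1, 2, 3):
        rights = access_rights(db, uid)
        print(uid, {m: ops_of(p) for m, p in rights.items()}, visible_employees(db, uid))
```

Running the block prints, for each sample user, the modules they may open with the decoded operations and the employee ids in their scope. The scope query takes the level from the duplicated sys_user.role_level column exactly as the page describes; level_mismatches() shows why that column has to be kept in step with the role table: if a staff-level user's copy is changed to the company-leader value, the scope silently widens to the whole company even though the role itself is unchanged.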


