How to implement authentication and authorization system quickly and easily in web system

Access control and RBAC model

Access control

The common multi-user system will involve http://www.aliyun.com/zixun/aggregation/38609.html "> Access control, the so-called access control, refers to a way to allow live limited access to the user's ability and scope." This is mainly due to the need for the system to protect the key resources to prevent illegal intrusion or misoperation of the business system damage. In short, access control is that which users have access to which resources.

Generally speaking, the access control system consists of three components:

Principal: The entity that issues an access request, usually the user or user process. Object: A protected resource, usually a program, data, file, or device. Access policy: The mapping rules of subject and object to determine whether a subject has access to the object.

RBAC model

The concept of role-based access control (RBAC) has been put forward in the 70 's, but it was not until the 90 's that the development of security demand caused widespread concern. The core idea of RBAC is to classify the access rights of the system resources or to establish the hierarchical relationship, to abstract the concept of role, and then to associate the user and the role according to the security policy, so as to achieve the control between the user and the authority. Through introducing the role and using it as the intermediary of authority management, RBAC divides the access control system into two parts, that is, the relation between the rights and the role and the user, and has the advantage of being flexible and easy to control.

The establishment and implementation of RBAC model are two hotspots in the research of role-based access control. The RBAC96 model is widely accepted for its comprehensive and systematic description of multiple levels of meaning. The National Standards and Technology Association (NIST), based on RBAC96, has developed a RBAC standard, which mainly divides RBAC into: Core RBAC, Hierarchical Rbac, Constraint RBAC.

The RBAC96 model contains 4 levels, as shown in Figure 1:

Figure 1. RBAC96 model

which：

RBAC0: The core RBAC, which contains RBAC, is the most basic model and contains only the basic RBAC elements, namely user, role, privilege, session. There is a peer relationship between the roles, and there are no additional constraints between the objects. RBAC1: A role inheritance relationship is established on the basis of RBAC0. RBAC2: also contains the RBAC0 and defines the constraints, the common constraints that need to be considered in practice include role mutexes and role cardinality. RBAC3: Contains the RBAC1 and RBAC2, that is, the inherited relationship of both roles, including the constraint relationship, is the most complex model.

Figure 2 clearly describes the user, role, permissions, inheritance, and constraint relationships in the RBAC model.

Figure 2. RBAC Model Diagram

Constraints are an important part of RBAC, and the more common constraints include:

Mutex role constraint: refers to the principle that the same user can only be assigned up to one role in the set of mutually exclusive roles to support "separation of duties" principles. Mandatory role constraints: Also known as prerequisite constraints, are important constraints defined on User Role Assignment relations (UA) and Permission Role Assignment Relationships (PA), where the assigned role or permissions depend on another role or privilege. Cardinality constraint: Also defined as a constraint on UA and PA, which controls the allocation of advanced permissions in the system by defining the maximum number of users that a role can be assigned or the number of roles a permission can allow to be allocated.