Design of a general permission management system

Today, I accidentally saw comrade Sihai's article titled implementing user permission management in the Business System-design.ArticleWell written, some of the words in it seem to have been transferred by the design of other permission management systems. They all seem familiar. Of course, it is not ruled out that those articles were originally written by Comrade Sihai and subsequently transferred by them. I have read Comrade Sihai's article carefully. The analysis is thorough. I used to study the permission management system of B/S for a while. I was a little careful. I want to share with you my personal skills. If I cannot write well, or where is it wrong? I hope my friends will point it out and never beat me.

Comrade Sihai's article includes the following sentence:"In traditional business systems, there are two types of permission management: one is the management of functional permissions, and the other is the management of resource permissions, function permissions can be reused, while resource permissions cannot ". It seems that his permission design does not solve the problem of resource reuse. Of course, if it stores the resource files in different folders separately and uses the URL to determine the permissions, it is another matter.

I am a lazy person. I always want to use a general method and place it wherever appropriate. So I have to worry about database design. In fact, many permission management systems are not the same. Therefore, the permission management systems developed by many developers are not necessarily suitable if they are put elsewhere. They often need to be re-developed, the structure of the permission management system cannot be changed, but only data can be changed. Under the guidance of such an idea, we thought that our structure should not be changed, as common as possible. In fact, the structure is still reflected in the database. Comrade Sihai said:"Permission", "group", and "person ". These three elements can be added at will without affecting each other.

however, I believe that a complete permission management system should include four parts: User, role, module, and resource. In terms of database table design, these four tables are called Entity tables of the permission management system. As long as these four entity tables are made, the structure of the permission management system is complete, such a permission management system is translated into Chinese: The permission management system is a judgment (the word may not be accurate) A system in which a user or role has any function on any resource. In this way, the designed permission management system is universal and scalable, and the system is complete enough. When the four physical tables are completed, it means that the architecture has been set up. What should we do with the logical relationship? At the time of design, I used four other tables to store the logical relationships between them. A total of eight tables, four entity tables, and four logical relationship tables were created. Other permission management systems may have fewer than 8 tables, which is generally less universal. Generally, changes are made on the basis of completeness. Some use inheritance, some use bitwise operations, and others, although not universal, fully utilize their own characteristics, generally, there are fewer than 8 tables, but the translation into Chinese is not complete. It is usually used to determine whether a user has any function on the resource, whether the user or role has permissions on the resource, and so on .... Remember, a general permission management system can dynamically expand without changing the architecture conditions, regardless of the user, role, module, and resource. It only changes data, as long as you have this idea and combined with the characteristics of your own projects, I believe that the design and development of a variety of inaccessible permission management systems will not be a problem.
recommended by everyone, with a picture, as shown below:
transferred from: http://www.cnblogs.com/wlb/archive/2008/12/12/1353752.html