1.1 What are coarse-grained and fine-grained permissions
Coarse-grained permission management controls access at the level of resource types. Resource types include menus, URLs, the add-user page, user information, class methods, page buttons, and so on.
Examples of coarse-grained permission management: the super administrator can access the add-user page, the user-information page and other pages.
The department administrator can access the user-information page, including all of the buttons on that page.
Fine-grained permission management controls access at the level of resource instances. A resource instance is one specific item of a resource type, such as the edit link for the user with ID 001, the user record for class 1110, or an employee of the administration department.
Fine-grained permission management is data-level permission management.
Examples of fine-grained permission management: a department manager can only access the staff information of their own department, a user can only see their own menu, a regional manager can only view the sales orders within their own region.
Examples of coarse-grained and fine-grained control:
The system has a user-list query page, and a "query user list" permission is defined for it. Under coarse-grained management, if Zhang San and John Doe both hold the "query user list" permission, both of them can open the user-list query page and see the same result.
Under fine-grained management, Zhang San (administration department) and John Doe (development department) can only query the user information of their own department: Zhang San sees only the users of the administration department, and John Doe sees only the users of the development department. The page-level permission is the same for both; what differs is which rows of data each is allowed to see.
1.2 How to implement coarse-grained and fine-grained permission management
How is coarse-grained permission management implemented?
Coarse-grained permission management is relatively easy to factor out of the business code and handle at the system-architecture level, for example by performing authorization in a Spring MVC interceptor.
How is fine-grained permission management implemented?
It is not common to extract fine-grained, data-level permission management at the architecture level, because it is part of the system's business logic. Handling it in the business layer is relatively simple; extracting it into a unified architecture-level component is difficult, and even where it can be extracted the result is usually not very extensible.
It is therefore recommended that fine-grained permission management be controlled in the business layer.
For example, to enforce "a department manager can only query the staff of their own department": the service interface takes a department ID parameter; the controller determines which department the current user belongs to from the authenticated user's information, and passes that department ID into the service call, so the user can only ever query the staff of their own department.
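The pattern just described, as an added Java example that is not code from the original page. The classes CurrentUser, Employee, EmployeeService and EmployeeController are hypothetical names chosen for illustration, and the employee table is constructed sample data. The point the code makes explicit is that the department ID must be derived from the authenticated identity, never read from the request, otherwise the data-level restriction can be bypassed by editing a parameter.

```java
import java.util.List;
import java.util.stream.Collectors;

// Added example, not from the original page: fine-grained (data-level)
// control implemented in the business layer, as section 1.2 recommends.
public class DepartmentScopedQuery {

    // Identity established by authentication (e.g. stored in the HTTP session).
    // Hypothetical class.
    record CurrentUser(String userId, String departmentId) {}

    // Hypothetical domain object.
    record Employee(String employeeId, String name, String departmentId) {}

    // Constructed sample data standing in for an employee table.
    static final List<Employee> EMPLOYEES = List.of(
        new Employee("001", "Zhang San", "ADMIN"),
        new Employee("002", "Wang Wu", "ADMIN"),
        new Employee("003", "John Doe", "DEV"));

    // Service layer: the department ID is a mandatory parameter, so every
    // query is scoped by construction. There is deliberately no unscoped
    // "find all employees" method for ordinary callers to reach.
    static class EmployeeService {
        List<Employee> findByDepartment(String departmentId) {
            return EMPLOYEES.stream()
                .filter(e -> e.departmentId().equals(departmentId))
                .collect(Collectors.toList());
        }
    }

    // Controller layer: the department ID comes from the authenticated user.
    // If it were taken from the request instead (e.g. ?deptId=DEV), any
    // manager could read any department's staff simply by changing the value.
    static class EmployeeController {
        private final EmployeeService service = new EmployeeService();

        List<Employee> listMyDepartment(CurrentUser user) {
            return service.findByDepartment(user.departmentId());
        }
    }

    public static void main(String[] args) {
        EmployeeController controller = new EmployeeController();
        CurrentUser zhangSan = new CurrentUser("u001", "ADMIN");
        CurrentUser johnDoe = new CurrentUser("u002", "DEV");
        System.out.println("Zhang San sees: " + controller.listMyDepartment(zhangSan));
        System.out.println("John Doe sees:  " + controller.listMyDepartment(johnDoe));
    }
}
```

The same shape applies to the other examples in section 1.1 (a user's own menu, a regional manager's orders): the scoping key is always a property of the authenticated subject that the business layer applies to the query, and the page-level "may open this screen" check stays with the coarse-grained layer.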
1.3 Implementation based on URL interception
URL interception is a common way to implement coarse-grained permission management in real projects.
For web systems, URL interception can be implemented with a servlet Filter, or with a Spring MVC interceptor (HandlerInterceptor) that checks the requested URL before the handler runs.
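An added example of URL interception with a Spring MVC HandlerInterceptor. This is illustrative code written for this page, not code from the original article; it assumes Spring 5 with the javax.servlet API, and the session attribute name "activeUser" and the ActiveUser class are hypothetical. The interceptor denies by default: only explicitly anonymous URLs pass without a login, and every other URL must appear in the set of URLs the logged-in user's roles grant.

```java
import java.io.IOException;
import java.util.List;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;

// Added example, not from the original page: coarse-grained authorization
// by URL interception. Assumes Spring 5 / javax.servlet.
public class UrlPermissionInterceptor implements HandlerInterceptor {

    // Identity plus the URLs this user's roles grant, loaded once at login.
    // Hypothetical class.
    public static class ActiveUser {
        final String userId;
        final Set<String> permittedUrls;

        public ActiveUser(String userId, Set<String> permittedUrls) {
            this.userId = userId;
            this.permittedUrls = permittedUrls;
        }
    }

    // URLs reachable without authentication. Keep this list narrow; everything
    // not listed here requires a logged-in user with a matching permission.
    private static final List<String> ANONYMOUS_URLS = List.of("/login", "/logout", "/static/");

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws IOException {
        String url = normalize(request.getRequestURI(), request.getContextPath());

        if (isAnonymousUrl(url)) {
            return true;
        }

        HttpSession session = request.getSession(false);
        ActiveUser user = session == null ? null : (ActiveUser) session.getAttribute("activeUser");
        if (user == null) {
            // Not authenticated: send to the login page, do not run the handler.
            response.sendRedirect(request.getContextPath() + "/login");
            return false;
        }

        if (!isPermitted(user, url)) {
            // Authenticated but not authorized for this URL.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        return true;
    }

    // Strip the context path, any ";jsessionid=..." path parameter and a
    // trailing slash so that the comparison is against one canonical form.
    static String normalize(String uri, String contextPath) {
        String path = uri.startsWith(contextPath) ? uri.substring(contextPath.length()) : uri;
        int semi = path.indexOf(';');
        if (semi >= 0) {
            path = path.substring(0, semi);
        }
        if (path.length() > 1 && path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        return path;
    }

    static boolean isAnonymousUrl(String url) {
        for (String anon : ANONYMOUS_URLS) {
            if (anon.endsWith("/") ? url.startsWith(anon) : url.equals(anon)) {
                return true;
            }
        }
        return false;
    }

    // Exact match against an allow-list: a URL the user was not explicitly
    // granted is denied, which is the safe failure mode.
    static boolean isPermitted(ActiveUser user, String url) {
        return user.permittedUrls.contains(url);
    }
}
```

Register the interceptor for every request, for example with addPathPatterns("/**") in a WebMvcConfigurer's addInterceptors method, or in a <mvc:interceptors> XML block. Two caveats a reviewer would raise: getRequestURI() returns the undecoded path, so if handlers are mapped on the decoded path, either compare the decoded path as well or, as here, rely on exact allow-list matching so that an unusual encoding can only deny, never grant; and prefix-matched anonymous entries such as "/static/" should be as specific as possible, since anything under them bypasses the permission check entirely.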
1.4 Implementation using a permission management framework
For coarse-grained permission management it is recommended to use a mature permission management framework rather than writing the interception and permission checks by hand, which saves development cost and improves development efficiency.
Apache Shiro is one such framework.
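As an added example of what section 1.4 recommends, the following stand-alone program uses Apache Shiro's real API (SecurityUtils, DefaultSecurityManager, IniRealm, Subject) to perform coarse-grained checks. It is not code from the original page; the user names, passwords, roles and the permission strings "user:query" and "user:add" are constructed for illustration. It requires shiro-core on the classpath.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

// Added example, not from the original page: coarse-grained permission
// checks with Apache Shiro. Users, roles and permissions are constructed
// sample data held in an INI-backed realm.
public class ShiroCoarseGrainedDemo {

    // [users] lines are "username = password, role...";
    // [roles] lines are "role = permission, permission...".
    static final String INI_CONFIG =
        "[users]\n"
      + "zhangsan = secret1, deptAdmin\n"
      + "johndoe  = secret2, developer\n"
      + "[roles]\n"
      + "deptAdmin = user:query, user:add\n"
      + "developer = user:query\n";

    static void configureShiro() {
        Ini ini = new Ini();
        ini.load(INI_CONFIG);
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new IniRealm(ini));
        SecurityUtils.setSecurityManager(securityManager);
    }

    // Coarse-grained check: may this subject use the "user:add" resource at all?
    // Returns true if the permission is held, false if Shiro refuses it.
    static boolean canAddUsers(Subject subject) {
        try {
            subject.checkPermission("user:add");
            return true;
        } catch (AuthorizationException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        configureShiro();
        Subject subject = SecurityUtils.getSubject();

        subject.login(new UsernamePasswordToken("johndoe", "secret2"));
        System.out.println("johndoe user:query -> " + subject.isPermitted("user:query"));
        System.out.println("johndoe user:add   -> " + canAddUsers(subject));
        subject.logout();

        subject.login(new UsernamePasswordToken("zhangsan", "secret1"));
        System.out.println("zhangsan user:add  -> " + canAddUsers(subject));
        subject.logout();
    }
}
```

In a web application the same permission strings are enforced without hand-written interceptors: Shiro's ShiroFilter applies rules from a [urls] section such as "/user/add = authc, perms[user:add]", and service or controller methods can be annotated with @RequiresPermissions("user:add"). Shiro's wildcard permissions can also name a single instance (for example "user:edit:001"), but that still means listing each permitted instance per user; for the data-level scoping described in section 1.2 the page's recommendation of filtering in the business layer remains the practical approach.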
Coarse-grained and fine-grained permission control