The general rbac operations are clearly understood. However, when I create a department model, there are multiple departments in my business. There are multiple groups under the department, and there are many operations under the department and the group. How to separate these permissions? There is only one of these operations, but the IDs of different departments or groups are used to distinguish between common rbac operations. However, when I create a department model, there are multiple departments in my business. There are multiple groups under the department, and there are many operations under the department and the group. How to separate these permissions?
There is only one such operation, but the IDs of departments or groups are used to differentiate different departments. In this way, how do I grant permissions by id in rbac?
Reply content:
The general rbac operations are clearly understood. However, when I create a department model, there are multiple departments in my business. There are multiple groups under the department, and there are many operations under the department and the group. How to separate these permissions?
There is only one such operation, but the IDs of departments or groups are used to differentiate different departments. In this way, how do I grant permissions by id in rbac?
RBAC is based on "Roles". All authorization objects are "Roles", rather than other departments or other IDs. The personnel in these departments and groups are organized as "Roles 」, or create a department/group and role correspondence, and then authorize.
Assume thatDepartment Manager
Such a role
In Department,Department Manager
Operate the transactions of department
In Department B,Department Manager
Operate the transactions of department B
If we follow the general practice, we will designDepartment A manager
AndDepartment B Manager
Only two roles can be distinguished. Therefore, I think there is still a problem of Operation granularity.
In the RBAC model,Permission
The general understanding is:Resource : Operation : Instance
But I think it can be correctedResource : Operation : Domain
The Domain here refers to the Domain that is used. It can be an Organization (Department), a certain scope (Mine, Others), or an Instance ), each Domain is a dimension, and the authentication permission must be verifiedResource : Operation
The string needs to be verified separately in various dimensions. It seems that there is no framework to do this.