General Rights Management Design Chapter _ Design mode

Blog Address: http://www.blogjava.net/amigoxie/

A Introduction

Because some of the system's rights management functions, although gradually improve, but always some unsatisfactory place, always want to take a moment to better think about the design of the Authority system.

Permission system has always been an indispensable part of our application system, if each application system to redesign the system's permissions to meet the needs of different system users, will waste a lot of our valuable time, so it is very meaningful to spend time to design a relatively universal permission system.

Two Design Objectives

Design a flexible, universal and convenient authority management system.

In this system, we need to control all the resources of the system, then what resources are included in the system. We can simply summarize these resources as static resources (functional operations, data columns) and dynamic resources (data), also known as Object resources and data resources, the latter is our system design and implementation of the name.

The goal of the system is to control all the object resources and data resources of the application system, such as the function menu of the application system, the buttons of each interface, the columns of the data display and the control of the permissions of various row-level data.

Three Related objects and their relationships

Probably sort out the relevant concepts of the permission system, as follows:

1. Permissions

All permissions information for the system. Permissions have a hierarchical relationship and are a tree-like structure. Let's look at an example

System Management

User Management

View User

New users

Modify User

Delete User

For each of the above permissions, there are two situations, one is accessible, the other is authorized, for example, for "View User", if the user is granted only "accessible", then he cannot assign this permission to others.

2. The user

The specific operator of the application system, the user can own the permission information, can belong to the 0~n role, can belongs to the 0~n group. His permission set is the set of permissions that he has, the permissions that each role belongs to, and the permissions that each group has. The relationship between it and the permissions, roles, and groups is N to N.

3. Role

To classify and manage many users with similar permissions, the concept of roles is defined, such as system administrators, administrators, users, visitors, and so on. A role has a hierarchical relationship that can form a tree view, and the permissions of the parent role are a combination of the permissions of itself and all of its child roles. The user of the parent role, the group of the parent role, can be pushed in the same vein.

4. Group

In order to better manage users, users are grouped into groups, referred to as users. Groups also have a hierarchical relationship and can form a tree view. In fact, we know that groups can also have their own role information, permission information. This makes me think of our QQ user group, a group can have multiple users, a user can also join multiple groups. Each group has its own permission information. For example, view a group share. QQ Group can also have their own role information, such as General group, Advanced group and so on.

For the four types of objects mentioned above, let's take a look at the relationship between them.

As you can see in the picture above, the relationship between the four is very complex, and the actual situation is more complex than this diagram, permissions, roles, groups have a superior and subordinate relationship, authority management is a more difficult problem in the application system, to design a common rights management system, the workload is really not small.

Of course, for some projects, permission issues are not so complicated. Some only need to involve the rights and users of two types of objects, only need to assign permissions to users.

In other cases, a role object, such as a role-based permission system, is introduced, where only the roles are assigned permissions, the user is subordinate to the role, and the user is not required to assign role information separately.

After we have cleared up the object relationship, let's proceed to the design of the database. When modeling a database, the relationship between N and N is generally required to include an association table to indicate the relationship between the two. Preliminary estimate, this system needs at least 10 tables, namely: Permission table, user table, Role table, Group table, User Rights association table, User Role Association table, Role Rights Association table, Group Rights Association table, Group Role Association table, User Group Association table. Of course, it may also lead to some related tables. Let's draw the tables in the PowerDesigner.

The tables and their relationships are as follows:

1. User table

2. Role table

3. Permission table

4. Group table

5. Role Permission Table

6. Group Permission Table

7. Group Role Table

8. User Rights table

9. User Role Table

10. User Group table

11. Organization Table

12. Operation Log Table

1. Introduction 1.1 Writing Purpose

This document describes the overall design, interface design, overall interface design, data structure design, system error handling design and system safety data of the universal privilege Management system. 1.2 Background

A, the software system name: Universal Authority management system;

B, Task creators, developers: Xie stars;

C, in the Java EE Web system requires the use of rights management system. 1.3 Terminology

This system: Universal Authority management system;

SSH: The English full name is secure Shell. 1.4 Prospective readers and reading suggestions

1.5 reference materials

"General permission management System Requirements Specification"

"Universal Rights Management System Database design specification" 2. Overall Design 2.1 Design objectives

Permission system has always been an indispensable part of our application system, if each application system to redesign the system's permissions to meet the needs of different system users, will waste a lot of our valuable time, so it is very meaningful to spend time to design a relatively universal permission system.

The design goal of this system is to control all the resources of the application system, such as the function menu of the application System, the button control of each interface and so on. 2.2 Operating Environment

Operating system: Windows System OS and Linux family operating system. 2.3 Network Structure

The universal Rights management system can be implemented in Java swing and can be invoked in desktop applications and Web application systems. If you need to adapt to all of your development languages, you can publish its APIs to Web service. Temporarily implemented with Java swing. 2.4 Overall design ideas and processing process

Before explaining the overall design idea, we first explain the relevant concepts of the system:

1. Rights Resources

All permissions information for the system. Permissions have a hierarchical relationship and are a tree-like structure. Let's look at an example

System Management

User Management

View User

New users

Modify User

Delete User

For each of the above permissions, there are two situations, one is accessible, the other is authorized, for example, for "View User", if the user is granted only "accessible", then he cannot assign this permission to others.

2. The user

The specific operator of the application system, the user can own the permission information, can belong to the 0~n role, can belongs to the 0~n group. His permission set is the set of permissions that he has, the permissions that each role belongs to, and the permissions that each group has. The relationship between it and the permissions, roles, and groups is N to N.

3. Role

To classify and manage many users with similar permissions, the concept of roles is defined, such as system administrators, administrators, users, visitors, and so on. A role has a hierarchical relationship that can form a tree view, and the permissions of the parent role are a combination of the permissions of itself and all of its child roles. The user of the parent role, the group of the parent role, can be pushed in the same vein.

4. Group

In order to better manage users, users are grouped into groups, referred to as users. Groups also have a hierarchical relationship and can form a tree view. In fact, we know that groups can also have their own role information, permission information. This makes me think of our QQ user group, a group can have multiple users, a user can also join multiple groups. Each group has its own permission information. For example, view a group share. QQ Group can also have their own role information, such as General group, Advanced group and so on.

For the four objects mentioned above, we can sort out the graphs between them, as follows:

The overall design idea is to divide the system into group Rights management, role Rights Management, user Rights Management, organization management and operation Log Management five parts.

Group Rights Management includes four sections that contain users, their roles, group rights resources, and group total permissions resources, and the permission information of a group can be represented by a formula: Group permissions = Permission collection of the owning role + permissions for the group itself.

Role rights management includes three parts including user, include group, and role permissions, and the calculation formula for the permissions of a role is: Role permissions = Role permissions.

User Rights management includes five parts, including roles, owning groups, user rights, user's total permissions resources, and organization management. The total permission information for a user has the following calculation formula: User Rights = Owning role Permission collection + Owning Group permission Collection + user own permissions.

Organization Management is the organization that the user belongs to manage, organize to display with the tree structure, the organization manages has the organization to increase, delete, change, check function.

The action log manages the operational log used to manage this system.

Note: Because groups and roles have a hierarchical relationship, the permissions of the subordinate groups or roles can only be selected in the permissions of their immediate superiors, and the total permissions of the subordinate groups or roles cannot be greater than the total permissions of the immediate superior. 2.5 Modular Structure Design

The function module structure of this system is as shown in the following figure:

2.6 Unresolved issues

No.      3. Interface design (tentatively) 3.1 user interface (tentatively) 3.2 external interface (tentatively) 3.3 internal Interface (tentatively) 4. Overall design of the interface

This section describes the implementation of the user interface, which is preceded by the following conventions for page elements:

4.1 Group Rights Management

When the user selects the "Modify" button, the user is ejected from the list, and the operator can modify the user included in the group by checking or canceling the check.

When the user selects the "Modify" button, the pop-up role tree structure allows the operator to modify the role that the group belongs to by checking or canceling the check.

Modify the permission information for the group by canceling the check for the permissions that you already have, or by adding a check to the permission, and then clicking the "Save" button to save the change information.

4.1.5 Group Management in the following figure, when you select group 1, right-click the list of actions that can be ejected from the group, including adding, deleting, and modifying buttons, so that you can add subgroups under that group, delete the group, and modify the functionality of the group.

4.2 Role Rights Management 4.2.1 contains users

When the user selects the "Modify" button, the user is ejected from the list, and the operator can modify the user included in the role by checking or canceling the check.

4.2.2 Include group

When the user selects the "Modify" button, the user is ejected from the list, and the operator can modify the group included in the role by checking or canceling the check.
4.2.3 Role Permissions

Modify the permission information for the role by canceling the check for the permission that you already have, or by adding a check to the permission, and clicking the "Save" button to save the change information. 4.2.4 Management Role

In the following illustration, when you select group 1, right-click the list of actions that can be ejected from the group, including adding, deleting, and modifying buttons, so you can add subgroups under that group, delete the group, and modify the functionality of the group.
4.3 User Rights Management 4.3.1 roles

When the user selects the "Modify" button, the pop-up role tree structure allows the operator to modify the role that the user belongs to by checking or canceling the check. 4.3.2 Owning Group

When the user selects the "Modify" button, the pop-up group's tree structure allows the operator to modify the group to which the user belongs by checking or canceling the selection. 4.3.3 User Rights

Modify the user's permission information by canceling the check, or by adding a check to the permission, and clicking the "Save" button to save the change information. 4.3.4 Total Permissions

Modify the user's permission information by canceling the check, or by adding a check to the permission, and clicking the "Save" button to save the change information. 4.3.5 User Management

When you select a user, click the right button, pop-up menu list: Modify, delete, Cancel, click the Modify and delete button to achieve the user's deletion and modification functions.

Select an organization, such as the "Guangzhou branch" in the following table, pop-up menu list: Add a child organization, delete the organization, modify the organization, add Users, Cancel, click the Add User button to achieve the user's add function.

4.3.6 Organization and Management

Select an organization, such as the "Guangzhou branch" in the following table, pop-up menu list: Add child organization, delete organization, modify organization, add user, Cancel, click Add Child organization, delete organization, modify organization button can realize organization add, delete and modify function.

4.4 Operation Log Management 4.4.1 query operation log

Operation Name: |________| Operation Person: |________|

Operating time from |________| To |________| Query [Reset] Delete

Number operation name Operation content operator operation time

1 xx1--Amigo 2007-10-8

2 xx2--XXYY 2007-10-8

...

After you enter the query information on the chart, click the "Query" button to query for information that meets the criteria. 4.4.2 Delete action Log

Operation Name: |________| Operation Person: |________|

Operating time from |________| To |________| Query [Reset] Delete

Number operation name Operation content operator operation time

1 xx1--Amigo 2007-10-8

2 xx2--XXYY 2007-10-8

...

After you enter the query information on the chart, click the "Query" button to query for information that meets the criteria. Then click the "Delete" button to delete the operation log that matches the query criteria. 5. Data structure Design

The model of database design See "Universal Rights Management System _ Database model. PDM". For a description of the table, see the General Rights Management System Database design specification. 5.1 Design principles 5.1.1 Naming specifications

database table, primary key, foreign key, index naming all in uniform rules, in the form of case sensitive, various objects named length not more than 30 characters, so that the application system to adapt to different database platform. Consistency and integrity of 5.1.2 data

In order to ensure the consistency and integrity of the database, it is often possible to reduce the redundancy of the data by the way of the association between tables. Inter-table Association is a mandatory measure that, when established, inserts, updates, and deletes for the parent table (parent table) and child table (children table) to occupy the overhead of the system. If the data redundancy is low, the integrity of the data is easy to be guaranteed, but it increases the operation of the connection query between tables, so it is necessary to improve the response time of the system. Using Rules and Constraints (Check) to prevent system operators from accidentally entering errors that cause data is another common tool for designers, however, unnecessary rules and constraints can also take up unnecessary overhead of the system, and it is important to note that constraints are faster than rules for validating data. All these need to be considered in the design phase according to the type and frequency of the system operation. 5.2 Database Environment Description

Database: MySql5.0

Design Library Modeling tool: PowerDesigner12.0 5.3 Database naming rules

The table name begins with a T, and the foreign key begins with a FK, and the index begins with a. 5.4 Logical Structure

The name of the PDM file is: "Universal Rights Management System _ Database Model". 5.5 Physical Storage

The database modeling tool PowerDesigner12 can export PDM as a text file and save the database script into a text file. 5.6 Data backup and Recovery

The database needs to be backed up on a regular basis (once a day), the backup file format is BACKUP_YYYYMMDD, and the database is corrupted, with the latest backup file for recovery. 6. System error Handling design 6.1 error message

Error classification

Subkeys and their encodings

Wrong name

Error code

Note

Database error

Connection

Connection Timeout

100001001

Connection disconnected

100001002

Database itself error code

Database itself error code

100002+ Database error code

TCP connection Error

Connection

Connection Timeout

101001001

Connection disconnected

101001002

Other TCP connection errors (socket self error code)

101002+ Socket Error code

Configuration information Error

Input parameter Not Configured

102001

Output parameters Not Configured

102002

Group Admin Partial Customization Error

103001--103999

Role Management Partially custom error

104001--104999

User admin Partial customization Error

105001--105999

Operation Log Management

106001--106999 6.2 Remedial measures

In order to remedy the system in a timely manner when some failure occurs, the following remedial measures are provided:

A Backup technology regularly backs up database information (once a day) and restores it to the latest database scripts when the database is corrupted for some reason. 7. System security Design 7.1 data transmission security Design

SSH can transmit data through the technology of online packet encryption; Using SSH, you can encrypt all the data that is transmitted, even if someone intercepts the data and cannot get useful information. At the same time the data compression, greatly accelerated the speed of transmission. Through the use of SSH, you can ensure that data transmission is more secure and transmission efficiency is high. 7.2 Security Design of application system

Operator information is required to provide operational records. The system's exception information needs to be recorded, and is ready for later viewing. Only authorized users can log on to the system, and for an operation, they need to have the appropriate permissions to operate. 7.3 Data Storage Security Design

Sensitive information such as the user's password is encrypted using MD5.