Knowledge of Rights Management principles

Source: Internet
Author: User
1 Principles of Rights Management

1.1 What is privilege management

Any system that has users generally needs rights management: access control decides, according to security rules or a security policy, which users may access the system, and restricts each user to the resources they have been authorized for.

Rights management consists of two parts: user authentication and user authorization.

1.2 User authentication

1.2.1 Concept

User authentication: when a user accesses the system, the system verifies that the user's identity is legitimate. The most common authentication methods are: 1. user name and password; 2. fingerprint reader or card reader; 3. certificate-based verification. Only after the system has verified that the user's identity is legitimate may the user access system resources.

1.2.2 User authentication process


1.2.3 Key Objects

Subject: the party that accesses the system, usually understood as the user, but it may also be a program. Any subject that wants to access system resources must first be authenticated by the system.

Principal: identity information, normally unique. One subject may have several principals, but it always has one primary identity (primary principal).

Credential: proof of identity, such as a password, a certificate or a fingerprint.

Summary: when authenticating, the subject must provide both identity information (principal) and credential information.
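The principal and credential check described above, as an added example that is not code from the original article. It keeps only a salted PBKDF2 hash of the password credential per account and compares in constant time; the class and method names (AuthDemo, Account, authenticate) and the sample account are constructed for illustration. It needs Java 16 or later for the record type.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not from the original article): the principal + credential
// check of section 1.2. AuthDemo, Account and authenticate() are assumed names.
public class AuthDemo {

    // What the system persists per account: the primary principal (user name),
    // a per-account random salt and the PBKDF2 hash of the password credential.
    // The clear-text password is never stored.
    record Account(String principal, byte[] salt, byte[] hash) {}

    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    private final Map<String, Account> accounts = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    void register(String principal, char[] password) {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        accounts.put(principal, new Account(principal, salt, pbkdf2(password, salt)));
    }

    // Returns true only if the principal exists and the credential matches.
    // MessageDigest.isEqual compares the two hashes in constant time.
    boolean authenticate(String principal, char[] password) {
        Account acct = accounts.get(principal);
        if (acct == null) {
            // Still pay for a hash so the response time does not reveal
            // whether the user name exists.
            pbkdf2(password, new byte[16]);
            return false;
        }
        return MessageDigest.isEqual(acct.hash(), pbkdf2(password, acct.salt()));
    }

    public static void main(String[] args) {
        AuthDemo auth = new AuthDemo();
        // Constructed sample account.
        auth.register("zhangsan", "correct horse".toCharArray());
        System.out.println(auth.authenticate("zhangsan", "correct horse".toCharArray()));
        System.out.println(auth.authenticate("zhangsan", "wrong".toCharArray()));
        System.out.println(auth.authenticate("nobody", "correct horse".toCharArray()));
    }
}
```

Run it with `java AuthDemo.java`. Only the first check succeeds; the unknown-principal case still runs the key derivation so that a failed login costs the same whether or not the user name exists.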


1.3 User authorization

1.3.1 Concept

User authorization, in simple terms, is access control: after a user has been authenticated, the system controls which resources that user may access, and the user may access only the resources for which they hold permission.

1.3.2 Authorization Process


1.3.3 Key Objects

The authorization process can be summarized as: who does how to what (which).

Who: the subject. After passing authentication, the subject is governed by the system's access control.

What (which): the resource. A subject must hold permission on a resource before it may access it. Examples of resources: the system's user list page, the product modification menu, the merchandise information for product ID 001.

Resources are divided into resource types and resource instances:

The system's user information is a resource type, equivalent to a Java class.

The user with ID 001 in the system is a resource instance, equivalent to a Java object created with new.

How: permissions (also called licenses). A permission is the right to perform an operation on a resource; a subject may access a resource only if it holds the corresponding permission, so the ways a resource may be accessed or operated on must be defined as permissions. Examples: user add, user modify, product delete.

1.3.4 Permission model

Subject (account number, password)

Resources (Resource name, access address)

Permissions (permission name, resource ID)

Role (role name)

Role and permission relationship (role ID, permission ID)

Principal and role relationships (principal ID, role ID)

The following figure:



In enterprise development, the resource and permission tables are usually merged into a single permission table, as follows:

Resources (Resource name, access address)

Permissions (permission name, resource ID)

are merged into:

Permissions (permission name, resource name, resource access address)

The figure above is often called the universal model of rights management. In enterprise development it is adapted to the characteristics of the particular system, but the user, role, permission, user-role relationship and role-permission relationship must be understood.

1.4.1 Assigning permissions

A user must be assigned the appropriate permissions before they can access the corresponding resources. A permission is the license to perform an operation on a resource.

Assigning permissions to a user normally requires persisting the permission information, for example in a relational database.

The user information, the rights-management data and the permissions assigned to each user are written to the database (the permission data model).

1.4.2 Privilege control (the core of authorization)

1.4.2.1 Role-based access control

RBAC (role-based access control).

For example:

System roles include department manager and general manager. (Roles are defined for users.)

Implemented in system code:

If the user is a department manager, the code inside the if block may run:

    if (user.hasRole("department manager")) {
        // system resource content: user report view
    }

Problem:

Roles are defined for people, and people (the system's users) change constantly. If the set of roles allowed to access a resource changes, the code has to be modified. For example, if both the department manager and the general manager are to have the user report view, the code becomes:

    if (user.hasRole("department manager") || user.hasRole("general manager")) {
        // system resource content: user report view
    }

Role-based access control is therefore not conducive to system maintenance (it does not scale well).

1.4.2.2 Resource-based access control

RBAC (resource-based access control).

Resources are invariant in the system; examples of resources: methods in a class, buttons on a page.

Accessing a resource requires the corresponding permission, and the code can be written as:

    if (user.hasPermission("user report view")) { // the argument is the permission identifier
        // system resource content: user report view
    }

With this approach, a change in users' roles no longer requires modifying the permission-control code above.

If permissions need to change, that is done in the permission-assignment module alone, by adding or removing permissions for the department manager or the general manager.
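The permission model of section 1.3.4 and the contrast between role-based and resource-based checks in section 1.4.2, as an added example that is not code from the article. It keeps the user-role and role-permission relationship tables in memory, with the resource and permission tables merged into one permission table as the article suggests; the class and method names (PermissionModel, grant, hasPermission) and the sample users, roles and permission names are constructed. It needs Java 16 or later for the record type.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Added example (not code from the article): the merged permission table plus
// the role-permission and user-role relationship tables of section 1.3.4, and
// the two kinds of check from section 1.4.2. All names are assumed.
public class PermissionModel {

    // Merged permission table: permission name, resource name, resource access address.
    record Permission(String name, String resourceName, String url) {}

    private final Map<String, Permission> permissions = new HashMap<>();     // keyed by permission name
    private final Map<String, Set<String>> rolePermissions = new HashMap<>(); // role ID -> permission names
    private final Map<String, Set<String>> userRoles = new HashMap<>();       // principal ID -> role IDs

    void definePermission(String name, String resourceName, String url) {
        permissions.put(name, new Permission(name, resourceName, url));
    }

    // Role-permission relationship table. Changing a row here is the
    // "permission-assignment module" step; it needs no code change.
    void grant(String role, String permissionName) {
        if (!permissions.containsKey(permissionName)) {
            throw new IllegalArgumentException("unknown permission: " + permissionName);
        }
        rolePermissions.computeIfAbsent(role, k -> new HashSet<>()).add(permissionName);
    }

    void revoke(String role, String permissionName) {
        Set<String> perms = rolePermissions.get(role);
        if (perms != null) perms.remove(permissionName);
    }

    // User-role relationship table.
    void assignRole(String user, String role) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    boolean hasRole(String user, String role) {
        return userRoles.getOrDefault(user, Set.of()).contains(role);
    }

    // Resource-based check: walk the user's roles and collect their permissions.
    Set<String> permissionsOf(String user) {
        Set<String> result = new LinkedHashSet<>();
        for (String role : userRoles.getOrDefault(user, Set.of())) {
            result.addAll(rolePermissions.getOrDefault(role, Set.of()));
        }
        return result;
    }

    boolean hasPermission(String user, String permissionName) {
        return permissionsOf(user).contains(permissionName);
    }

    public static void main(String[] args) {
        PermissionModel model = new PermissionModel();
        // Constructed sample data.
        model.definePermission("user:report:view", "user report", "/user/report");
        model.grant("department manager", "user:report:view");
        model.assignRole("zhangsan", "department manager");
        model.assignRole("lisi", "general manager");

        // Role-based control (1.4.2.1): the role names are hard-coded, so
        // admitting general managers meant editing this very line.
        boolean roleBased = model.hasRole("lisi", "department manager")
                || model.hasRole("lisi", "general manager");
        System.out.println("role-based check for lisi: " + roleBased);

        // Resource-based control (1.4.2.2): the code names only the permission.
        System.out.println("lisi before grant: " + model.hasPermission("lisi", "user:report:view"));
        // A data change in the role-permission table is enough; the checking
        // line below is identical to the one above.
        model.grant("general manager", "user:report:view");
        System.out.println("lisi after grant:  " + model.hasPermission("lisi", "user:report:view"));
    }
}
```

Run it with `java PermissionModel.java`. The point the article makes shows up in the output: the permission check for lisi flips from false to true purely through a change to the role-permission data, while the role-based check could only be widened by editing the condition itself.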

It is recommended to implement rights management with resource-based access control.

2 Rights Management solutions

2.1 What are coarse-grained and fine-grained permissions

Coarse-grained rights management is rights management at the level of resource types. Resource types include: menus, URL links, the user add page, user information, class methods, page buttons.

Example of coarse-grained rights management: the super administrator can access the user add page, user information and all other pages.

The department administrator can access the user information page, including all the buttons on that page.

Fine-grained rights management is rights management at the level of resource instances. A resource instance is a specific instance of a resource type, such as: the modification link for user ID 001, the user information of class 1110, the staff of the administration department.

Fine-grained rights management is data-level rights management.

Examples of fine-grained rights management: a department manager can access only the employee information of their own department; a user can see only their own menu; a regional manager can view only the sales orders in their own region.

Coarse-grained and fine-grained examples:

The system has a user list query page with a corresponding user list query permission. Under coarse-grained management, if John and Dick both hold the user list query permission, both can access the user list query.

Under fine-grained management, John (administration department) and Dick (development department) can each query only the user information of their own department: John can view only the administration department's users and Dick only the development department's. Fine-grained rights management is data-level rights management.

2.2 How to implement coarse-grained and fine-grained permission management

How to implement coarse-grained permission management.

Coarse-grained permission management is easy to extract into rights-management code that is handled uniformly at the system architecture level, for example authorization implemented through Spring MVC interceptors.

How to implement fine-grained rights management.

Fine-grained, data-level permission management has little in common from one case to the next; it is part of the system's business logic. Handling it in the business layer is relatively simple, whereas extracting it to be handled uniformly at the architecture level is difficult, and even where a common component can be extracted it tends not to scale well.

It is recommended that fine-grained rights management be controlled at the business layer.

For example, to let a department manager query only their own department's employee information: the service interface takes a department ID parameter; the controller determines from the current user's information which department that user belongs to and passes that department ID when calling the service, so the user is shown only the employees of that department.
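The department-manager case just described, as an added example that is not code from the article. The data-level rule lives in the business layer: the service takes a department ID, and the controller supplies the authenticated user's own department rather than anything from the request. CurrentUser, EmployeeService, EmployeeController and the sample employees are constructed for illustration; it needs Java 16 or later for the record types.

```java
import java.util.List;
import java.util.stream.Collectors;

// Added example (not from the article): fine-grained control at the business
// layer, section 2.2. All class names and data below are constructed.
public class FineGrainedDemo {

    record Employee(String id, String name, String departmentId) {}

    // What the framework knows about the authenticated subject.
    record CurrentUser(String principal, String departmentId) {}

    static class EmployeeService {
        // Constructed sample rows standing in for an employee table.
        private final List<Employee> employees = List.of(
                new Employee("001", "Zhang San", "admin"),
                new Employee("002", "Li Si", "dev"),
                new Employee("003", "Wang Wu", "dev"));

        // The service interface takes the department ID as a parameter and
        // returns only that department's rows.
        List<Employee> findByDepartment(String departmentId) {
            return employees.stream()
                    .filter(e -> e.departmentId().equals(departmentId))
                    .collect(Collectors.toList());
        }
    }

    static class EmployeeController {
        private final EmployeeService service = new EmployeeService();

        // Fine-grained rule: the department ID passed to the service comes from
        // the authenticated user's own record. Any "departmentId" the client
        // sends in the request is simply not consulted.
        List<Employee> listMyDepartment(CurrentUser user) {
            return service.findByDepartment(user.departmentId());
        }

        // The weak variant, for contrast: trusting a department ID taken from
        // the request lets any authenticated user read every department.
        List<Employee> listRequestedDepartmentUnsafe(String requestedDepartmentId) {
            return service.findByDepartment(requestedDepartmentId);
        }
    }

    public static void main(String[] args) {
        EmployeeController controller = new EmployeeController();
        CurrentUser devManager = new CurrentUser("lisi", "dev");

        // Only 002 and 003, whatever the client asked for.
        System.out.println("business-layer rule: " + controller.listMyDepartment(devManager));
        // The same dev-department user sees the admin staff when the
        // department comes from the request instead.
        System.out.println("request-driven:      " + controller.listRequestedDepartmentUnsafe("admin"));
    }
}
```

Run it with `java FineGrainedDemo.java`. A coarse-grained URL interceptor cannot express this rule, because both calls hit the same "employee list" resource type; only the business layer knows which rows belong to which caller.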

2.3 Implementation based on URL interception

URL interception is one of the more commonly used methods in actual development.

For web systems, URL interception can be implemented with a servlet Filter; Spring MVC interceptors also intercept requests based on URL.
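The URL-interception approach, as an added example that is not code from the article. It is written as a framework-independent decision routine that a servlet Filter or a Spring MVC HandlerInterceptor would delegate to, so it runs without a servlet container; UrlInterceptor, Decision, the "anon" marker for public URLs and the URL-to-permission table are constructed for illustration. It needs Java 16 or later for the record type.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example (not from the article): coarse-grained authorization by URL,
// section 2.3. Names and the rule table are assumptions for illustration.
public class UrlInterceptor {

    enum Decision { ALLOW, REDIRECT_TO_LOGIN, FORBIDDEN }

    // The subject as the interceptor sees it: null for an anonymous request,
    // otherwise its principal and the coarse-grained permissions it holds.
    record Subject(String principal, Set<String> permissions) {}

    // URL prefix -> required permission, in declaration order. The first
    // matching prefix wins, so more specific prefixes must be listed first.
    // "anon" marks public URLs (a convention constructed for this example).
    private final Map<String, String> rules = new LinkedHashMap<>();

    UrlInterceptor() {
        rules.put("/login", "anon");
        rules.put("/static/", "anon");
        rules.put("/user/report", "user:report:view");
        rules.put("/user/", "user:view");
        rules.put("/product/", "product:view");
    }

    // url is expected to be the normalized servlet path (no query string,
    // "." and ".." segments already resolved by the container).
    Decision check(Subject subject, String url) {
        String required = null;
        for (Map.Entry<String, String> rule : rules.entrySet()) {
            if (url.startsWith(rule.getKey())) {
                required = rule.getValue();
                break;
            }
        }
        if ("anon".equals(required)) return Decision.ALLOW;
        if (subject == null) return Decision.REDIRECT_TO_LOGIN;
        // A URL with no rule is denied rather than allowed: a missing entry
        // in the table is a configuration gap, not an open door.
        if (required == null || !subject.permissions().contains(required)) return Decision.FORBIDDEN;
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        UrlInterceptor interceptor = new UrlInterceptor();
        // Constructed sample subjects.
        Subject manager = new Subject("zhangsan", Set.of("user:view", "user:report:view"));
        Subject clerk = new Subject("lisi", Set.of("product:view"));

        System.out.println("anon  /login         -> " + interceptor.check(null, "/login"));
        System.out.println("anon  /user/list     -> " + interceptor.check(null, "/user/list"));
        System.out.println("mgr   /user/report   -> " + interceptor.check(manager, "/user/report"));
        System.out.println("clerk /user/report   -> " + interceptor.check(clerk, "/user/report"));
        System.out.println("clerk /product/list  -> " + interceptor.check(clerk, "/product/list"));
        System.out.println("clerk /unmapped/path -> " + interceptor.check(clerk, "/unmapped/path"));
    }
}
```

Run it with `java UrlInterceptor.java`. Two details matter when wiring this into a real Filter or interceptor: match on the normalized servlet path rather than the raw request URI, so that encoded or ".." segments cannot slip past a prefix rule, and keep the default for unmapped URLs as deny, so that adding a new controller without a rule fails closed.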

2.4 Implementation using a rights management framework

For coarse-grained rights management it is recommended to use a good rights management framework, which saves development cost and improves development efficiency.

Shiro is a good rights management framework.

