Latest permission ideas :-)

Description: Permission hierarchy (top-down)

0 System Configuration
(The granularity of the system's own functions depends on the developer)
It is divided by the display and hiding of system menus, buttons, and other controls.

1. Role-Based Permissions
(The role identity defined in the system belongs to the subset of 0)
It is divided by the display and hiding of system menus, buttons, and other controls.

2. Role-based user-level Permissions
(It depends on the union of roles owned by users in the system. It is a union of multiple 1 roles)
It is divided by the display and hiding of system menus, buttons, and other controls.

3. Data Record-level Permissions
When the Page Control-level operation permissions are the same based on public accessible pages, the permissions of data records are different.
(Depending on the functional division during system design, it is more due to the positions and department-related issues handled by users)
The same function has different perspectives from different perspectives based on different business identities. The processing methods for different systems may be different, for example, some systems are processed separately in the form of multiple pages, while others are processed based on the different service identities of users as the corresponding page data acquisition and import parameters.
In essence, the processing method of the former can be merged using the method of the preceding 1.
For the latter, it is required to be linked to the business identity of the System user, which can be described in the following example: the data perspective and control permissions of users in different departments or positions are different. Note: permissions will no longer be linked to roles as described above. A role is essentially a system menu level owned by a user in the system and the operation permission on the visual level of page controls, it cannot be classified into records of data tables.

4. lifecycle-based Permissions
The permissions of different roles, persons, business departments, and positions can be managed by standing at a certain system function, such as a project or within a specified period of time. It is time-based and life-cycle that can automatically die out, that is, automatically cancel the corresponding permissions.
It is a combination of Multiple permissions (Block-level and data record-level permissions of functional controls) based on the preceding two types.

5 permissions required in the system: for users, the permissions are based on a set of functional controls, data records, and lifecycles.

......
Solution:

Subject object definition

System functions (including functional controls)
System User
System role
Business identity (department or position)
Lifecycle object (Project)

Link Description

1. system functions can be divided into different system roles.
2. system users can have multiple system roles
3. system users can have multiple business identities
4. system roles and business identities are not the same, but = is not exactly the same. Their definitions are different and there is no direct relationship between them.
System role: it refers to the identity entity that is owned by the System user for the menu items of software functions and specific page forms in the software system, as well as whether the controls in the form have the visible and operable rights., required for system users
Business identity: it refers to the identity descriptions related to the enterprise in the real world, which are also mandatory for enterprise users but not required for system users.
5. Relationship definition between enterprise employees and system users
Any enterprise employee who wants to use a software system must register as a system user before using the system, and the subject IDs between them are the same, that is, once you become a system user, you can think that the System user is an enterprise employee with the same logo.
6. A lifecycle object can be a project in the business.
......
Idea:
Permission filtering (filtering by level of permission or by level of disruption) is used to allocate and manage permissions.

:-)