This document describes an object-oriented model for permission management. The model is built by analysing the elements of each access scenario and abstracting them, and it is used to control access permissions. Forgive the clumsy names, "four-dimensional permission management model" and "access control matrix" (ACM); I arrived at this design only half a year ago.
1. Access control matrix (ACM)
Description: any operation in a use case that produces value for system users is controlled in the following four dimensions:
- Operator (operator permission control): the subject of an operation. Divided into user, role, and unit.
- OperateMethod (operation method permission control): the function being performed, such as read, write, query, or delete.
- Object (operation object permission control): the object acted on by the operation, usually a business object such as a form.
- Object.Fields (permission control for the object's attribute items): the permission-sensitive attribute items of the object, such as a data item in a form or a simple control in a form.
2. Composition of Four-Dimensional Data in ACM
Operator: the subject of the operation. Control items are defined by business needs and fall into users, roles, and units; depending on the business, the operator dimension can also be ordered so that rules are submitted and executed in sequence;
Operate Method: the operation method. Depending on the object of the business operation, it may be a business-level operation or an underlying CRUD operation;
Object: the operation object. The object of the current operation can be a business object, such as a project or a form;
Object Fields: the attributes of the operation object, i.e. the data items of the object that must be bound to permission control, such as form fields and form controls.
3. Principles
The role of the ACM in permission management and access control: an ACM is a rule matrix composed of the several elements that control a given operation in the system. Consider a scenario in which an operation must have the following elements: operator, operation method, and operation object. The ACM specifies the condition each element must satisfy for the operation to be allowed. For example, the ACM entry ("Li houqiang", "modify", "User Information") means "Li houqiang can modify user information". This is a simple example; real situations are far more complex. The first difficulty is the granularity of the operation object. Consider the following access control requirement: "Li houqiang can modify the name in user information, but cannot modify the ID card number in user information". Clearly the existing three-dimensional ACM cannot express this.
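As an added example (not code from the original post), the scenario above in Python: a three-dimensional ACM that can only answer whether Li houqiang may modify user information as a whole, and a four-dimensional ACM, with the operator, operate method, object and object-field dimensions from Section 2, that distinguishes the name from the ID card number. It also shows how the same field-level rule can be held in three dimensions by treating the sensitive member as an object of its own, and the check that needs. The role "clerk", the unit "HR", the field names and the read/query rules are constructed for illustration.

```python
"""Added example of the four-dimensional ACM described above (not code from
the original post). Roles, unit, field names and extra rules are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

ANY = "*"  # wildcard field: the rule covers every member of the object

Rule3D = Tuple[str, str, str]        # (operator, operate method, object)
Rule4D = Tuple[str, str, str, str]   # (operator, operate method, object, field)


@dataclass(frozen=True)
class Operator:
    """Subject of an operation: a user plus the roles and units it belongs to.
    A rule bound to any of these names applies to the user."""
    user: str
    roles: FrozenSet[str] = frozenset()
    units: FrozenSet[str] = frozenset()

    def principals(self) -> Set[str]:
        return {self.user} | set(self.roles) | set(self.units)


class ACM3D:
    """Operator x operate method x object. A grant covers the whole object."""
    def __init__(self, rules: Iterable[Rule3D]) -> None:
        self.rules = set(rules)

    def allows(self, op: Operator, method: str, obj: str) -> bool:
        # Deny by default; allow only when a rule matches all three dimensions.
        return any(who in op.principals() and m == method and o == obj
                   for who, m, o in self.rules)


class ACM4D:
    """Adds the Object.Fields dimension: a rule can grant one member of an
    object without granting the others."""
    def __init__(self, rules: Iterable[Rule4D]) -> None:
        self.rules = set(rules)

    def allows(self, op: Operator, method: str, obj: str, fld: str) -> bool:
        return any(who in op.principals() and m == method and o == obj
                   and f in (ANY, fld)
                   for who, m, o, f in self.rules)

    def allowed_fields(self, op: Operator, method: str, obj: str,
                       fields: Iterable[str]) -> List[str]:
        """Members of obj this operator may touch; a form layer would use this
        to decide which controls to render as editable."""
        return [f for f in fields if self.allows(op, method, obj, f)]


def promote_fields(rules: Iterable[Rule4D]) -> Set[Rule3D]:
    """Treat each permission-sensitive member as an object of its own
    ("UserInformation.IDCardNumber") so a 3D matrix can hold the rule.
    A wildcard rule stays on the parent object."""
    return {(who, m, o if f == ANY else f"{o}.{f}") for who, m, o, f in rules}


def allows_member_3d(acm: ACM3D, op: Operator, method: str, obj: str,
                     fld: str) -> bool:
    """Caveat of promoting fields: a grant on the whole object must still cover
    every promoted member, so the check consults the parent object too."""
    return acm.allows(op, method, f"{obj}.{fld}") or acm.allows(op, method, obj)


# Constructed scenario from the text: Li houqiang may modify the name in user
# information but not the ID card number. Role and unit are assumptions.
li = Operator("Li houqiang", roles=frozenset({"clerk"}), units=frozenset({"HR"}))
USER_INFO = "UserInformation"
FIELDS = ["Name", "IDCardNumber", "Phone"]

rules_4d: Set[Rule4D] = {
    ("Li houqiang", "modify", USER_INFO, "Name"),   # user-level, one field
    ("clerk", "read", USER_INFO, ANY),              # role-level, whole object
    ("HR", "query", USER_INFO, ANY),                # unit-level, whole object
}
acm3 = ACM3D({("Li houqiang", "modify", USER_INFO)})  # only 3D way to allow Name
acm4 = ACM4D(rules_4d)
acm3_promoted = ACM3D(promote_fields(rules_4d))


def decision_3d() -> bool:
    """The only question a 3D ACM can ask: may Li modify user information?
    Allowing the name forces True, which also allows the ID card number."""
    return acm3.allows(li, "modify", USER_INFO)


def decisions_4d() -> Dict[str, bool]:
    return {f: acm4.allows(li, "modify", USER_INFO, f) for f in FIELDS}


def decisions_promoted() -> Dict[str, bool]:
    return {f: allows_member_3d(acm3_promoted, li, "modify", USER_INFO, f)
            for f in FIELDS}


if __name__ == "__main__":
    print("3D:", decision_3d())              # no way to single out a field
    print("4D:", decisions_4d())             # Name only
    print("promoted 3D:", decisions_promoted())
    print("readable:", acm4.allowed_fields(li, "read", USER_INFO, FIELDS))
```

Both matrices deny by default, so an operation is allowed only when a rule covers every dimension of the request; the role and unit grants show why the operator dimension has to resolve a user to all the names a rule may be bound to before matching.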
The operation object in the ACM is an object because it has two features: data encapsulation, and the fact that the object itself is an abstraction of a real-world entity. Encapsulation simplifies data processing; abstraction gives objects a uniform form and keeps the number of methods manageable. However, when the business requires permissions to be controlled at the level of an object's members, that encapsulation and abstraction hide the permission sensitivity of the individual members. There are two solutions:
Method 1: abstract the permission-sensitive members of an object into objects of their own in the ACM.
Operator | Operate Method | Object