Permission control for the big talk System

Source: Internet
Author: User

In software development, it is very important to add permission control to the software so that different users have different permissions. As you know, current applications generally expose their functions through menus. The general practice is to give each logged-in user access to a different set of functional menus and thereby achieve functional permission control. The problem is that this method is powerless in current application software: to improve ease of operation, the same function may have several access methods, such as a toolbar and a right-click menu. Similarly, to keep the application easy to use, the same function may be called from different places in the software rather than from a single place.

Build a robust permission management system to ensure the security of the management information system. The permission management system is one of the most reusable code modules in a management information system. Any multi-user system inevitably involves the same permission requirements, and all of them need to provide security services such as entity authentication, data confidentiality, data integrity, non-repudiation and access control (according to ISO 7498-2).

The permission system is the cornerstone of a complete project. Permission control can be divided into two parts: functional permission control and data permission control. As an introduction to permission control, what is RBAC? The RBAC model is currently the most widely accepted permission model. The following describes the basics of RBAC.

RBAC Model
Access control is a defense against unauthorized resource usage. Its basic goal is to restrict the access permissions of access subjects (users, processes, services, etc.) to access objects (files, systems, etc.) so that the computer system is used within the legal scope; it determines what a user can do and what a program acting on behalf of a user can do [1].
There are three access control policies in the enterprise environment: discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). Discretionary control is too weak and mandatory control is too strong, and both carry a large workload and are not easy to manage [1]. Role-based access control is an effective solution for centralized resource access control in large enterprises. It has two notable features: 1. it reduces the complexity and overhead of authorization management; 2. it flexibly supports enterprise security policies and scales well with enterprise changes.

The NIST (National Institute of Standards and Technology) standard RBAC model consists of 4 component models: the basic model RBAC0 (Core RBAC), the role hierarchy model RBAC1 (Hierarchical RBAC), the role constraint model RBAC2 (Constraint RBAC), and the unified model RBAC3 (Combines RBAC) [1]. RBAC0 model 1.

Implementation of permission control in a specific project:

In our projects, we generally work with the following concepts: role, user, department, organization, company, and the functions a role can operate, as shown in the figure, where the * symbol marks a relationship with multiple objects. The relationships between the objects are as follows:

Departments/organizations and users are many-to-many, roles and departments are many-to-many, roles and users are many-to-many, and roles and functions are many-to-many; each department and organization belongs to only one company.

Permission assignment follows RBAC (Role-Based Access Control). A user or department/organization must belong to a specified role in order to have the specified permissions.

In the figure, a function refers to an entry in the function tree list and serves as a control identifier. It is like a key: whoever is granted the key has the permission. This key can be attached to different objects, for example buttons, menus, pages and links. Generally, if a user does not have permission for an entire page, the error prompt page is returned. If the user has no permission for a button, the button may be hidden or disabled, and the same applies to menus and links.

Function management refers to managing the function identifiers. Generally, they form a tree based on the business: it can start from a business category and end with a specific fine-grained function, such as a button or link.
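
The relationships above can be modelled as follows. This is an added example, not code from the original article: a framework-neutral Python sketch in which the names (Rbac, invoke), the sample users, roles and control IDs, and the rule that a user inherits the roles of each department they belong to are all assumptions made for illustration. It also shows the point from the introduction: the toolbar, the right-click menu and the main menu all pass through one check on the function's control ID.

```python
# Added illustration; all names and sample data are constructed.
from dataclasses import dataclass, field

@dataclass
class Rbac:
    user_roles: dict = field(default_factory=dict)   # user -> {role}
    user_depts: dict = field(default_factory=dict)   # user -> {department}
    dept_roles: dict = field(default_factory=dict)   # department -> {role}
    role_funcs: dict = field(default_factory=dict)   # role -> {function control ID}

    def roles_of(self, user):
        """Roles held directly plus roles of every department of the user."""
        roles = set(self.user_roles.get(user, ()))
        for dept in self.user_depts.get(user, ()):
            roles |= self.dept_roles.get(dept, set())
        return roles

    def functions_of(self, user):
        """Effective function list: the union over all of the user's roles."""
        funcs = set()
        for role in self.roles_of(user):
            funcs |= self.role_funcs.get(role, set())
        return frozenset(funcs)

def invoke(function_id, granted, entry_point):
    """Single authorization gate, called by every entry point."""
    if function_id not in granted:        # default deny
        raise PermissionError(f"{entry_point}: {function_id} not granted")
    return f"{function_id} executed via {entry_point}"

RBAC = Rbac(
    user_roles={"alice": {"order_clerk"}},
    user_depts={"alice": {"sales"}, "bob": {"sales"}},
    dept_roles={"sales": {"report_viewer"}},
    role_funcs={"order_clerk": {"order.create", "order.cancel"},
                "report_viewer": {"report.sales.view"}},
)
```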

How can we use the above control functions in the project?

 

Page Object Access
The figure shows the page object inheritance relationship.

The actual business pages (shown in light blue) inherit from the Basepage base page, which provides the basic permission authentication function. In the Oninit function you can specify the page control identifier to control access to the page, as shown below:

When the user logs in and passes verification, the system retrieves the function list of the roles corresponding to the user and puts it into the session. Each specific business page (or button, menu, link, etc.) then only needs to determine whether the user has the function control ID. If so, the user is considered to have this function; otherwise the corresponding handling is performed, such as redirecting to the specified error page (which Basepage handles by default), or the program decides to hide some functions or data columns.
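
A minimal version of the base-page check described above, as an added example rather than the article's own code. The class names, control IDs, redirect paths and session layout are constructed for illustration; the action handler repeats the check because a hidden button is only a display decision.

```python
# Added illustration; class names, IDs and the session layout are constructed.
ERROR_PAGE = "/error/no-permission"

class BasePage:
    control_id = None            # each business page sets its own identifier

    def __init__(self, session):
        self.session = session

    def has_function(self, function_id):
        # The function list was stored in the session at login.
        return function_id in self.session.get("functions", frozenset())

    def on_init(self):
        """Return a redirect target, or None when access is allowed."""
        if "user" not in self.session:
            return "/login"
        # A page that declares no control_id is refused: default deny.
        if self.control_id is None or not self.has_function(self.control_id):
            return ERROR_PAGE
        return None

class OrderPage(BasePage):
    control_id = "order.page"

    def render(self):
        redirect = self.on_init()
        if redirect:
            return {"redirect": redirect}
        # Hide buttons the user has no function for (display only).
        return {"buttons": [b for b in ("order.create", "order.cancel")
                            if self.has_function(b)]}

    def cancel_order(self, order_no):
        # Hiding is not enforcement: re-check inside the handler itself.
        if self.on_init() or not self.has_function("order.cancel"):
            raise PermissionError("order.cancel not granted")
        return f"order {order_no} cancelled"
```

Because the function list is cached in the session, a change to a user's roles takes effect only when the session is rebuilt, so revocation needs a forced re-login or a refresh of the cached list.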

 

Menu Control

In addition, a menu is a very important resource in a project and needs to be displayed dynamically based on the user's permissions. Displaying the menu is a recursive process. If the user has no permission for the parent menu, it is not displayed; if the user has permission, the parent menu is displayed and its sub-menus are traversed. Each sub-menu is displayed if the user has permission for it and is not displayed otherwise.
Each menu has a permission control identifier, which is used to determine whether a user has permission for it.
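
The recursive menu display described above, as an added example that is not part of the original article. The MenuItem type, the sample menu tree and the control IDs are constructed for illustration; note that a sub-menu under a denied parent is never shown, even if its own identifier is granted.

```python
# Added illustration; the menu tree and control IDs are constructed.
from dataclasses import dataclass, field

@dataclass
class MenuItem:
    title: str
    control_id: str
    children: list = field(default_factory=list)

def visible_menu(items, granted):
    """Return a pruned copy of the tree containing only permitted entries."""
    shown = []
    for item in items:
        if item.control_id not in granted:
            continue   # parent denied: skip it and never descend
        shown.append(MenuItem(item.title, item.control_id,
                              visible_menu(item.children, granted)))
    return shown

def titles(items, depth=0):
    """Flatten a tree into indented titles for display or testing."""
    out = []
    for item in items:
        out.append("  " * depth + item.title)
        out.extend(titles(item.children, depth + 1))
    return out

MENU = [
    MenuItem("Orders", "menu.orders", [
        MenuItem("New order", "order.create"),
        MenuItem("Cancel order", "order.cancel"),
    ]),
    MenuItem("Administration", "menu.admin", [
        MenuItem("Users", "admin.users"),
    ]),
]
```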

 

 

User management, user authorization and similar operations are needed by every system. If an enterprise has many applications, you can put these controls into an independent permission control system whose permission control WebService is called by the subsystems, so that a series of application systems can be built around the permission system.

If an enterprise does not have many business products, you can integrate the full set of controls together with the interface display. Other access can go through calls to the business interface.

 
