During this period of time, I learned about OA permission management. Due to video quality problems, many of them are not very clear. This article gives a special summary of the requirements.
The first step is the use case diagram. Generally, there is at least one role (Senior Administrator) in permission management. Generally, there are two or more common roles. The following uses the simplest two as an example for analysis.
Describe the use case:
1. system users
System Administrator: has the highest level of system permissions and implements global information management and data maintenance.
Common users: System Administrators assign permissions to access and operate roles.
2. log on to the system and check whether the user's IP address source is in the blacklist. Perform the first firewall protection for the system. Verify and log on to the user name and password. If the account and password match, go to the user's work interface. Otherwise, the system prompts the user "the user name or password is incorrect. Please enter it again". The window jumps back to the user login window.
3. The work window system initializes the work window based on the user's permissions. Users of different roles have the corresponding work window interface.
4. the user management system administrator shall input, maintain, and authorize user information, and designate an organizational unit for the user. The system should be able to retrieve data based on department numbers, user numbers, and user names.
5. A role management role is a collection of users who have the specified permissions to perform specific resource access and operations. To manage users with similar permissions by category, roles such as system administrator, Administrator, user, and guest are defined. A role has a parent-child relationship. If the system administrator assigns resources with permissions through role authorization, the permissions of a role can only be authorized within the upper-level permission range. Role management includes role information entry, information maintenance, Role authorization to users, and viewing the Role user list.
6. Organization Management corresponds to the department or organization of an enterprise, which is used to manage users by group and classification. An organization has a parent-subordinate relationship and can perform unlimited sub-section operations, including organization information entry, organization information maintenance, and inspection of organizational employees.
7. Resource Management Resource permissions are the system's control over the display and access of user-accessed resource paths (including images, attachments, pages, etc. Resources have a parent-child relationship. To facilitate the rendering and loading of the interface, the parent-child hierarchy of resources should not exceed three layers.
8. Operation Management is a button control or operation related to resource access control. It is used to manage resource permissions in a more fine-grained manner.
Step 2 user authorization process
The user authorization process mainly completes the assignment of user roles and user organizations, and shows the inter-call relationship between system use cases. The authorization process is as follows:
1. create user information and assign business roles;
2. Perform role management. If there is no corresponding role, you can create the role and authorize the resource in the role management module;
3. Assign organizations to users to complete user authorization.
Step 3: database conceptual model:
Step 4 permission management
1. A user can have multiple roles. A role can be assigned to multiple users.
2. Permission indicates an operation on a resource:
A) the so-called resource, that is, the system module
B) operations, including adding, deleting, modifying, and querying
3. The general functions of the permission management system include authorization and authentication.
4. Authorization refers to granting permissions to roles or users
A) if user a has roles B and C, by default, user a will have all permissions assigned to roles A and C (that is, by default, user A inherits all permissions of its roles)
B) If a user has multiple roles, the user's permissions are a collection of these role permissions.
C) if a user has multiple roles and authorization conflicts between roles (for example, if a role is "Allowed" for the same operation on the same resource ", the other role is "not allowed"), and the priority level of the role will prevail (the so-called priority level, that is, for the role of this user, there is a sequence, the same role may have different priorities for different users)
D) In addition to Role authorization, you can also grant permissions to users. For all operations on a resource, we can set these permissions to "inherit" or "not inherit" for users"
I. Inheritance: this means that these permissions will use the permissions of the roles they (that is, users) have, rather than the permissions they (that is, users) set separately.
Ii. do not inherit: these permissions will use their own permissions, rather than the permissions of their roles.
5. authentication refers to some operations performed by a user to access resources. The user can determine whether to allow access by the user based on authorization.
A) Real-time judgment (whether or not the user has the right to access) is required during user access)
B) the query function should be provided to query all permissions of a user.