Design of a Universal Data Rights Management System (i)

Author: Yat-yun

Preface: This article gives a way to integrate function permissions and data permissions, so that rights management in a multi-level organization can be controlled centrally. The method is a further extension of RBAC (role-based access control): management of data rights is added on top of function rights, and both kinds of rights are then handled in one place.

Explanation:
Function permission: what may be done, for example adding a sales order.
Data permission: where it may be done, for example the sales orders of John in the Haidian sales department of the Beijing branch.

Terminology:
Resource: a resource in the system, mainly the various business objects, such as sales orders and payment forms.
Operation type: a possible kind of access to a resource, such as add, delete, modify.
Function: an operation on a resource, i.e. the pair (resource, operation type), such as "add sales order" or "modify sales order".
Data type: a type of data right commonly used in business systems, such as company, department, project, individual.
Data object: a concrete business object, such as company A or department B; this covers every object value that data permissions refer to.
Permission: what a role may do; it consists of the role's function permissions and the role's data permissions.
Role: a set of specific permissions.
User: a subject that takes part in system activity, such as a person or another system.

Design of a Universal Data Rights Management System (ii)

Method description: In practice the control points for data rights are fairly fixed, for example company, department, individual, customer, supplier. That is, data permissions are usually aimed at some data objects under a specified data type.
In this method, data permissions depend on function permissions: a data permission is a further qualification of a function permission, stating the data scope a role has at the specified function point. The principle is "whatever is not expressly restricted is allowed": if no data permission is defined for a function, the role has full data access for that function; if a data permission of some data type is defined for a function, the role can only reach the specified data objects of that type.

This reads rather abstractly, so here is a practical example. A company has three sales departments, Beijing, Shanghai and Guangzhou, and the following roles need to be defined:

Sales Director: can view the sales orders of all sales departments;
Beijing Sales Manager: can only view the sales orders of the Beijing sales department;
Shanghai Sales Manager: can only view the sales orders of the Shanghai sales department;
Guangzhou Sales Manager: can only view the sales orders of the Guangzhou sales department.

These roles are defined as follows:

-------------------------------------------------------------------
Role name                 Function            Data type    Data object
-------------------------------------------------------------------
Sales Director            View sales order
Beijing Sales Manager     View sales order    Department   Beijing
Shanghai Sales Manager    View sales order    Department   Shanghai
Guangzhou Sales Manager   View sales order    Department   Guangzhou
-------------------------------------------------------------------

In this definition the Sales Director has only a function permission and no data permission, so the Sales Director can view all sales orders; the three sales managers each have a data permission on this function, so each can view only the sales orders of the specified department.
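The rule described above, as an added example that is not code from the original post or the author's system: an in-memory evaluator for roles with function permissions and per-function data permissions, using the four roles of the table. It goes beyond the table in two ways that the design must also cover: a per-person scope (a placeholder `SELF` that is resolved to the acting user at check time) and a user who holds two roles and gets the union of both scopes. All names, records and the `SELF` convention are assumptions made for the example.

```python
"""Added example (not the post's own code): evaluator for the
function-permission + data-permission model.

Rules implemented:
  - a role holds function permissions, i.e. (resource, operation type) pairs;
  - a role may hold, per function, data permissions: for each data type the
    set of data objects it may reach;
  - "not expressly restricted is allowed": a function with no data permission
    of a given type is unrestricted for that type;
  - several data types on one function must all match (intersection);
  - a user with several roles may do what any of the roles allows (union).

Assumptions: each record carries one data object per data type (here the
department and the employee handling the order); a per-person scope uses the
SELF placeholder, resolved to the acting user's id. Sample data is constructed.
"""
from dataclasses import dataclass, field

SELF = "<self>"                    # resolved to the acting user at check time
VIEW = ("sales_order", "view")     # functions are (resource, operation) pairs
DELETE = ("sales_order", "delete")


@dataclass
class Role:
    name: str
    functions: set = field(default_factory=set)
    # function -> data type -> set of allowed data objects
    data_perms: dict = field(default_factory=dict)

    def grant(self, func, scope=None):
        """Give the role a function, optionally restricted per data type."""
        self.functions.add(func)
        for dtype, objects in (scope or {}).items():
            self.data_perms.setdefault(func, {}).setdefault(dtype, set()).update(objects)

    def allows(self, func, record, user_id):
        if func not in self.functions:
            return False                      # no function permission at all
        for dtype, allowed in self.data_perms.get(func, {}).items():
            resolved = {user_id if obj == SELF else obj for obj in allowed}
            if record.get(dtype) not in resolved:
                return False                  # restricted type, object not granted
        return True                           # nothing defined -> full access


USERS = {}   # user id -> list of Role


def can(user_id, func, record):
    """True if any of the user's roles allows func on this record."""
    return any(role.allows(func, record, user_id) for role in USERS.get(user_id, []))


def visible(user_id, func, records):
    """Ids of the records the user may reach through func."""
    return [r["id"] for r in records if can(user_id, func, r)]


# the four roles of the table
director = Role("Sales Director")
director.grant(VIEW)                                   # no data permission: sees all
bj_mgr = Role("Beijing Sales Manager")
bj_mgr.grant(VIEW, {"department": {"Beijing"}})
sh_mgr = Role("Shanghai Sales Manager")
sh_mgr.grant(VIEW, {"department": {"Shanghai"}})
gz_mgr = Role("Guangzhou Sales Manager")
gz_mgr.grant(VIEW, {"department": {"Guangzhou"}})
# beyond the table (assumption): a representative limited to the orders they
# handle themselves, and a team leader limited to the orders of the group
bj_rep = Role("Beijing Sales Representative")
bj_rep.grant(VIEW, {"department": {"Beijing"}, "individual": {SELF}})
bj_lead = Role("Beijing Team Leader")
bj_lead.grant(VIEW, {"department": {"Beijing"}, "individual": {"wang", "li"}})

USERS.update({
    "zhang": [director],
    "zhou": [bj_mgr],
    "chen": [sh_mgr, gz_mgr],   # two roles: union of both scopes
    "li": [bj_rep],
    "wang": [bj_lead],
})

ORDERS = [  # constructed sample records
    {"id": 1, "department": "Beijing", "individual": "li"},
    {"id": 2, "department": "Beijing", "individual": "wang"},
    {"id": 3, "department": "Beijing", "individual": "zhao"},
    {"id": 4, "department": "Shanghai", "individual": "sun"},
    {"id": 5, "department": "Guangzhou", "individual": "wu"},
]

if __name__ == "__main__":
    for user in USERS:
        print(user, visible(user, VIEW, ORDERS))
```

Note that the check is a deny-by-default at the function level (no function permission, no access) but allow-by-default at the data level (no data permission, full scope); anyone who forgets to attach a data permission to a scoped role silently grants the whole table, which is the price of the "not expressly restricted is allowed" rule and worth a review step when roles are created.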
In practice there are often groups within a department: a team leader can see the sales orders handled by all the staff in the group, and in some cases a person may only view their own sales orders. These special cases are not covered by the description above and have to be handled in the design and implementation. For example:

Beijing Sales Representative: can only view the sales orders they handle themselves in the Beijing sales department;

-------------------------------------------------------------------
Role name                      Function            Data type    Data object
-------------------------------------------------------------------
Beijing Sales Representative   View sales order    Department   Beijing
                                                   Individual
-------------------------------------------------------------------

Design of a Universal Data Rights Management System (iii): database design

Let us first look at the traditional role-based permission management system. As the figure below shows, the simplest role-based rights management consists of five parts: system functions, system roles, system users, role functions and user roles.

[Figure 1: role-based database structure]

To achieve data rights control, the role-based permission design is extended as shown in the following figure:

[Figure 2: database design of the universal data rights management system]

Comparing the two figures, the main changes are:

1. System resource information and operation type information are added. System resources form a tree, such as sales module and, under it, sales order; the operation type records the possible operations, such as add, delete, modify, view, query. A system function is the combination of a resource and an operation type: an operation on a resource is a system function.

2. Two tables, data object type and data object, are added. The data object type table records the object types the system needs to control, such as departments, warehouses, employees, customers, suppliers; the data object table records the object instances of each type, such as Beijing Sales Department, Shanghai Sales Department, John, Dick.
(The benefit of storing these separately is described later.)

3. An association table (many-to-many) between system resources and data object types is added. This is a configuration table that records the control points a resource may need: associating sales order with the department type means permissions may be assigned by department; associating sales order with customer means permissions may be assigned by customer; and so on.

4. An association between data objects and role permissions is added. This table is where data rights management is ultimately realized.

With this design, changes to the original permission system are kept to a minimum, and data control points can be added very flexibly. Used in product software, it can meet customers' needs flexibly.

The next article will discuss how this structure meets the functional requirements of part (ii) and, time permitting, go further into the program design. This design method has been applied in the development of a general supply chain management system; corrections are welcome.
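The database design of part (iii), as an added example that is neither the post's own schema nor the author's supply chain system: the tables named above created in SQLite, loaded with the roles of part (ii), and a query that turns the data permissions of a user's roles into a row filter on a business table. The control points come from the resource/data-type configuration table, so adding a control point means adding a configuration row rather than changing the query. Table and column names, the `sales_order` business table, the `COLUMN_FOR_TYPE` map (which column of the business table holds each controlled type's data object), the convention that an employee data object shares the user's id, and all sample rows are assumptions constructed for the example.

```python
"""Added example (not the post's own schema): the tables of part (iii) in
SQLite, plus a data-permission row filter driven by the configuration table.
All names and rows are constructed for the example."""
import sqlite3

SCHEMA = """
CREATE TABLE sys_resource  (id TEXT PRIMARY KEY, parent_id TEXT, name TEXT);   -- tree
CREATE TABLE op_type       (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE sys_function  (id TEXT PRIMARY KEY, resource_id TEXT, op_type_id TEXT);
CREATE TABLE sys_role      (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE sys_user      (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE role_function (role_id TEXT, function_id TEXT, PRIMARY KEY (role_id, function_id));
CREATE TABLE user_role     (user_id TEXT, role_id TEXT, PRIMARY KEY (user_id, role_id));
CREATE TABLE data_object_type (id TEXT PRIMARY KEY, name TEXT);
CREATE TABLE data_object   (id TEXT PRIMARY KEY, type_id TEXT, name TEXT);
-- configuration: which data object types are control points of a resource
CREATE TABLE resource_data_type (resource_id TEXT, type_id TEXT, PRIMARY KEY (resource_id, type_id));
-- data permissions: the data objects a role may reach through a function
CREATE TABLE role_function_data (role_id TEXT, function_id TEXT, data_object_id TEXT,
                                 PRIMARY KEY (role_id, function_id, data_object_id));
-- business table (assumption): its rows carry the data objects to be checked
CREATE TABLE sales_order   (id INTEGER PRIMARY KEY, department_id TEXT, owner_id TEXT);
"""

SAMPLE = """
INSERT INTO sys_resource VALUES ('sales', NULL, 'Sales module'), ('sales_order', 'sales', 'Sales order');
INSERT INTO op_type VALUES ('view', 'View'), ('add', 'Add');
INSERT INTO sys_function VALUES ('view_so', 'sales_order', 'view'), ('add_so', 'sales_order', 'add');
INSERT INTO sys_role VALUES ('director', 'Sales Director'), ('bj_mgr', 'Beijing Sales Manager'),
    ('sh_mgr', 'Shanghai Sales Manager'), ('bj_rep', 'Beijing Sales Representative');
INSERT INTO sys_user VALUES ('zhang', 'Zhang'), ('zhou', 'Zhou'), ('chen', 'Chen'), ('li', 'Li');
INSERT INTO role_function VALUES ('director', 'view_so'), ('bj_mgr', 'view_so'), ('sh_mgr', 'view_so'),
    ('bj_rep', 'view_so'), ('bj_rep', 'add_so');
INSERT INTO user_role VALUES ('zhang', 'director'), ('zhou', 'bj_mgr'), ('chen', 'sh_mgr'), ('li', 'bj_rep');
INSERT INTO data_object_type VALUES ('department', 'Department'), ('employee', 'Employee');
-- assumption: an employee data object uses the same id as the user it stands for
INSERT INTO data_object VALUES ('BJ', 'department', 'Beijing Sales Dept'), ('SH', 'department', 'Shanghai Sales Dept'),
    ('GZ', 'department', 'Guangzhou Sales Dept'), ('li', 'employee', 'Li'), ('wang', 'employee', 'Wang');
INSERT INTO resource_data_type VALUES ('sales_order', 'department'), ('sales_order', 'employee');
-- the director has no data permission rows, so view_so is unrestricted for that role
INSERT INTO role_function_data VALUES ('bj_mgr', 'view_so', 'BJ'), ('sh_mgr', 'view_so', 'SH'),
    ('bj_rep', 'view_so', 'BJ'), ('bj_rep', 'view_so', 'li');
INSERT INTO sales_order VALUES (1, 'BJ', 'li'), (2, 'BJ', 'wang'), (3, 'SH', 'chen'), (4, 'GZ', 'sun');
"""

# assumption: which column of the business table holds each controlled type
COLUMN_FOR_TYPE = {"department": "department_id", "employee": "owner_id"}


def build():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def visible_orders(conn, user_id, function_id="view_so"):
    """Ids of sales orders the user may reach through function_id, over all of
    the user's roles. For each control point of the resource a row passes when
    the role has no data permission of that type (unrestricted) or the row's
    data object is among the granted ones."""
    row = conn.execute("SELECT resource_id FROM sys_function WHERE id = ?", (function_id,)).fetchone()
    if row is None:
        return []                                    # unknown function: nothing
    types = [t for (t,) in conn.execute(
        "SELECT type_id FROM resource_data_type WHERE resource_id = ?", (row[0],))]
    preds, params = [], [user_id, function_id]
    for t in types:
        # the column name comes from trusted configuration, never from the caller;
        # every caller-supplied value is a bound parameter
        preds.append(f"""(NOT EXISTS (SELECT 1 FROM role_function_data d
                                  JOIN data_object ob ON ob.id = d.data_object_id
                                  WHERE d.role_id = rf.role_id AND d.function_id = rf.function_id
                                    AND ob.type_id = ?)
              OR EXISTS (SELECT 1 FROM role_function_data d
                         WHERE d.role_id = rf.role_id AND d.function_id = rf.function_id
                           AND d.data_object_id = o.{COLUMN_FOR_TYPE[t]}))""")
        params.append(t)
    sql = f"""SELECT DISTINCT o.id FROM sales_order o
              JOIN user_role ur ON ur.user_id = ?
              JOIN role_function rf ON rf.role_id = ur.role_id AND rf.function_id = ?
              WHERE {' AND '.join(preds) or '1 = 1'}
              ORDER BY o.id"""
    return [i for (i,) in conn.execute(sql, params)]


if __name__ == "__main__":
    db = build()
    for user in ("zhang", "zhou", "chen", "li"):
        print(user, "view_so", visible_orders(db, user), "add_so", visible_orders(db, user, "add_so"))
```

Two points the query makes visible: data permissions hang off the (role, function) pair, so the representative who is scoped on "view sales order" but has no data permission rows on "add sales order" is unrestricted on the latter; and the "no row of this type means unrestricted" rule is evaluated per data type, so the Beijing manager, who has a department row but no employee row, sees every employee's orders in Beijing.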
trackback: http://tb.blog.csdn.net/trackback.aspx?postid=1041807
Posted by Yat Yun on 2006-08-09 13:52:00
Laok, 2006-08-10 15:51:00, ip:159.226.3.*: Regarding the definition of roles, could you consider defining a series of roles with dynamic characteristics, for example defining "Sales Manager" as the role rather than "Guangzhou Sales Manager", "Beijing Sales Manager" and so on? With further abstraction the structure might be clearer.
Looding, 2006-08-10 16:11:00, ip:219.142.122.*: To: Laok
If "sales manager" is defined as a single role, the data permission on the Department object would have to be defined as "only the user's own department"; that can also give managers in different regions different permissions.
The article separates them like this mainly so that the description is clearer.
Rill, 2006-08-10 17:53:00, ip:159.226.5.*: Very well written, though I don't fully understand it yet.
AAAAAAAA, 2006-08-11 11:33:00, ip:210.83.203.*: Passing by; very good.
Hulinue, 2006-08-12 20:21:00, ip:220.180.134.*: Really good.
Hu, 2006-08-12 20:30:00, ip:220.180.134.*: Where can the open source supply chain software be downloaded?
Looding, 2006-08-13 14:22:00, ip:61.48.55.*: I have not yet seen a formal announcement; there is a test site: http://219.238.239.50/netmarket/
Due to server configuration issues only English is available for now (except for the menus).
Very good, but can be perfected, 2006-08-16 16:27:00, ip:124.203.146.*: The analysis is very good, but it still needs improvement:
1. The essential elements of a permission model are three: subject + action + object
2. By how they behave, permissions come in two types: static permissions (general permissions) and dynamic permissions (workflow)
Looding, 2006-08-17 18:05:00, ip:219.142.122.*: To: Very good, but can be perfected
-----------------------------------------------------------------
1. The essential elements of a permission model are three: subject + action + object
-----------------------------------------------------------------
A permission is the question of who does what;
a data permission is the question of who does what within which scope.
----------------------------------------------------------------
2. By how they behave, permissions come in two types: static permissions (general permissions) and dynamic permissions (workflow)
----------------------------------------------------------------
May I ask what exactly the dynamic permissions here refer to? Is it authorization, that is, the functions a business process may have once it has reached a certain state? For example, a sales order that has not been approved cannot be issued from the warehouse, and so on.
Jerry, 2006-08-22 08:13:00, ip:218.79.234.*: This article is really good. When will the next one be published? Looking forward to it......
Aran, 2006-09-05 18:22:00, ip:61.237.235.*: The article is really good, but I have a question: are users allowed to add system functions, and if one is deleted, does that affect the use of the program?
For example, how is the "New" button on the purchase order list hooked up to the user's "new purchase order" permission? Is the ID of the "New" button tied to the function code?
laoding, 2006-09-06 13:15:00, ip:219.142.122.*: To: Aran
After a formal release, functions (a new purchase order, for example) cannot be deleted, but whether a role has a function can be managed.
User permissions are set in the rights management module; in a business operation, the permission is checked at the logic layer when the "new" operation is performed, and the corresponding method in the logic layer carries an identifier similar to a function code (this system does not use function codes).