Hello, I'm Master Tang~
Let's talk today.Conceptual modeling of permissions.
Conceptual model of permissions
subscribers
In the permission model, the user is the central object of system permission control and the direct subject of all operational behavior. Users' permissions determine what resources they can access and what operations they can perform in the system.
Users represent the actual operators in the system and can be categorized depending on the system scenario:
- C-suite: such as the average consumer.
- B-end users: Employees within the system may come from different departments and have different responsibilities.
Each user has a unique identifier, which is used for authentication and permission checking in the system. The basic information of a user usually includes: username, password, status and other information.
character
A role is the bridge between users and permissions in the permission model. It represents a collection of permissions, usually corresponding to positions or responsibilities in an organization, such as administrator, operations manager, store manager, and so on. By assigning privileges to roles and then assigning roles to users, the system can realize flexible and efficient privilege management. Role design needs to consider the following points:
- Correspondence of responsibilities: Roles should clearly reflect the user's job responsibilities and avoid overlapping or vague responsibilities.
- Appropriate permissions: Assign appropriate permissions to roles to ensure the smooth running of the work, while avoiding security risks caused by excessive permissions.
- Flexible and Extensible: When adjusting permissions, you only need to modify the set of permissions for a role, and all the user permissions associated with the role will be updated accordingly.
With well-designed roles, organizations can effectively manage user privileges and significantly reduce the complexity of privilege assignment and maintenance.
user group
User groups are an important tool in the permission model for bringing together users with similar permission needs for unified management and efficient authorization.
By adding users to user groups and assigning roles or privileges to user groups, the system can simplify the privilege management process and improve management efficiency. User groups can be adapted to a variety of business requirements, for example:
- Departmental level privilege management: users from the same department are added to a user group to unify the management of privileges.
- Project-level privilege management: Users involved in the same project are added to a user group and given the required privileges for the project.
office
Position is the specific embodiment of the user's duties and responsibilities in the organization, and is also an important basis for the division of permissions in the permission model. Through the position, the user can be assigned permissions that are in line with his/her scope of responsibilities, ensuring that the permissions control is fine-tuned and consistent with the business requirements.
Different positions correspond to different authority needs, and as the scope of the job expands, the authority increases step by step. Common divisions of authority include:
- General Staff:Access only functions related to performing daily tasks, such as merchandise loading and unloading, order processing, and shipment management.
- Department Manager:In addition to having the privileges of an ordinary employee, you can also manage departmental business, such as reviewing subordinates' requisitions and viewing departmental performance data.
- Senior management:Have a global view with access to all functions, including viewing operating reports, financial statements, and developing business strategies.
A position usually corresponds to a single role, e.g., a "finance manager" position corresponds to a "financial management role". However, some complex positions may require multiple roles to fulfill their responsibilities. For example, a Director of Operations may require both an Operations Role and a Human Resources Role.
By assigning permissions through positions, we can ensure that users can only access resources that are relevant to their responsibilities, thus avoiding unnecessary misuse of permissions.
functional privilege
Functional permissions control the functional modules available to users in the system, the pages they can visit, and the actions they can perform. Simply put, it determines which menus you can see, which pages you can visit, and which buttons you can click.
The granularity of control of functional permissions typically includes: module permissions, page permissions, button permissions, and field permissions.
data privilege
Data permissions through the list of data row-level control, to achieve different users have different data view range in the system.
The key to implementing data permissions is to specify the control dimensions of the data rules, which commonly include:
- founder: Limit access by the creator of the data.
- Organizational units: Delimit access based on the organizational unit to which the data belongs.
- business line: Segment access by the line of business to which the data belongs.
The following are common applications of data permissions in real business:
RBAC Privilege Model Example
A sample RBAC permission model is shown. multiple tenants can be managed under the SaaS platform. each tenant (e.g., HQ A, B, and C) has an independent organizational structure that ensures data isolation and system flexibility.
Each tenant has a separate organizational structure, and multiple users can be added within the tenant for personnel management.
A role can be associated with multiple functional modules. For example, the "Store Manager" role may include cashier, merchandise, inventory, customer, finance, and employee management functions, covering all the functions required for store operations.
Data permissions are also critical. Access to the data of user "Zhangsan" is limited to store A to ensure information security.
The distribution of permissions at the headquarters level is similar. For example, "Li Si", as the "Director of Operations", has broader authority to view cross-store data (all stores under branch A) and has full control over business operations.
This permission design meets complex business needs and leaves room for future development. Through reasonable configuration, SaaS platform can provide precise authority control for all kinds of enterprises.
This article has been featured on, my tech site: Inside there are, algorithm Leetcode detailed explanation, interviews eight stock text, BAT interview questions, resume templates, architecture design, and other experience sharing.