具有两个参数的RBAC系统 [英] RBAC system with two parameters

问题描述

我正在寻找具有两个参数的RBAC系统的示例或最佳做法。而不是简单地让用户与角色关联，并且该角色与一组权限关联；用户可以与特定项目的角色相关联，然后用户可以仅对该项目（或该用户拥有该角色的其他项目）拥有该角色的权限。用户可以在一个项目中扮演特定角色，而在另一个项目中扮演不同的角色；授予角色的权限对于每个项目都是一致的；用户对项目的权限取决于用户在项目中所扮演的角色。

I’m looking for an example or best practices for a RBAC system with two parameters. Rather than simply having a user associated with a role, and that role associated with a group of permissions; a user can be associated with a role "for a specific project," and the user can then have the permissions of that role for that project only (or for other projects that the user holds that role for). A user can have a specific role on one project, and a different role on another project; the permissions granted to a role are consistent for every project; and a user’s permissions for a project are based on what role that user has on the project.

（如果有什么不同，我试图限制通过URL查询参数开发页面内容的页面访问，该参数通过GET语句设置项目ID 。）

(If it makes any difference, I’m trying to limit page access where the page content is developed via a URL query parameter that sets the project id through a GET statement.)

ABAC看起来很有前途，但我很难将其包围。我的理解是，用户的属性决定了该用户是否具有该角色（和/或权限）。就我而言，似乎我可以将项目视为用户，并将用户视为项目的属性（如果我的用户担任该项目的角色，则为true；否则为false）。

ABAC looks promising, but I’m having trouble wrapping my head around it. My understanding is that a user’s attribute dictates whether the user has the role (and/or permissions). In my case it seems like I might consider the project to be the "user," and my user as an attribute of the project (true, if my user holds the role for that project or false, if not)

推荐答案

如果要遵守RBAC标准，则对于不同的项目，必须使用不同的角色。例如，如果在项目 P1和 P2中使用了角色 admin，则可以创建角色 P1：admin和另一个角色 P2：admin。

If you want to stick to the RBAC standard, then you will have to use different roles for different projects. For example, if the role "admin" is used in projects "P1" and "P2", you can create a role"P1:admin" and another role "P2:admin".

ABAC确实是另一种可能性。但是，如果我对您的理解正确，那么说用户的属性决定了该用户是否具有角色（和/或权限）是不正确的。 ABAC中只有属性（就角色是属性而言），它比RBAC具有更大的灵活性。在请求中，您可以具有一个代表项目的属性（ P1或 P2），以及另一个代表该特定项目的角色的属性（ admin）。例如，正确指定的策略将能够识别出您是在 P1项目中引用管理员角色。

ABAC is indeed another possibility. However, if I understand you correctly, it isn't correct to say that "a user's attribute dictates whether the user has the role (and/or permissions)". There are only attributes in ABAC (in the sense that roles are attributes), which affords more flexibility than RBAC. In a request, you could have an attribute representing the project ("P1" or "P2"), and another attribute representing the role for that particular project ("admin"). A correctly specified policy will be able to recognise that you are referring to the "admin" role as part of the "P1" project, for example.

这篇关于具有两个参数的RBAC系统的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！