非RBAC用户角色和权限系统：与性能的作用 [英] Non RBAC User Roles and Permissions System: a role with properties

问题描述

我们目前的设计 用户角色和权限系统在我们的Web应用程序（ASP.NET），它似乎是我们有几个案例的做不适合经典基于角色的访问控制（RBAC）<内/ STRONG>。我将发布几个问题，每个致力于一个特殊情况。这是我的第二个问题（第一个问题是在这里：<一href=\"http://stackoverflow.com/questions/2839797/non-rbac-user-roles-and-permissions-system-checking-the-users-city\">http://stackoverflow.com/questions/2839797/non-rbac-user-roles-and-permissions-system-checking-the-users-city).

We are currently designing a User Roles and Permissions System in our web application (ASP.NET), and it seems that we have several cases that do no fit within the classical Role-Based Access Control (RBAC). I will post several questions, each devoted to a particular case. This is my second question (the first question is here: http://stackoverflow.com/questions/2839797/non-rbac-user-roles-and-permissions-system-checking-the-users-city).

我们有以下的情况：我们需要实现我们的Web应用程序中的管理员角色即可。然而，经理可以属于一个或几个公司（大集团公司为我们创建这个Web应用程序的范围内）。说，可以有的公司A和B的经理，C公司的经理，等等。

We have the following case: we need to implement a Manager role in our web application. However, a Manager can belong to one or several companies (within a big group of companies for which we are creating this web app). Say, there can be "Manager of companies A and B", "Manager of company C", etc.

根据该经理所属的公司，他的访问以特定操作：例如，他可以只用的，他属于那些企业客户沟通。也就是说，公司A和B的管理器中只能有接触与公司A和B的客户，而不是与公司C的他也可以查看客户详细信息公司A和B的页面，而不是C，等

Depending on the companies that the Manager belongs, he has access to certain operations: for example, he can communicate with clients only of those companies that he belongs to. That is, "Manager of companies A and B" can only have contacts with clients of companies A and B, and not with those of company C. He can also view clients’ details pages of companies A and B and not of C, etc.

看来，这种情况属于RBAC中。然而，这并不是真正的情况。我们需要创建一个 ManagerRole类，将有一个公司财产 - 也就是说，这不会是仅仅作为权限的集合作用（如古典RBAC ），但与性能的作用！

It seems that this case falls within the RBAC. However, this is not really the case. We will need to create a ManagerRole class that will have a Companies property – that is, this will not be just a role as a collection of permissions (like in the classical RBAC), but a role with properties!

此为具有特性的作用的一个例子。会有别人：例如，管理员角色，也将属于一些企业，也将有其他的自定义属性。

This was just one example of a role having properties. There will be others: for example, an Administrator role that will also belong to a number of companies and will also have other custom properties.

这意味着我们将层级或角色类：

This means that we will a hierarchy or roles classes:

class Role – base class  
class ManagerRole : Role  
    List Companies  
class AdministratorRole : Role  
    List Companies  
    Other properties

我们研究了纯RBAC及其在几个系统的实施，和没有发现系统设有层次或角色，每一个自定义属性。在RBAC中，角色只是权限的集合。

We investigated pure RBAC and its implementation in several systems, and found no systems featuring a hierarchy or roles, each having custom properties. In RBAC, roles are just collections of permissions.

我们可以使用许可与性质，像ManagerPermission，AdministratorPermission我们的案件模型，但是这有很多弊端，主要的是，我们将无法分配，如经理角色公司A和B直接用户，而是必须创建包含公司A和B的ManagerPermission一个角色......而且，经理人似乎而是一个角色（在公司的地位），而不是许可从语言学的角度。

We could model our cases using permission with properties, like ManagerPermission, AdministratorPermission, but this has a lot of drawbacks, the main being that we will not be able to assign a role like "Manager of Companies A and B" to a user directly, but will have to create a role containing a ManagerPermission for companies A and B… Moreover, a "Manager" seems to be rather a "role" (position in the company) rather than a "permission" from the linguistic point of view.

将感激任何关于这一问题的想法，以及在这个行业的经验！

Would be grateful for any ideas on this subject, as well as any experience in this field!

感谢您。

推荐答案

让我先说，无论你的问题基本上是相同的，应予以巩固。有在相同的概念的多种变化没有价值。

Let me first say that both of your questions are basically the same and should be consolidated . There is no value in multiple variations of the same concept.

您想任意歧视额外级别增加的基础性作用。

You wish to add an extra level of arbitrary discrimination to the basic role.

要实现这种RBAC的并保留采取任何内在基础设施的优势，你需要做一些妥协，并建立了一些自定义实现的能力。

To implement this sort of RBAC and retain the ability to take advantage of any of the inbuilt infrastructure you will need to make a few compromises and build a few custom implementations.

第一步是采用一个角色定义公约的妥协。例如当您要确定用户是否是角色公司A的经理，你会定义规则，是它的一个属性，code或者一个网站地图，为经理，公司A'，即的isUserInRole（经理，公司A）。

The first step is the compromise of adopting a role definition convention. e.g. when you want to determine if a user is in role 'manager' of 'companyA' you would define the rule, be it an attribute, code or perhaps a sitemaps, as 'manager-companyA' i.e. IsUserInRole("manager-companyA").

第二步是自定义RoleProvider实现，可以分析这个并适当查询您的基础数据源保持分层关系，为此，你将不得不维护提供自定义的UI。

The second step is a custom RoleProvider implementation that can parse this and appropriately query your underlying data source maintaining the hierarchial relationships, for which you will have to provide a custom UI for maintenance.

您将需要在最低限度，落实ASP.Net使用的方法，以确保角色检查或以正确的格式输出。

You will need to, at a minimum, implement the methods used by ASP.Net to ensure that the roles are checked or output in the correct format.

的isUserInRole 将得到一个字符串，你将不得不使用惯例，解析为验证组成部分，如描述previously。

IsUserInRole will get a string that you will have to, using convention, parse into constituent segments for verification, as described previously.

GetRolesForUser 可缓存在cookie中的角色时，必须执行的角色和输出所有排列的分层递归调用。例如用户是公司A和companyB经理等等 GetRolesForUser（用户）应返回由值的数组经理，公司A 和经理-companyB 由它利用高速缓存的角色和不交互轮询RoleProvider。在asp.net基础设施的使用

GetRolesForUser can be called when caching roles in cookies and must perform a hierarchial recursion of the roles and output all permutations. e.g. A user is manager for companyA and companyB so GetRolesForUser("user") should return an array consisting of the values manager-companyA and manager-companyB for use by the asp.net infrastructure that utilizes cached roles and does not interactively poll the RoleProvider.

这类型的方法将为您提供建立ASP.Net RBAC设施最广泛的可用性，同时为您提供您需要的定制。

This type of approach will provide you with the widest availability of established ASP.Net RBAC facilities while providing you with the customization you require.

所以，最后，只要你能调整你的期望和/或重新定义您的要求尽可能的工作在现有的基础设施少（少得多）code，你必须实际设计，实施，测试和维护并更多的时间，你必须花费集中在你的系统的其他方面的还没有到位的完善的基础设施。

So, to conclude, whenever you can adjust your expectations and/or redefine your requirements to work as much as possible with the existing infrastructure the less (MUCH LESS) code you must actually design, implement, test and maintain and the more time you have to spend concentrating on other aspects of your systems that do not already have an established infrastructure in place.

这篇关于非RBAC用户角色和权限系统：与性能的作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！