具有两个参数的 RBAC 系统 [英] RBAC system with two parameters

问题描述

我正在寻找具有两个参数的 RBAC 系统的示例或最佳实践.而不是简单地将用户与角色相关联，而该角色与一组权限相关联；用户可以与针对特定项目"的角色相关联，然后该用户只能对该项目(或该用户拥有该角色的其他项目)拥有该角色的权限.用户可以在一个项目中拥有特定角色，在另一个项目中拥有不同角色；授予角色的权限对于每个项目都是一致的；用户对项目的权限取决于该用户在项目中的角色.

I’m looking for an example or best practices for a RBAC system with two parameters. Rather than simply having a user associated with a role, and that role associated with a group of permissions; a user can be associated with a role "for a specific project," and the user can then have the permissions of that role for that project only (or for other projects that the user holds that role for). A user can have a specific role on one project, and a different role on another project; the permissions granted to a role are consistent for every project; and a user’s permissions for a project are based on what role that user has on the project.

(如果有什么不同，我试图限制页面访问，其中页面内容是通过 URL 查询参数开发的，该参数通过 GET 语句设置项目 ID.)

(If it makes any difference, I’m trying to limit page access where the page content is developed via a URL query parameter that sets the project id through a GET statement.)

ABAC 看起来很有希望，但我无法理解它.我的理解是用户的属性决定了用户是否具有角色(和/或权限).就我而言，似乎我可能会将项目视为用户"，而我的用户是项目的一个属性(如果我的用户担任该项目的角色，则为真，否则为假)

ABAC looks promising, but I’m having trouble wrapping my head around it. My understanding is that a user’s attribute dictates whether the user has the role (and/or permissions). In my case it seems like I might consider the project to be the "user," and my user as an attribute of the project (true, if my user holds the role for that project or false, if not)

推荐答案

如果你想坚持 RBAC 标准，那么你将不得不为不同的项目使用不同的角色.例如，如果在项目P1"和P2"中使用角色admin"，您可以创建一个角色P1:admin"和另一个角色P2:admin".

If you want to stick to the RBAC standard, then you will have to use different roles for different projects. For example, if the role "admin" is used in projects "P1" and "P2", you can create a role"P1:admin" and another role "P2:admin".

ABAC 确实是另一种可能.但是，如果我理解正确，那么说用户的属性决定用户是否具有角色(和/或权限)"是不正确的.ABAC 中只有属性(从角色是 属性的意义上说)，它提供了比 RBAC 更大的灵活性.在请求中，您可以拥有一个代表项目的属性(P1"或P2")，以及代表该特定项目的角色的另一个属性(admin").例如，正确指定的策略将能够识别您将管理员"角色称为P1"项目的一部分.

ABAC is indeed another possibility. However, if I understand you correctly, it isn't correct to say that "a user's attribute dictates whether the user has the role (and/or permissions)". There are only attributes in ABAC (in the sense that roles are attributes), which affords more flexibility than RBAC. In a request, you could have an attribute representing the project ("P1" or "P2"), and another attribute representing the role for that particular project ("admin"). A correctly specified policy will be able to recognise that you are referring to the "admin" role as part of the "P1" project, for example.

这篇关于具有两个参数的 RBAC 系统的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！