DB schema for RBAC with multiple levels of roles


Question

I'm trying to come up with a DB schema for an RBAC, and I want to be able to create "departments" and "positions". Positions will extend the generic privileges of departments. Should I just create a single "roles" table, holding both the positions and departments? Or should I create 3 tables: positions, departments, and roles, with the positions and departments table having a foreign key to the roles table? Thx in advance for your help everyone! Cheers.

Recommended answer

My experience while experimenting with a custom RBAC implementation is as follows:

  1. You read a lot of the RBAC literature and think you understand it. Then you go ahead and try to implement it, just to realize you didn't really understand it at all. Eventually it will make sense as you move along in the project.

Based on your question, you already know the business domain to which you want to apply RBAC. But forget about the actual business objects for now. Your RBAC implementation should be generic, meaning that you have a DB schema consisting of Role, User, Permission, Operation, etc. tables. Then you will have objects which map to such tables (one-to-one relation).

Once you have this RBAC implementation, it can then be modeled to practically any business domain, such as a 'Department' that you have mentioned.

Just remember that it's not all perfect... I've enhanced/modified/derived from the actual RBAC literature in order to add custom features, enhance performance, etc.

I haven't worked on this for a while, so I hope I'm correct in the following:

  • User: Instances are created and saved to its backing table.
  • Role: Instances are created and saved to its backing table. Roles will get assigned to users.

Permission: A permission basically is a combination of an Operation on an Object. Permissions get assigned to roles.

Operation: An operation is simply anything you want. It could be CRUD (create, read, update, delete) or it could also be 'print', 'search' or anything a human (or system) can perform on an object (or group of objects).

With this framework, you should be able to map:

  • Who can assign users to a department
  • Who can remove them from departments
  • How many users can be in a department
  • What kind of users (based on their assigned roles) can be in a department
  • Which roles can perform which operations to a department (create, read, update, delete them)
  • Etc.
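
An added example, not code from the original answer: the generic User / Role / Operation / Object / Permission tables the answer lists, built in an in-memory SQLite database with constructed users, roles and grants, plus a deny-by-default check of whether a user may perform an operation on an object. All table, role, user and operation names are assumptions for illustration.

```python
import sqlite3
# Added example, not code from the original answer: the generic User / Role / Operation /
# Object / Permission tables it describes, with constructed sample data in SQLite.
SCHEMA = """
CREATE TABLE users      (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles      (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE operations (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE objects    (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
-- a permission is one operation on one object; it is granted to roles, never to users directly
CREATE TABLE permissions (id INTEGER PRIMARY KEY, operation_id INTEGER REFERENCES operations(id),
  object_id INTEGER REFERENCES objects(id), UNIQUE (operation_id, object_id));
CREATE TABLE role_permissions (role_id INTEGER REFERENCES roles(id),
  permission_id INTEGER REFERENCES permissions(id), PRIMARY KEY (role_id, permission_id));
CREATE TABLE user_roles (user_id INTEGER REFERENCES users(id),
  role_id INTEGER REFERENCES roles(id), PRIMARY KEY (user_id, role_id));
"""
# Constructed grants as (role, operation, object). 'department' is a business object
# here, not a role, which is how the answer suggests modelling it.
GRANTS = [("dept_member", "read", "department"), ("dept_manager", "read", "department"),
          ("dept_manager", "update", "department"), ("dept_manager", "assign_user", "department")]
USER_ROLES = [("alice", "dept_member"), ("bob", "dept_manager")]  # carol is given no role

def _id(conn, table, name):
    """Insert `name` into a lookup table if it is new and return its id (table is a constant)."""
    conn.execute(f"INSERT OR IGNORE INTO {table}(name) VALUES (?)", (name,))
    return conn.execute(f"SELECT id FROM {table} WHERE name = ?", (name,)).fetchone()[0]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name in ("alice", "bob", "carol"):
        _id(conn, "users", name)
    for role, op, obj in GRANTS:
        ids = (_id(conn, "operations", op), _id(conn, "objects", obj))
        conn.execute("INSERT OR IGNORE INTO permissions(operation_id, object_id) VALUES (?, ?)", ids)
        conn.execute("INSERT INTO role_permissions SELECT ?, id FROM permissions "
                     "WHERE operation_id = ? AND object_id = ?", (_id(conn, "roles", role), *ids))
    for user, role in USER_ROLES:
        conn.execute("INSERT INTO user_roles VALUES (?, ?)",
                     (_id(conn, "users", user), _id(conn, "roles", role)))
    return conn

def can(conn, user, operation, obj):
    """Deny by default: True only if some role assigned to `user` carries the permission."""
    sql = """SELECT 1 FROM users u JOIN user_roles ur ON ur.user_id = u.id
             JOIN role_permissions rp ON rp.role_id = ur.role_id
             JOIN permissions p ON p.id = rp.permission_id
             JOIN operations o ON o.id = p.operation_id JOIN objects b ON b.id = p.object_id
             WHERE u.name = ? AND o.name = ? AND b.name = ? LIMIT 1"""
    return conn.execute(sql, (user, operation, obj)).fetchone() is not None
```

Because every grant passes through a role, a user with no role (carol here) gets nothing, and an operation or object that was never defined cannot be granted by accident.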
