DB Schema of a Role Based Access Control


Problem description

I'm currently developing a member administration for a local association here and I'm developing the database schema at the moment. I'd like to share it with you to improve it and give others an example of a Role Based Access Model (RBAC). I'd appreciate any constructive criticism, especially about the relationships I used between the tables.

Link to high resolution: http://i.stack.imgur.com/WG3Vz.png

The following schema is used here:

How it works:

I'm mapping existing clients (actually members of the association) from an external application into my administration application. (clients table)

The association is structured in Divisions, Subdivisions, etc. (intern_structures table). Every client can be a member in multiple Divisions, Subdivisions, Sections etc.

Every client can have one or multiple roles in such memberships (divisions, ...) like President, Actuary, Treasurer etc., and each role has certain privileges which the owner of the role can apply on others in his Division, Subdivision, Section etc.

A credential is connected to a certain action of an application. The owner of the credential may execute this action on other members in his scope. There can be multiple "standalone" applications, but they all share the same authentication/authorization system.

An application is structured in Modules/Submodules/Actions etc. An example could be a "Personal Details" module, and this module contains a submodule called "Picture", and you could apply the actions "view, delete, edit" on this picture. But you can't delete any picture unless the person whose picture you try to delete is in a division/section where you have the adequate role to do so.

The internal and application structure are both trees, implemented as adjacency list and nested set. The adjacency list ensures the integrity and the nested set allows me to traverse the tree quickly.

An exception is that you can give someone certain credentials directly (client_credentials). This is needed if someone needs to perform certain actions on somebody who isn't in his division/section.

So, someone can be a member in multiple divisions/sections and obtain multiple roles in every division/section he's a member of. I'm going to merge all credentials someone has through his multiple roles. And credentials are always positive, which means restrictive credentials are not possible.
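The design the question describes (membership in a structure tree kept as adjacency list plus nested set, roles scoped to the membership they are held in, credentials merged additively, and the unscoped client_credentials exception) as an added, runnable SQLite/Python example. This is not the asker's schema or the linked image: the table and column names, the sample data and the rule that a direct credential carries no scope are assumptions made for the illustration.

```python
"""RBAC schema in the shape the question describes, run in SQLite.
Added example, not the asker's schema: table/column names (intern_structures,
memberships, client_roles, client_credentials) and the data are assumptions."""
import sqlite3

ALICE, BOB, CAROL, DAVE = 1, 2, 3, 4  # constructed sample client ids

SCHEMA = """
CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
-- Tree: parent_id is the adjacency list (integrity), lft/rgt the nested set (subtree checks).
CREATE TABLE intern_structures (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    parent_id INTEGER REFERENCES intern_structures(id), lft INTEGER, rgt INTEGER);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
-- One credential per application action (module.submodule.action).
CREATE TABLE credentials (id INTEGER PRIMARY KEY, action TEXT NOT NULL UNIQUE);
CREATE TABLE role_credentials (role_id INTEGER NOT NULL REFERENCES roles(id),
    credential_id INTEGER NOT NULL REFERENCES credentials(id),
    PRIMARY KEY (role_id, credential_id));
CREATE TABLE memberships (client_id INTEGER NOT NULL REFERENCES clients(id),
    structure_id INTEGER NOT NULL REFERENCES intern_structures(id),
    PRIMARY KEY (client_id, structure_id));
-- A role is held within a membership; that membership's structure is the role's scope.
CREATE TABLE client_roles (client_id INTEGER NOT NULL, structure_id INTEGER NOT NULL,
    role_id INTEGER NOT NULL REFERENCES roles(id), PRIMARY KEY (client_id, structure_id, role_id),
    FOREIGN KEY (client_id, structure_id) REFERENCES memberships(client_id, structure_id));
-- The exception in the question: a credential granted directly (assumed to carry no scope).
CREATE TABLE client_credentials (client_id INTEGER NOT NULL REFERENCES clients(id),
    credential_id INTEGER NOT NULL REFERENCES credentials(id),
    PRIMARY KEY (client_id, credential_id));
"""

# Path 1: actor holds, in structure s, a role carrying the action, and the target is a
# member of s or of any structure inside s (nested-set BETWEEN). Path 2: direct grant.
# Credentials are only ever additive, so OR-ing the two paths is the whole merge.
CHECK = """
SELECT EXISTS (
    SELECT 1 FROM client_roles cr
    JOIN role_credentials rc ON rc.role_id = cr.role_id
    JOIN credentials c       ON c.id = rc.credential_id
    JOIN intern_structures s ON s.id = cr.structure_id
    JOIN memberships tm      ON tm.client_id = :target
    JOIN intern_structures t ON t.id = tm.structure_id
    WHERE cr.client_id = :actor AND c.action = :action
      AND t.lft BETWEEN s.lft AND s.rgt
) OR EXISTS (
    SELECT 1 FROM client_credentials cc
    JOIN credentials c ON c.id = cc.credential_id
    WHERE cc.client_id = :actor AND c.action = :action
)
"""


def rebuild_nested_set(conn):
    """Derive lft/rgt from parent_id by a depth-first walk; roots have parent_id NULL."""
    children = {}
    for node, parent in conn.execute("SELECT id, parent_id FROM intern_structures ORDER BY id"):
        children.setdefault(parent, []).append(node)
    counter = 0

    def visit(node):
        nonlocal counter
        counter += 1
        lft = counter
        for child in children.get(node, []):
            visit(child)
        counter += 1
        conn.execute("UPDATE intern_structures SET lft = ?, rgt = ? WHERE id = ?", (lft, counter, node))

    for root in children.get(None, []):
        visit(root)


def can(conn, actor, action, target):
    """True if actor may apply action to target through a scoped role or a direct grant."""
    row = conn.execute(CHECK, {"actor": actor, "action": action, "target": target}).fetchone()
    return bool(row[0])


def build_demo_db():
    """Constructed data: Association > {Division North > Section Youth, Division South}."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO clients VALUES (?, ?)",
                     [(ALICE, "Alice"), (BOB, "Bob"), (CAROL, "Carol"), (DAVE, "Dave")])
    conn.executemany("INSERT INTO intern_structures (id, name, parent_id) VALUES (?, ?, ?)",
                     [(1, "Association", None), (2, "Division North", 1),
                      (3, "Section Youth", 2), (4, "Division South", 1)])
    rebuild_nested_set(conn)
    conn.executemany("INSERT INTO roles VALUES (?, ?)", [(1, "President"), (2, "Actuary")])
    conn.executemany("INSERT INTO credentials VALUES (?, ?)",
                     [(1, "picture.view"), (2, "picture.edit"), (3, "picture.delete")])
    # President may view/edit/delete; Actuary may only view.
    conn.executemany("INSERT INTO role_credentials VALUES (?, ?)", [(1, 1), (1, 2), (1, 3), (2, 1)])
    conn.executemany("INSERT INTO memberships VALUES (?, ?)",
                     [(ALICE, 2), (ALICE, 4), (BOB, 3), (CAROL, 4), (DAVE, 4)])
    # Alice: President of Division North, Actuary of Division South (two roles, merged).
    conn.executemany("INSERT INTO client_roles VALUES (?, ?, ?)", [(ALICE, 2, 1), (ALICE, 4, 2)])
    conn.execute("INSERT INTO client_credentials VALUES (?, ?)", (DAVE, 3))  # direct delete grant
    return conn
```

With this data `can(db, ALICE, "picture.delete", BOB)` is true because Bob's Section Youth lies inside the Division North subtree where Alice is President, while `can(db, ALICE, "picture.delete", CAROL)` is false: Alice's only role in Division South is Actuary, which merges in view but not delete. Dave can delete anyone's picture through client_credentials, which is why that table is the one to audit first; because every grant is additive there is no row that can take a privilege away, and the nested-set BETWEEN is a single range comparison rather than a recursive walk, but lft/rgt must be rebuilt from parent_id after any move in the tree.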

Recommended answer

I'm going to give another example of an RBAC system I really like. Please check out the radicore framework by Tony Marston here.

I'm not sure if it meets all of your requirements, but something you can compare your work with can help.
