如何在组级别实施ACL?例如.只有学校A的老师可以更新学校A的日历 [英] How to implement ACL at a group level? E.g. only teachers in school A can update school A's calendar
问题描述
尝试使用Spring Security ACL解决以下问题:只有学校A的老师才能更新学校A的日历.
Trying to solve the following problem using Spring Security ACL: only teachers in school A can update school A's calendar.
是否可以实现这样的权限结构而无需为每个老师添加ACL条目以在该学校的日历上拥有更新权限(方法1)?还是可以定义学校A组,将该学校中的每个老师分配给该组,并在该学校的日历上授予该组写许可(方法2)?
Is it possible to implement such permission structure without adding an ACL entry for each teacher to have update permission over that school's calendar (approach #1)? Or is it possible to define school A group, assign every teacher in that school to that group and give the group write permission over the school's calendar (approach #2)?
方法2是可取的,因为方法将为单个项目(如日历)生成相同数量的记录,但是如果共享了另一个项目(例如,学校A的留言板),方法2将仅需要一条额外的记录,方法#1将要求每位老师都拥有新记录,如果删除或添加一位老师(2次删除/2次更新),则很难维护.
Approach #2 is preferable because approaches would generate the same amount of records for a single item like the calendar, but if another item was shared (school A's message board for example) approach #2 would only require 1 additional record, approach #1 would require new records for every teacher and harder to maintain if a teacher is removed or added (2 deletes/2 updates).
推荐答案
您可以在Spring ACL中向Grant_authorities授予权限.基本上,由于您位于某个组中,因此可以为该组(显式或隐式)创建授予的权限.属于该组的用户将获得GA.权限已分配给GA.如果将用户从组中删除,则删除GA,他们将失去访问权限.
You can grant permissions in spring acl to granted_authorities. Basically, by virtue of being in a certain group, you create a granted authority for that group (either explicit or implicit). The users who are part of the group get the GA. Permissions are assigned to the GA. If the user is removed from the group, remove the GA, and they will lose the access.
这篇关于如何在组级别实施ACL?例如.只有学校A的老师可以更新学校A的日历的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
