Patterns / design suggestions for permission handling


Question

We have a rather complicated system of permission handling in our (ASP.NET web) application. Users can have specific permissions on different kinds of objects, some permissions are even packed into groups / roles that are assigned to users. All in all this ends up in a pretty complicated mess where for determining whether a user can do / see something you have to evaluate many different sources of permissions and this is done somehow on-demand and based on specific situations.

My question is (from a high level point of view) whether there are some suggestions / common design patterns to deal with permission concept in general and probably also what is your experience with handling them in your architecture.

Recommended answer

Users and Groups with the ability to test bool UserHasPermission( SOME_PERMISSION ) for an atomic permission associated with a Group is the standard approach for authorization, however things are changing to Claims-based:

http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

http://msdn.microsoft.com/en-us/magazine/cc163366.aspx

http://www.infoq.com/news/2009/10/Guide-Claims-Based-Identity (URL reconstructed from a machine-translated link; the original path slug may differ)

It, however, is not ideal for all situations.

For the old model, I find that performance can be gained by using memoization during permissions checks. That way I'm not going to the database n times per session to check access control. Memoization effectively stores in a cache the result of a call with the same parameters, so all calls by a particular user to check XYZ permission would return the same result. Of course, you'd make sure you stored the memoized permissions for the user in the Session so it's per-user. If you load the permissions at login then you don't need to cache them, but in large systems with many permissions sometimes it's best to get them only when needed.

http://www.infoq.com/news/2007/01/CSharp-memory (URL reconstructed from a machine-translated link; the original path slug may differ)
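The per-user memoization the answer describes, as an added example (not code from the original answer or from the asker's application): direct grants and group/role grants are merged into one check, results are cached per user and per (object, permission) pair, and an explicit invalidation hook covers the case where grants change mid-session. The lookup delegates and all class and member names are hypothetical stand-ins for the real database queries.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Per-user memoized permission checks; the lookup delegates stand in for database queries.
public sealed class UserPermissions
{
    private readonly int _userId;
    private readonly Func<int, string, string, bool> _directGrant;   // user, objectKey, permission
    private readonly Func<int, IEnumerable<string>> _groupsOf;       // user -> groups / roles
    private readonly Func<string, string, string, bool> _groupGrant; // group, objectKey, permission
    // Memo table, one instance per user (e.g. kept in Session), keyed by (object, permission).
    private readonly Dictionary<(string, string), bool> _memo = new();
    public int DatabaseRoundTrips { get; private set; }
    public UserPermissions(int userId, Func<int, string, string, bool> directGrant,
        Func<int, IEnumerable<string>> groupsOf, Func<string, string, string, bool> groupGrant)
    { _userId = userId; _directGrant = directGrant; _groupsOf = groupsOf; _groupGrant = groupGrant; }
    public bool UserHasPermission(string objectKey, string permission)
    {
        var key = (objectKey, permission);
        if (_memo.TryGetValue(key, out bool cached)) return cached;  // memo hit: no database access
        DatabaseRoundTrips++;
        bool allowed = _directGrant(_userId, objectKey, permission)
                    || _groupsOf(_userId).Any(g => _groupGrant(g, objectKey, permission));
        _memo[key] = allowed;  // cache denials too, or every denied check hits the database again
        return allowed;
    }
    // Call this when grants or group membership change; otherwise a revoked permission
    // stays effective for this user until the memo is dropped together with the session.
    public void Invalidate() => _memo.Clear();
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: user 7 has one direct grant and belongs to the "editors" group.
        var direct = new HashSet<(int, string, string)> { (7, "doc:42", "read") };
        var groups = new Dictionary<int, string[]> { [7] = new[] { "editors" } };
        var groupGrants = new HashSet<(string, string, string)> { ("editors", "doc:42", "write") };
        var perms = new UserPermissions(7,
            (u, o, p) => direct.Contains((u, o, p)),
            u => groups.TryGetValue(u, out var g) ? g : Array.Empty<string>(),
            (g, o, p) => groupGrants.Contains((g, o, p)));
        Console.WriteLine(perms.UserHasPermission("doc:42", "write"));  // granted through the group
        Console.WriteLine(perms.UserHasPermission("doc:42", "write"));  // second call served from the memo
        Console.WriteLine(perms.UserHasPermission("doc:42", "delete")); // no grant from any source
        Console.WriteLine(perms.DatabaseRoundTrips);                    // counts only the memo misses
    }
}
```

Because denials are cached as well as grants, a permission granted after the memo was filled is also not seen until Invalidate() runs or the session ends.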
