基于角色的访问控制 (RBAC) 关心权限还是角色? [英] Role Based Access Control (RBAC) cares about permission or roles?

问题描述

阅读http://en.wikipedia.org/wiki/Role-based_access_control 看到人们构建授权/访问控制的方式后，我想到了这个问题为什么我们在检查用户是否被允许执行 X 而不是检查他们的权限时要检查他们的角色?"

After reading http://en.wikipedia.org/wiki/Role-based_access_control and seeing the way people are building authorization/access control, this question came to my mind "Why we are checking roles of users when checking if they are permitted to do X rather than checking their permissions?"

这就是我的理解，用户有角色，角色有权限，这就是用户如何拥有权限(用户不能明确分配给它的权限，它通过拥有角色获得权限)

This is what I understood, Users have Roles, Roles have permission and this is how a user can have permissions (A user cannot explicitly have permissions assigned to it, it gets its permission by having roles)

而且我认为在处理添加用户的请求时检查AddUser"这样的权限是有意义的，但在 .Net 库中以及在 RBAC 的许多示例中，我们看到他们检查角色.就像他们检查用户是否处于管理员角色一样，而不是检查他/她是否具有AddUser"权限.

And I think it makes sense to check for a permission like "AddUser" when processing a request for adding a user but in .Net library and also in a lot of examples in RBAC we see that they check for Roles. Like they check if the user is in the role of Administrators rather than checking if he/she has the permission "AddUser".

为什么?检查权限对我来说更有意义.

Why? It kind of makes more sense to me to check for permissions.

有人可以在这里照亮我吗?

Can someone please illuminate me here?

谢谢

推荐答案

您是对的 - 检查应用程序中的角色而不是权限不是基于角色的访问控制.Spring 安全和许多其他突出的访问控制机制传播了这种安全反模式.为了正确使用 RBAC - 在您的策略实施逻辑中执行权限检查.

You are correct - checking for roles in applications instead of permissions is not Role-Based Access Control. Spring security and many other prominent access control mechanisms propagate this security anti-pattern. For correct RBAC usage - perform permission checks in your policy enforcement logic.

这篇关于基于角色的访问控制 (RBAC) 关心权限还是角色?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！