Data permissions should be designed like this, yyyds!
2022-07-26 14:59:00 【Misty jam】
My Knowledge Planet has officially launched (click the link); I look forward to your joining, let's charge ahead together!
Hello everyone, I am Ethereal!
In real projects we not only need to control which resources a user can access, but also which part of the data within a resource that user may see.
For controlling which resources a user can access there is a mature permission management model, RBAC. For controlling which part of a resource's data a user can access (what we usually call data permissions), the RBAC model alone is not enough. In this article we try to integrate data permission control on top of the RBAC model.
First, let's take a look at the RBAC model.
RBAC Model
RBAC is the abbreviation of Role-Based Access Control.
Under RBAC, the system defines roles in advance, and each role carries a different set of permissions; a role is essentially a set of permissions. Every user of the system is assigned roles, and one user may hold several roles. Using RBAC greatly simplifies permission management.
The RBAC model can be further subdivided into RBAC0, RBAC1, RBAC2 and RBAC3. We will not discuss the differences between them here (interested readers can look them up); we focus on the common RBAC0 model.
The figure below shows a classic database design for the RBAC0 model.

Under the RBAC model the system only checks whether user A belongs to role RoleX; it does not check whether user A is allowed to access user B's data DataB. We call this the "horizontal authorization problem".
Data permissions
Data permissions on a list mainly control row-level data through data rules, so that different people see data under different rules. The key to implementing data permissions is to abstract the data rules.
Data rules
Take the business opportunity data in our system as an example: we need to control data access along the following dimensions.
Salespeople can only see their own data;
The sales manager of each region can only see that region's data (the sales manager of the Anhui region sees the Anhui region's opportunity data); likewise, the head of a BG (business group) can only see the opportunity data of their own BG;
Finance staff can only see data whose amount is less than 10000.
These dimensions are the data rules.
This also makes the key elements of a data rule clear: the rule field, the rule expression, and the rule value. The rules for the three scenarios above are:
Rule field: creator, rule expression: =, rule value: currently logged-in user
Rule field: region, rule expression: =, rule value: Anhui region
Rule field: sales amount, rule expression: <, rule value: 10000

Rule field configuration description:
Conditional expression: greater than / greater than or equal to / less than / less than or equal to / equal to / contains / fuzzy match / not equal to
Rule value: a specified value (a fixed value, or a system context variable)
Binding resources and users
Data rules alone are not enough; we also need to bind data rules to resources and to users.
Binding data rules to resources is simple: we just need an intermediate table, as shown in the figure below:

In this way a resource can be associated with data rules.
In the application design we need a separate data rule management function so that data rules can be entered conveniently; then, on the resource management page (for example the business opportunity list), built-in data rules can be selected to bind the resource to the rules.
So how do we give different users different data rules?
In the RBAC model, users obtain resources by being granted different roles. Similarly, we can associate roles with data rules when granting permissions, so that different users end up with different data rules.
That sounds a bit abstract, so let's go back to the example above.
Salespeople, regional sales managers and finance staff have different roles. All of them have permission on the business opportunity list resource, but when we bind that resource permission to these roles we can tick the corresponding data rules (the binding between resources and data rules has already been implemented). In the database design, we add a field to the role-resource relationship table Role_Permission to store the associated data rules; if there are several, they can be joined with a separator.
The RBAC model finally evolves into the following:

With the above design, to distinguish the data permissions of each region we need to create a separate role per region, for example "Anhui sales manager" and "Shanghai regional sales manager", and then tick the corresponding data rules for each role. This resembles the concept of role inheritance in RBAC1.
At this point we have basically implemented the binding between RBAC and data rules, but there is still the question of how to implement it in the system.
Here we need the help of the well-known AOP. This article only discusses the principle, not the implementation, so we just outline the implementation plan in passing.
Define a custom data permission annotation, for example @PermissionData;
Add the custom annotation @PermissionData to the request method of the corresponding resource, for example the business opportunity list;
Use AOP to collect all the data rules of the user's roles and splice them into the SQL, so that data filtering is finally done at the SQL layer.
Further optimization
In the design above we implement data permissions by binding different data rules to different roles. But consider the following scenario: the range of data a role needs to see is "opportunity data of Anhui province and of the consumer business division". Under our previous design this requires two data rules:
Region = Anhui region
Business unit = Consumer division
and then two different roles, each granted a different data rule. If there are many scenarios like this, the number of roles easily explodes, so here we introduce the concept of a data rule group.
A data rule group contains multiple data rules, which are connected by AND. Here is the application design:

In the database design this becomes the following:

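As an added illustration (not code from the original post), the following Python sketch turns the data rules and rule groups described above into a parameterized WHERE clause and runs it against a constructed SQLite table. The field whitelist, the `${current_user}` context-variable syntax and OR-ing across rule groups are assumptions of this example; the point it adds is that "SQL splicing" should bind rule values as parameters and map operators and fields through a whitelist rather than pasting rule-table strings into the query.

```python
import sqlite3

# Operators allowed in a data rule (the page's "conditional expression" list);
# the operator string stored in the rule table is mapped, never spliced raw.
OPERATORS = {">": ">", ">=": ">=", "<": "<", "<=": "<=", "=": "=",
             "!=": "<>", "contains": "LIKE", "fuzzy": "LIKE"}
# Rule fields the opportunity list exposes (constructed; a real system would
# load this whitelist from the dictionary table the summary suggests).
FIELDS = {"creator", "region", "business_unit", "amount"}

def resolve(value, ctx):
    """System context variable -> concrete value (here: the logged-in user)."""
    return ctx["user"] if value == "${current_user}" else value

def group_sql(rules, ctx):
    """One data rule group: its rules are AND-ed. Returns (sql, params)."""
    parts, params = [], []
    for field, op, value in rules:
        if field not in FIELDS or op not in OPERATORS:
            raise ValueError(f"rejected data rule: {field!r} {op!r}")
        v = resolve(value, ctx)
        if op in ("contains", "fuzzy"):
            v = f"%{v}%"
        parts.append(f"{field} {OPERATORS[op]} ?")   # value bound as a parameter
        params.append(v)
    return "(" + " AND ".join(parts) + ")", params

def where_clause(groups, ctx):
    """Rule groups from the user's roles, OR-ed (assumption: union of data)."""
    if not groups:                     # nothing bound to the resource: no row filter
        return "1=1", []
    pieces = [group_sql(g, ctx) for g in groups]
    return " OR ".join(s for s, _ in pieces), [p for _, ps in pieces for p in ps]

# Constructed sample rows: (id, creator, region, business_unit, amount)
ROWS = [(1, "alice", "Anhui", "Consumer", 5000),
        (2, "bob", "Anhui", "Enterprise", 20000),
        (3, "carol", "Shanghai", "Consumer", 8000),
        (4, "alice", "Shanghai", "Enterprise", 15000)]

def visible_ids(groups, ctx):
    """Apply the generated predicate to the sample table and return matching ids."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE opportunity(id INTEGER, creator TEXT, region TEXT,"
                " business_unit TEXT, amount INTEGER)")
    con.executemany("INSERT INTO opportunity VALUES (?,?,?,?,?)", ROWS)
    sql, params = where_clause(groups, ctx)
    return [r[0] for r in con.execute(
        f"SELECT id FROM opportunity WHERE {sql} ORDER BY id", params)]
```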
Summary
Through the above design with 8 tables we have combined the RBAC model with data permissions. There is of course room for further optimization. For example, we can extract dictionary tables for the rule field and the rule value and have the data rule table reference those dictionary entries; then, when data rules are configured in the application layer, the administrator selects from dictionary items instead of typing them manually, which reduces the probability of misconfigured data rules.
Data permission is a relatively complex feature; here we chose to build on the RBAC model. If you have a better solution, please leave me a message.
The next article will implement the code according to this model; if you are interested, stay tuned ~
And finally (don't just freeload, please follow!)
A purely technical exchange group has been opened (the group is full). The atmosphere in the group is quite good: no advertising, no tricks, just casual chat and talk about life. If you want to join, add me on WeChat via the QR code below and note "join group"!
