Detailed Explanation of Authority System Design
<section id="nice" style="font-size: 16px; padding-right: 10px; padding-left: 10px; word-break: break-word; overflow-wrap: break-word; line-height: 1.25; font-family: Optima-Regular, Optima, PingFangTC-Light, PingFangSC-light, PingFangTC-light; letter-spacing: 2px; background-image: linear-gradient(90deg, rgba(50, 0, 0, 0.05) 3%, rgba(0, 0, 0, 0) 3%), linear-gradient(360deg, rgba(50, 0, 0, 0.05) 3%, rgba(0, 0, 0, 0) 3%); background-size: 20px 20px; background-position: center center;"><h2 style="font-weight: bold; font-size: 22px; margin-top: 20px; margin-right: 10px; margin-bottom: 0px;"><span style="font-size: 18px; display: inline-block; padding-left: 10px; border-left: 5px solid rgb(145, 109, 213);">Detailed Explanation of Authority System Design</span></h2>
<blockquote style="border-top: none; border-right: none; border-bottom: none; border-image: initial; font-size: 0.9em; overflow: auto; border-left-width: 3px; color: rgb(106, 115, 125); padding-top: 10px; padding-bottom: 10px; padding-left: 20px; margin-bottom: 20px; margin-top: 20px; border-left-color: rgb(216, 156, 246); background: rgb(244, 238, 255);">
<p style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; word-spacing: 2px; margin-top: 0px; margin-bottom: 0px; color: black; line-height: 26px;">Role-Based Access Control (RBAC for short) refers to the authorization of users' related permissions through their Role, which realizes flexible access control. Compared with granting users' permissions directly, RBAC is simpler, more efficient and extensible.</p>
</blockquote>
<h2 style="font-weight: bold; font-size: 22px; margin-top: 20px; margin-right: 10px; margin-bottom: 0px;"><span style="font-size: 18px; display: inline-block; padding-left: 10px; border-left: 5px solid rgb(145, 109, 213);">Problems and Present Situation of the Old Authority System</span></h2>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">In the past, Zhuanzhuan Company did not have a unified authority management system. The authority management was developed by each business or used the authority system of other businesses. The disunity of authority management brought many problems:</p>
<ol style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Each business makes wheels repeatedly, which leads to high maintenance cost</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Each system only solves some scenario problems, the scheme is not universal enough, and there is no reliable authority management scheme when selecting new projects</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Lack of unified log management and approval process, it is very difficult to trace authorization information</section></li></ol>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Based on the above problems, the company started to build a unified authority system at the end of last year, with the goal of developing a flexible, easy-to-use and safe authority management system for all businesses.</p>
<h2 style="font-weight: bold; font-size: 22px; margin-top: 20px; margin-right: 10px; margin-bottom: 0px;"><span style="font-size: 18px; display: inline-block; padding-left: 10px; border-left: 5px solid rgb(145, 109, 213);">Design mode of industry authority system</span></h2>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">At present, there are two mainstream permission models in the industry, which are described below:</p>
<ul style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px; list-style-type: circle;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Role-based access control (RBAC) **</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Attribute-based access control (ABAC) **</section></li></ul>
<h3 style="margin-top: 30px; margin-bottom: 15px; font-size: 16px; font-weight: bold; text-align: center;"><span style="border-bottom: 2px solid #d89cf6;">RBAC model</span></h3>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">** Role-Based Access Control (RBAC) ** refers to the flexible access control by authorizing users' related permissions through their Role, which is simpler, more efficient and extensible than granting users' permissions directly.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">A user can have several roles, and each role can be assigned several permissions. Thus, the authorization model of "user-role-permissions" is constructed. In this model, there is a many-to-many relationship between users and roles, roles and permissions.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Describe it with a diagram as follows:</p>
<figure style="margin-top: 10px; margin-bottom: 10px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://guide-blog-images.oss-cn-shenzhen.aliyuncs.com/github/javaguide/system-design/security/design-of-authority-system/rbac.png" alt=" Schematic diagram of RBAC permission model " style="max-width: 100%; border-radius: 6px; display: block; margin: 20px auto; object-fit: contain; box-shadow: 2px 4px 7px #999;"><figcaption style="margin-top: 5px; text-align: center; color: rgb(136, 136, 136); font-size: 13px;"> Schematic diagram of RBAC permission model </figcaption></figure>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Schematic diagram of RBAC permission model</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">When using <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code>, users are given different roles based on their common responsibilities and needs by analyzing their actual situation. This relationship between <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">用户 \-> 角色 \-> 权限</code> allows us to get the required permissions from the granted roles instead of managing individual user permissions separately.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Take a simple scenario (Gitlab's permission system) as an example. There are three roles in the user system: <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">Admin</code>, <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">Maintainer</code>, and <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">Operator</code>. These three roles have different permissions. For example, only <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">Admin</code> has the permission to create and delete code repositories. If we grant a user the role <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">Admin</code>, he has both ** Create a code repository ** and ** Delete the code repository ** permissions.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Through <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code>, when there are multiple users with the same permission, we only need to create a role with the permission, and then assign different roles to different users. Later, we only need to modify the permissions of the roles, and then we can automatically modify the permissions of all users in the roles.</p>
<h3 style="margin-top: 30px; margin-bottom: 15px; font-size: 16px; font-weight: bold; text-align: center;"><span style="border-bottom: 2px solid #d89cf6;">ABAC model</span></h3>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">** Attribute-Based Access Control (ABAC) ** is a more flexible authorization model than <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code>. Its principle is to dynamically judge whether an operation can be allowed through various attributes. This model is widely used in cloud systems, such as AWS, Alibaba Cloud and so on.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Consider permission control in the following scenarios:</p>
<ol style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Authorize someone to edit a specific book</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">When a document belongs to the same department as the user, the user can access the document</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">When the user is the owner of a document and the status of the document is draft, the user can edit the document</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">People from Department A are prohibited from accessing System B until 9:00 in the morning</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">It is forbidden to access the A system as an administrator in places other than Shanghai</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Users have permission to operate on orders created before 2022-06-07</section></li></ol>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">It can be found that the above scenario is difficult to achieve with <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code>, because <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code> only describes what the user can do, but the conditions of the operation and the data of the operation, <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code> itself does not have these restrictions. But this is precisely the advantage of <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">ABAC模型</code>. The idea of <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">ABAC模型</code> is to dynamically calculate whether users have permission to operate based on users, attributes of accessed data and various environmental factors.</p>
<h4 style="margin-top: 30px; margin-bottom: 15px; font-weight: bold; font-size: 18px;">Principle of ABAC Model</h4>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">In <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">ABAC模型</code>, whether an operation is allowed or not is determined by dynamic computation based on object, resource, operation and environment information.</p>
<ul style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px; list-style-type: circle;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Object **: The object is the user currently requesting access to the resource. User attributes include ID, personal resource, role, department and organization membership, and so on</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Resources **: A resource is an asset or object to be accessed by the current user, such as a file, data, server, or even an API</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Operation **: An operation is what a user attempts to do to a resource. Common operations include "read", "write", "edit", "copy" and "delete"</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Environment **: The environment is the context of each access request. Environment attributes include time and location of access, device of object, communication protocol, encryption strength, and so on</section></li></ul>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">During the execution of the decision statement of <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">ABAC模型</code>, the decision engine will dynamically calculate the decision result according to the defined decision statement and combining the factors such as object, resource, operation and environment. Whenever an access request occurs, the <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">ABAC模型</code> decision system analyzes whether the attribute value matches the established policy. If there is a matching policy, the access request will be passed.</p>
<h2 style="font-weight: bold; font-size: 22px; margin-top: 20px; margin-right: 10px; margin-bottom: 0px;"><span style="font-size: 18px; display: inline-block; padding-left: 10px; border-left: 5px solid rgb(145, 109, 213);">Design idea of new authority system</span></h2>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">According to the business status of Zhuanzhuan, <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code> meets most business scenarios of Zhuanzhuan, and the development cost is far lower than that of <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">ABAC模型</code>, so the new permission system is implemented based on <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code>. For the business system that can't be satisfied, we chose not to support it temporarily, which can ensure the rapid landing of the new permission system and make the business use faster.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">The standard <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code> completely abides by the link <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">用户 \-> 角色 \-> 权限</code>, that is, the user's authority is completely controlled by the role he has, but this will have a disadvantage, that is, adding a role to the user's authority must lead to low efficiency in actual operation. Therefore, on the basis of <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">RBAC模型</code>, we have added the ability to directly add permissions to users, that is to say, we can add roles and permissions to users directly. End user permissions are a combination of owned roles and permission points.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">** Permission Model of New Permission System **: User final permissions = permissions brought by the role owned by the user + permissions independently configured by the user, which are combined.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">The new permission system scheme is as follows:</p>
<figure style="margin-top: 10px; margin-bottom: 10px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://guide-blog-images.oss-cn-shenzhen.aliyuncs.com/github/javaguide/system-design/security/design-of-authority-system/new-authority-system-design.png" alt="新权限系统方案" style="max-width: 100%; border-radius: 6px; display: block; margin: 20px auto; object-fit: contain; box-shadow: 2px 4px 7px #999;"><figcaption style="margin-top: 5px; text-align: center; color: rgb(136, 136, 136); font-size: 13px;">新权限系统方案</figcaption></figure>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">New authority system scheme</p>
<ul style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px; list-style-type: circle;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">First of all, all users of the group (including external users) are managed uniformly through the function of ** Unified login and registration **, and at the same time, they are connected with the organizational structure information module of the company, thus realizing the consistency of information of the same person in all systems, which also provides feasibility for subsequent authority management based on organizational structure.</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Secondly, because the new authority system needs to serve all the business of the group, it needs to support multi-system authority management. Before the user carries on the authority management, needs to select the corresponding system first, then configures the ** Menu permissions ** and ** Data permissions ** information of the system, establishes each authority point of the system. _ PS: Specific description of menu permissions and data permissions, described in more detail below. _</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Finally, create different roles under the system, and configure permission points for different roles. For example, the role of store manager has the operation authority of shop assistant and the data viewing authority of our store. After configuring this role, it is only necessary to add this role to the store manager in the future, so that he can have the corresponding authority.</section></li></ul>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">After the above configuration is completed, the user's rights management can be carried out. There are two ways to give users permissions:</p>
<ol style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Select the user first, and then add permissions. This method can add any role or menu/data permission point to users.</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Select roles first, and then associate users. This method can only add roles to users, and cannot add menu/data permission points separately.</section></li></ol>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">The specific design schemes of these two methods will be explained in detail later.</p>
<h3 style="margin-top: 30px; margin-bottom: 15px; font-size: 16px; font-weight: bold; text-align: center;"><span style="border-bottom: 2px solid #d89cf6;">Authority management of authority system itself</span></h3>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">For the permission system, it is necessary to design the permission management of the system itself first, that is, to manage "who can enter the permission system and who can manage the permissions of other systems". For the users of the permission system itself, they can be divided into three categories:</p>
<ol style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Super administrator **: You have all the operation permissions of the permission system, and you can perform any operation of the system itself, and you can also manage the management operations of the application system with access permissions.</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Permission operation user **: A user with a super administrator role for at least one connected application. The operations that the user can perform are limited within the scope of the application system authority. Permission operation user is an identity, which does not need to be assigned, but is automatically obtained according to rules.</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Ordinary users **: Ordinary users can also be considered as an identity, except for the above two categories of people, the rest are ordinary users. They can only apply for access to the system and access to the permission application page.</section></li></ol>
<h3 style="margin-top: 30px; margin-bottom: 15px; font-size: 16px; font-weight: bold; text-align: center;"><span style="border-bottom: 2px solid #d89cf6;">Definition of permission type</span></h3>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">In the new permission system, we divide permissions into two categories, namely:</p>
<ul style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px; list-style-type: circle;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Menu function permissions **: Includes directory navigation for the system, access to menus, and permissions for buttons and API operations</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Data permissions **: Includes query scope permissions that define data. In different systems, it is usually called "organization", "site", etc. In the new permission system, it is uniformly called "organization" to manage data permissions</section></li></ul>
<h3 style="margin-top: 30px; margin-bottom: 15px; font-size: 16px; font-weight: bold; text-align: center;"><span style="border-bottom: 2px solid #d89cf6;">Classification of default roles</span></h3>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Three default roles are designed in each system to meet the basic rights management requirements, as follows:</p>
<ul style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px; list-style-type: circle;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Super administrator **: This role has all the permissions of the system, can modify the configuration such as role permissions of the system, and can authorize other users.</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** System administrator **: This role has configuration capabilities such as authorizing other users and modifying role permissions on the system, but the role itself does not have any permissions.</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Authorized administrator **: This role has the ability to authorize other users. However, the scope of authorization does not exceed the authority you have.</section></li></ul>
<blockquote style="border-top: none; border-right: none; border-bottom: none; border-image: initial; font-size: 0.9em; overflow: auto; border-left-width: 3px; color: rgb(106, 115, 125); padding-top: 10px; padding-bottom: 10px; padding-left: 20px; margin-bottom: 20px; margin-top: 20px; border-left-color: rgb(216, 156, 246); background: rgb(244, 238, 255);">
<p style="padding-top: 8px; padding-bottom: 8px; font-size: 14px; word-spacing: 2px; margin-top: 0px; margin-bottom: 0px; color: black; line-height: 26px;">For example: Authorized administrator A can add permissions to user B, but the added range is less than or equal to the permissions that user A already has.</p>
</blockquote>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">After this distinction, ** Have permissions ** and ** Have the ability to authorize ** are separated, which can satisfy all the scenarios of permission control.</p>
<h2 style="font-weight: bold; font-size: 22px; margin-top: 20px; margin-right: 10px; margin-bottom: 0px;"><span style="font-size: 18px; display: inline-block; padding-left: 10px; border-left: 5px solid rgb(145, 109, 213);">Design of Core Module of New Authority System</span></h2>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">The overall design idea of the new authority system is introduced above, and the design of the next core module is introduced respectively</p>
<h3 style="margin-top: 30px; margin-bottom: 15px; font-size: 16px; font-weight: bold; text-align: center;"><span style="border-bottom: 2px solid #d89cf6;">System/menu/data rights management</span></h3>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">There are the following steps to access a new system to the permission system:</p>
<ol style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Create a system</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Configure menu function permissions</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Configure data permissions (optional)</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Create the role of the system</section></li></ol>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Among them, steps 1, 2 and 3 are all completed in the system management module, and the specific flow is as follows:</p>
<figure style="margin-top: 10px; margin-bottom: 10px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://guide-blog-images.oss-cn-shenzhen.aliyuncs.com/github/javaguide/system-design/security/design-of-authority-system/new-authority-system-design-access-flow-chart.png" alt="系统接入流程图" style="max-width: 100%; border-radius: 6px; display: block; margin: 20px auto; object-fit: contain; box-shadow: 2px 4px 7px #999;"><figcaption style="margin-top: 5px; text-align: center; color: rgb(136, 136, 136); font-size: 13px;">系统接入流程图</figcaption></figure>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">System access flow chart</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Users can add, delete, modify and check the basic information of the system, and the only distinction between different systems is <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">系统编码</code>. At the same time, <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">系统编码</code> will also be used as a prefix for menu and data permission coding, which ensures the global uniqueness of permission coding.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">For example, if the encoding of the system is <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">test_online</code>, the menu encoding format of the system is <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">test_online:m_xxx</code>.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">The system management interface is designed as follows:</p>
<figure style="margin-top: 10px; margin-bottom: 10px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://guide-blog-images.oss-cn-shenzhen.aliyuncs.com/github/javaguide/system-design/security/design-of-authority-system/new-authority-system-management-interface.png" alt="系统管理界面设计" style="max-width: 100%; border-radius: 6px; display: block; margin: 20px auto; object-fit: contain; box-shadow: 2px 4px 7px #999;"><figcaption style="margin-top: 5px; text-align: center; color: rgb(136, 136, 136); font-size: 13px;">系统管理界面设计</figcaption></figure>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">System management interface design</p>
<h4 style="margin-top: 30px; margin-bottom: 15px; font-weight: bold; font-size: 18px;">Menu management</h4>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">The new permission system first categorizes menus as <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">目录</code>, <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">菜单</code> and <code style="overflow-wrap: break-word; padding: 2px 4px; border-radius: 4px; margin-right: 2px; margin-left: 2px; font-family: "Operator Mono", Consolas, Monaco, Menlo, monospace; word-break: break-all; color: rgb(145, 109, 213); font-weight: bolder; background: none;">操作</code>, as shown in the following figure</p>
<figure style="margin-top: 10px; margin-bottom: 10px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://guide-blog-images.oss-cn-shenzhen.aliyuncs.com/github/javaguide/system-design/security/design-of-authority-system/new-authority-system-menu.png" alt="菜单管理界面" style="max-width: 100%; border-radius: 6px; display: block; margin: 20px auto; object-fit: contain; box-shadow: 2px 4px 7px #999;"><figcaption style="margin-top: 5px; text-align: center; color: rgb(136, 136, 136); font-size: 13px;">菜单管理界面</figcaption></figure>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Menu management interface</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">They respectively represent the following meanings:</p>
<ul style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px; list-style-type: circle;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Directory **: Refers to the top level directory in the application system, usually to the right of the system Logo</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Menu **: Refers to the multi-level menu on the left side of the application system, usually below the system Logo, and is also the most commonly used menu structure</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Operation **: Refers to a series of parts of a page that can be defined as actions or page elements, such as buttons, interfaces, etc.</section></li></ul>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">The menu management interface is designed as follows:</p>
<figure style="margin-top: 10px; margin-bottom: 10px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://guide-blog-images.oss-cn-shenzhen.aliyuncs.com/github/javaguide/system-design/security/design-of-authority-system/new-authority-system-menu-management-interface.png" alt="菜单管理界面设计" style="max-width: 100%; border-radius: 6px; display: block; margin: 20px auto; object-fit: contain; box-shadow: 2px 4px 7px #999;"><figcaption style="margin-top: 5px; text-align: center; color: rgb(136, 136, 136); font-size: 13px;">菜单管理界面设计</figcaption></figure>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Design of menu management interface</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">There are also two ways to use menu permission data:</p>
<ul style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px; list-style-type: circle;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Dynamic menu mode **: In this mode, additions and deletions of menus are completely taken over by the permissions system. That is to say, if the menu is added to the permission system, the application system will increase synchronously. The advantage of this mode is that modifying menus does not require items to go online.</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Static menu mode **: The addition and deletion of menus is controlled by the front end of the application system, and the permission system only controls the access rights. In this mode, the permissions system can only identify whether the user has the permissions of the current menu, and the specific display control is determined by the front-end according to the permissions data.</section></li></ul>
<h3 style="margin-top: 30px; margin-bottom: 15px; font-size: 16px; font-weight: bold; text-align: center;"><span style="border-bottom: 2px solid #d89cf6;">Role and user management</span></h3>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Role and user management are the core modules that can directly change user rights. The whole design idea is as follows:</p>
<figure style="margin-top: 10px; margin-bottom: 10px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://guide-blog-images.oss-cn-shenzhen.aliyuncs.com/github/javaguide/system-design/security/design-of-authority-system/role-and-user-management.png" alt=" Role and User Management Module Design " style="max-width: 100%; border-radius: 6px; display: block; margin: 20px auto; object-fit: contain; box-shadow: 2px 4px 7px #999;"><figcaption style="margin-top: 5px; text-align: center; color: rgb(136, 136, 136); font-size: 13px;"> Role and User Management Module Design </figcaption></figure>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Role and User Management Module Design</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">The key point of this module design is to consider batch operation. Whether associating users through roles or adding/deleting/resetting permissions to users in batches, the scene of batch operation needs to be designed by the system.</p>
<h3 style="margin-top: 30px; margin-bottom: 15px; font-size: 16px; font-weight: bold; text-align: center;"><span style="border-bottom: 2px solid #d89cf6;">Authority application</span></h3>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">In addition to adding permissions to other users, the new permissions system also supports users to apply for permissions independently. In addition to the conventional approval process (application, approval, viewing), this module has a special function, that is, how to let users choose the permissions they want. Therefore, in the design of this module, in addition to directly selecting roles, it also supports reverse selection of roles through menu/data permission points, as shown in the following figure:</p>
<figure style="margin-top: 10px; margin-bottom: 10px; display: flex; flex-direction: column; justify-content: center; align-items: center;"><img src="https://guide-blog-images.oss-cn-shenzhen.aliyuncs.com/github/javaguide/system-design/security/design-of-authority-system/permission-application.png" alt="权限申请界面" style="max-width: 100%; border-radius: 6px; display: block; margin: 20px auto; object-fit: contain; box-shadow: 2px 4px 7px #999;"><figcaption style="margin-top: 5px; text-align: center; color: rgb(136, 136, 136); font-size: 13px;">权限申请界面</figcaption></figure>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">Permission application interface</p>
<h3 style="margin-top: 30px; margin-bottom: 15px; font-size: 16px; font-weight: bold; text-align: center;"><span style="border-bottom: 2px solid #d89cf6;">Operation log</span></h3>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">System operation logs can be divided into two categories:</p>
<ol style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Operation pipelining log **: User-viewable and searchable log of key operations</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">** Service Log Log **: Log logs generated during the running of system services, in which the information amount of service Log is larger than that of operation pipeline Log, but it is inconvenient to search and view. Therefore, the permission system needs to provide the function of operation pipelining log.</section></li></ol>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">In the new authority system, all the operations of users can be divided into three categories, namely, adding, updating and deleting. All modules can also be enumerated, such as user management, role management, menu management and so on. After clarifying this information, a log can be abstracted as: Who\ (Who) at what time\ (When) did what to which modules of Who\ (Target). In this way, all the records are put into storage, and it is convenient to view and filter the logs.</p>
<h2 style="font-weight: bold; font-size: 22px; margin-top: 20px; margin-right: 10px; margin-bottom: 0px;"><span style="font-size: 18px; display: inline-block; padding-left: 10px; border-left: 5px solid rgb(145, 109, 213);">Summary and prospect</span></h2>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">So far, the core design ideas and modules of the new authority system have been introduced and completed. The new system has a large number of business access and use inside the transfer, and the authority management is much more convenient than before. As a basic system of each company, the flexible and complete design of authority system can help the future business development to be more efficient.</p>
<p style="padding-top: 8px; padding-bottom: 8px; line-height: 26px; font-size: 14px; word-spacing: 2px;">The following two articles:</p>
<ul style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px; list-style-type: circle;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">[Design and Implementation of Unified Authority System (Backend Implementation)] (http://bbs.tamanyuan.top)</section></li><li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">[Design and Implementation of Unified Authority System (Front-end Implementation)] (http://bbs.tamanyuan.top)</section></li></ul>
<h2 style="font-weight: bold; font-size: 22px; margin-top: 20px; margin-right: 10px; margin-bottom: 0px;"><span style="font-size: 18px; display: inline-block; padding-left: 10px; border-left: 5px solid rgb(145, 109, 213);">Reference</span></h2>
<ul style="margin-top: 8px; margin-bottom: 8px; padding-left: 25px; font-size: 15px; list-style-type: circle;">
<li><section style="margin-top: 5px; margin-bottom: 5px; line-height: 26px; color: rgb(1, 1, 1); font-size: 14px;">Select the appropriate permission model: https://docs.authing.cn/v2/guides/access-control/choose-the-right-access-control-model.html</section></li></ul>
</section>
收藏(826)
分享
相关标签:
