
Data permission design

Thoughts on data permission design: user rights are currently modelled most often with RBAC.

Currently, user rights are most often modelled with RBAC: by defining roles and their permissions, restrictions on user rights are put in place. Functional permissions are presumably fairly clear: the system's function modules are well defined, different roles are granted access to them, and access privileges can be checked before a user enters a functional module. Data permissions, however, are still somewhat blurred.

The following article gives a permission model, which is referenced here for modelling data permissions:

blog.csdn/fly_cloud/archive/2006/08/09/1041807.aspx

This model also ties data permissions to roles, so that a role's permissions are restricted. The model defines several concepts:

Resource: the data object the user wants to access (for example, users).

Data object type: the type of data object to which the user's access will be limited (for example, departments).

Resource data object type: generated from the two concepts above, that is, which type of data object the user may access (for example, users of department ××; at this point ×× is generic, and a concrete ×× appears only after a specific data object type has been chosen).

Once the resource data object type in the example above is made concrete (the ×× is given a value), it forms a data object access rule; adding the rule to a role completes the restriction of that role's data access. The model definition is very clear, but how to realise it concretely is in fact a more complex problem.

A more intuitive idea is to add a permission-check layer above the data service layer.

The data object type defined above is in fact a property of the data object the user accesses, so the check amounts to determining whether the data object's property satisfies the user's permission rules. For inserts, deletes and updates the check is performed before the operation; for queries the check has to filter the result set. For simplicity of implementation, the system must ensure that every data object class inherits from a common restricted base class. The idea is relatively simple to implement, but it has a limitation and a performance concern. The limitation: to guarantee that the validation rules can be applied, every data object must define the property the rules refer to, and if the rule definition changes its property, the generation method of every data object has to change. The performance concern: the query filter is applied to the result set, and since most of the work in a typical MIS system is queries, filtering results this way may cause performance issues.

Therefore this idea has both tight coupling and performance problems.

Another idea still cannot avoid the tight coupling, but it can avoid the performance problem, although it is less straightforward than the logic above. The idea is to translate the data permission rules into SQL statements and embed them in the data access layer.

Because a resource must map to a particular table, and a data object type likewise corresponds to an attribute column of that table, SQL statements can be generated dynamically from the data permission rules. A data permission rule can be defined as 【resource, data object type, relation, right value】. Right values come in two kinds, static and dynamic: a static value is a concrete value; a dynamic value is an attribute of the user, which can only be determined once the rule is associated with a user. However, because a role can have several data permission rules, combined with AND or OR, conflicts between the rules must be avoided. For example, when rules are combined with AND and the resource, data object type and relation are the same, there may be a conflict. Concretely, if role R limits users to accessing only department A and also to accessing only department B, the rules are bound to conflict.

The data access layer calls a single uniform SQL generation method, passing two parameters: the unqualified name of the data table to be accessed, and the role's set of data permission rules (at this point the rule set should carry exact right values, i.e. dynamic properties have already been replaced by the user's values). The method works as follows: iterate over the rule set, determine whether each rule applies to the table name being accessed, and if so generate the FROM clause and WHERE clause for it; finally join the clauses according to the rule set's relation (AND | OR) and return the resulting FROM clause and WHERE clause.

The FROM clause and WHERE clause obtained from the permission check are embedded in the data access methods, so that data access and the permission check are combined. This is clearly tightly coupled, but it avoids the performance problem.
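As an added example, not code from the original post, the following Python sketches the uniform SQL generation method described above: a rule is [resource, data object type, relation, right value], dynamic right values are bound to the user first, AND-combined rules on the same resource, type and relation with different values are rejected as conflicting, and right values are emitted as parameter placeholders rather than spliced into the SQL text. The names Rule, resolve, check_conflicts and build_clauses are assumptions.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Operators a rule may use; anything else is refused so rule data cannot
# smuggle SQL fragments into the generated statement.
ALLOWED_OPS = {"=", "<>", "<", ">", "IN"}


@dataclass(frozen=True)
class Rule:
    resource: str      # table the rule applies to, e.g. "employee"
    object_type: str   # column holding the restricted attribute, e.g. "dept_id"
    relation: str      # comparison operator, one of ALLOWED_OPS
    value: Any         # static value, or a user attribute name when dynamic
    dynamic: bool = False


def resolve(rules: List[Rule], user: Dict[str, Any]) -> List[Rule]:
    """Bind dynamic right values to the current user's attributes."""
    return [Rule(r.resource, r.object_type, r.relation, user[r.value], False)
            if r.dynamic else r for r in rules]


def check_conflicts(rules: List[Rule], combinator: str) -> None:
    """With AND, two '=' rules on the same resource/type with different values
    can never both hold (the 'only department A and only department B' case)."""
    if combinator != "AND":
        return
    seen: Dict[tuple, Any] = {}
    for r in rules:
        key = (r.resource, r.object_type, r.relation)
        if r.relation == "=" and key in seen and seen[key] != r.value:
            raise ValueError(f"conflicting rules on {key}: {seen[key]!r} vs {r.value!r}")
        seen.setdefault(key, r.value)


def build_clauses(table: str, rules: List[Rule],
                  combinator: str = "AND") -> Tuple[str, str, list]:
    """Return (FROM clause, WHERE clause, parameters) for the rules on `table`."""
    if not table.isidentifier():
        raise ValueError("table name must be a plain identifier")
    applicable = [r for r in rules if r.resource == table]
    check_conflicts(applicable, combinator)
    parts, params = [], []
    for r in applicable:
        if r.relation not in ALLOWED_OPS or not r.object_type.isidentifier():
            raise ValueError("rule uses an unsupported operator or column name")
        if r.relation == "IN":
            vals = list(r.value)
            parts.append(f"{r.object_type} IN ({', '.join('?' * len(vals))})")
            params.extend(vals)
        else:
            parts.append(f"{r.object_type} {r.relation} ?")
            params.append(r.value)   # right value travels as a bound parameter
    where = f" {combinator} ".join(parts) if parts else "1=1"
    return f"FROM {table}", f"WHERE {where}", params
```

The data access method appends the returned FROM and WHERE clauses to its own SELECT and passes `params` to the driver, so the permission rules never appear as literals in the SQL text.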

So each of the two ideas above has its own advantages, but both share the same problem. Is there a better way? To be continued...

Tags: privileges, service layer, deletions, additions, fly, access data, competence, query results, realization, rbac, functional module, resource data, model definition, intuitive idea, zhihou
Category: Java
Date: 2010-06-01
