涉及ER图和RBAC知识。
我们要考虑的是角色和认证的ER图(实体关系图)
an application has functions
functions may be performed by roles
identities are given roles
individuals are provisioned with identities
bringing that together a little bit, we can say: + an individual (who has an online identity), performing a role is given permission to perform functions in applications。
So:
the permission is the ER link between the role, function and application, i.e. permissions are given to roles
the privilege is the ER link between an individual and the application, i.e. privileges are given to people.
HOWEVER, many designers don't bother separating individual and role or don't separate function and application and so the difference between privilege and permission is missed. In my experience, you often see this when someone says "use AD groups to store RBAC" - this is a serious anti-pattern.
In a world where there are requirements to report on toxic combinations and granular permissioning is more common place then it the data model for storing RBAC is very much more important.
网友评论