基于角色的访问控制 - 我应该在数据库中也有权限列表还是只在代码中(例如枚举)?
通常,在实现某种基于角色的访问控制时,我们有以下众所周知的概念:
- 角色
- 用户
- 权限
用户将被分配给每个角色,每个角色都有一组权限(执行操作/访问资源等)。 因此,用户通过被分配到一个或多个角色(已被分配一组权限)来获得执行操作的权限。
在任何给定的应用程序中,权限是在编译时定义的,因为代码实际上在访问资源的各个位置强制执行权限。
我的想法是,如果可能的权限/操作集发生变化 - 它需要以任何方式更改代码并重新编译,因此数据库中的查找/引用表不会真正提供任何价值,除了数据库管理员可以提供的事实之外执行快速 SQL 查询以列出应用程序使用的所有权限。
然而,我见过的大多数应用程序都会为权限创建一个查找表,并将其映射到代码中的枚举。
鉴于此,是否有任何理由实际上有一个代表可能权限列表的数据库表(除了事实之外,对于某些人来说,查看数据库可能比深入代码查找列表/枚举更容易)权限)?
Generally when implementing some sort of role based access control, we have the following well-known concepts:
- Role
- User
- Permission
And users would be assigned to roles each of which have a set of permissions (to perform an operation / access a resource etc).
So users gain permissions to perform operations by being assigned to one or more roles (which have been assigned a set of permissions).
In any given application, permissions are defined at compile time since the code actually enforces the permissions at various places where access to resources .
My thinking is that if the set of possible permissions/operations changes – it requires changes to the code and recompilation any way, so having a lookup/reference table in the database won’t really provide any value beyond the fact that a db admin could do a quick sql query to list all permissions used by an app.
Yet most applications I’ve seen create a lookup table for the permissions and -also- map it to a enum in the code.
Given this, is there any reason to actually have a database table representing the list of possible permissions (other than the fact that it is probably easier for some to look in the db as opposed to digging into the code to find the list/enum of permissions)?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
清单:
1) 您是否需要在网站在线且不停机的情况下进行更改?
2) 您会使用内置角色/会员资格提供程序吗?
3)你想使用属性(如mvc [Authorize])等?
4) 您希望允许用户以编程方式更改权限/角色?
上述任何一个都意味着你必须将信息存储在数据库上。
对于较小规模的应用程序,我更喜欢只创建一些也使用某种继承的静态方法,即:
以及一个具有每个用户伪类权限的表。
更新:特定访问的数据库架构:(* 是键,& 是外键)
因此,每当您想查看“用户名”是否能够“CanDelete”时,您都必须检查用户是否“ username' 链接到任何链接到访问“CanDelete”的类,这些链接当然可以在运行时更改
Checklist:
1) Do you need to make changes while the website is online, without downtime?
2) Will you be using built-in role/membership provider?
3) You want to use attributes (like mvc [Authorize]) etc?
4) You want to allow users to programatically change permissions/roles?
Any of the above means you have to store the info on DB.
For smaller scale apps I prefer to just create some static methods that also use some kind of inheritance, ie:
And a table with permissions for each user pseudo-class.
Update: DB schema for specific access: (* is key, & is foreign key)
So anytime you want to see if 'username' is able to 'CanDelete' you have to check if the User 'username' is linked to any classes that are linked to the access 'CanDelete', and these links can of course change during runtime