There are also a lot of permissions solutions,
but recently, in actual business development, some problems have come up, as follows:
1. The default management role has all data.
2. When some data has a specified status value (for example, process node XXX), certain roles can see and operate on the data; the data is not visible after the operation.
Comment to discuss, in 400
CodePudding user response:
Right now it is all hard-coded. I want to handle item 2 more flexibly, hence this post; I hope for comments.
CodePudding user response:
Is this the problem: that data filtering is difficult?
CodePudding user response:
Hard-coding is hard-coding; that is, save it as configuration, which is not difficult either.
CodePudding user response:
Designing permissions based only on "data" is actually the most pedantic, idealized way of thinking. Its premise is that all the data APIs are under your own programming control, for example that you develop a SQLHelper yourself and compile the SQL statements. Rights management based on workflow nodes, by contrast, is rights management based on the "document": it is a higher level of "business data access management", based not on the low-level concept of general database data but on analysis of the business domain.
Going further, you can see that as the business analysis deepens, many of the permissions actually involve a business domain object and are tied to the "nature" of the business. For example, workflow nodes are configured in the workflow diagram designer, which specifies the "sender, recipient, cc people" for the document data objects a node produces in the workflow; this is, of course, related to the workflow and instant messaging business.
You could say that "the whole data can literally set permissions" is actually a childish idea. The more advanced, practical idea is that each business service module's API judges for itself whether the caller has permission to access the data: first do the detailed design of the business domain, and adapt the permissions system to only one or two kinds of business objects, rather than thinking about adapting permissions to the empty concept of "all data".
CodePudding user response:
For example, suppose a system has a workflow diagram designer, and on the designer each workflow node is configured with a "business process" that describes the source of the node's data (not the generated data access itself, but the rules for generating the permission configuration data, for example configuring that a node can only transmit to the process originator, or to a certain job in the current node's receiving department, and so on). Suppose the system also has some assets; then you need to configure the asset custody, the assets, the head of the review. Suppose the system has code and development issues; then you need to configure the R&D group, the receiver, the assessment participants, task allocation, the bottom-level work, the testers, the person in charge of going online, the testers, and so on.

Suppose a small business system has 500 kinds of database tables; then you may need to specify, for each "row" of data in 10 different database tables, the so-called "certain roles can see and manipulate the data" sort of thing that you mentioned. That is, a real system controls permissions on high-level business objects, rather than on low-level "general data". Some people assume that the highest level of system development is a client that queries backend database tables and adds and deletes data. This is the most pedantic, simplest, lowest-level idea; it looks impressive, but how is this work any different from that of students fresh out of three months of training? It is far from business system architecture. A real system uses APIs to separate all clients from the backend database; the client simply cannot use a so-called table add-and-delete interface to change data at will. A real system opens a few business APIs to each client system, which increases the service efficiency of the whole system and gives good practical value, and it needs to control "permissions" on each API interface. Why still get entangled in low-level "literal" adding and deleting of all data?
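
The approach discussed in this thread (per-node visibility rules kept as configuration and checked inside the business service API), as an added example that is not part of the original posts. The role names, node names, document type and all Python identifiers are hypothetical.

```python
from dataclasses import dataclass

# Constructed, hypothetical configuration: roles that may see and act on a document
# at a given workflow node; stored as data, not hard-coded in each query.
NODE_RULES = {
    ("purchase_order", "dept_review"): {"dept_manager"},
    ("purchase_order", "finance_review"): {"finance"},
}
ADMIN_ROLE = "admin"  # the default management role sees all data


@dataclass
class Document:
    doc_id: int
    doc_type: str
    node: str  # current workflow node (the "status value")


def can_access(roles, doc):
    """Default deny: admin, or a role configured for the document's node."""
    if ADMIN_ROLE in roles:
        return True
    return bool(NODE_RULES.get((doc.doc_type, doc.node), set()) & set(roles))


class PurchaseOrderService:
    """Business API: the only path to the data, so the check always runs."""
    FLOW = ["dept_review", "finance_review", "done"]

    def __init__(self, docs):
        self._docs = {d.doc_id: d for d in docs}

    def list_visible(self, roles):
        return sorted(i for i, d in self._docs.items() if can_access(roles, d))

    def approve(self, roles, doc_id):
        doc = self._docs.get(doc_id)
        # Same error for "missing" and "not permitted" so ids cannot be probed.
        if doc is None or not can_access(roles, doc):
            raise PermissionError("document not available")
        if doc.node == self.FLOW[-1]:
            raise ValueError("workflow already finished")
        doc.node = self.FLOW[self.FLOW.index(doc.node) + 1]
        return doc.node


def sample_service():
    # Constructed sample data.
    return PurchaseOrderService([Document(1, "purchase_order", "dept_review"),
                                 Document(2, "purchase_order", "finance_review")])
```

Once a role approves a document, the document moves to the next node and drops out of that role's list without any per-role code, because visibility is derived from the current node and the rule table.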