ESOFT-ACL introduction
1 Introduction
While developing Esoft-XPCMS and Esoft-myOffice 1.0, I designed access control separately for each application: every application in the system had its own permission control subsystem. The press release and product release modules of Esoft-XPCMS each had one, forum post management had one, and Esoft-MyOffice had one as well, so every time a new application subsystem was added to Esoft-MyOffice a new permission subsystem had to be designed for it. This increased the development workload on one hand and, on the other, made maintaining users' permissions harder. To reduce the coupling between the application systems and the access control system and to improve the scalability of the system, ESOFT-ACL was created. Unified access control for all application systems can be implemented through ESOFT-ACL. In ESOFT-ACL, access control is decomposed into the combination of three things: permission resources, permission control types, and roles.
2 Terminology
Permission resource: the resource object whose access is to be controlled. If we want to manage permissions for forum posts, the forum post is the permission resource; if, for website information release, we must control which staff may maintain which columns, then the column is also a permission resource. In ESOFT-ACL, each permission resource is represented by a unique identifier. Permission resources are divided into two kinds according to whether they have sub-classifications: those without, such as "Suggestions", and those with, such as "website column". A resource with sub-classifications, such as "website column", has a tree structure, and different users can hold different permissions on different classifications within it.
Permission control type: the kind of access through which a permission resource is operated on, such as add, delete, modify, or some other action. Within a specific permission resource, control types can stand in a containment relationship: for the "Website information" resource, the "Modify" control type should contain the "Browse" control type. In ESOFT-ACL, each permission control type is represented by a unique identifier.
User: the smallest unit of the permission subject. Users are the basic members of roles and of groups, and one user can hold several roles.
Role: in different contexts a user plays a role that carries certain rights and obligations. The role is the direct subject of permissions: whether a user may access a resource depends on whether the roles the user plays have been assigned access to that resource. Roles are divided into three types: the superuser type, the basic role type, and the user-defined type. A role of the superuser type does not pass through ESOFT-ACL verification at all and directly enjoys every permission in the system. Basic roles are indispensable to the system and cannot be deleted by users. User-defined roles are customized freely by users and can be freely modified or deleted.
Group: a collection of users that holds several roles. A group can have several roles, several users can form a group, and every user belonging to the group is equivalent to holding all of the group's roles. For example, if users A, B, and C belong to the "Development Department" group, and that group has the three roles "Company Member", "Development Department", and "Technician", then A, B, and C each hold the union of the application system permissions granted to "Company Member", "Development Department", and "Technician".
Permission: the relationship among a role, a permission resource, and a permission control type, expressed as the right to access or perform a certain control type within a certain permission resource.
3 System model
3.1. Permissions
In ESOFT-ACL, permissions that overlap are combined by taking their union. As in the figure above, if a user has three roles, role A, role B, and role C, then the user's permissions are the union of the permissions of those three roles.
3.2. Mapping relationship
In ESOFT-ACL, a group can have several roles, and one role can be assigned to several groups, so the two are in a many-to-many relationship. Likewise, group and user, and role and user, are many-to-many relationships. Permission resources and permission control types are also in a many-to-many relationship.
3.3. Access control model
The client here is the user. After logging in, a user who wants to access an application system (Applications) or a permission resource must first be verified. Verification takes three parameters: the array of the user's roles, the code of the permission resource being accessed, and the code of the permission control type. These three parameters are processed by the ESOFT-ACL kernel; if verification succeeds it returns true and access to Applications is allowed, and if it fails it returns false and access to Applications is refused. Through the supplied WebServices interface, verification can be distributed across servers, and interfaces are provided for enterprise applications.
3.4. Unified Access Interface
To keep the access control system maintainable and easy for users to operate, ESOFT-ACL unifies the permission access interface: only roles hold permissions, and users and groups reach permissions only through roles. So to find out which permissions user A holds, one looks at which roles user A has, which groups user A belongs to and which roles those groups have, and then derives the corresponding permissions from that set of roles.
3.5. Relationship model of resource and control type
As shown in the figure above, suppose the existing application systems are a suggestion system, a website information release system, and others. We can then create the two corresponding permission resources in ESOFT-ACL, "Suggestions" and "Website information release", and after creating them, create the related permission control types (the control interfaces, such as browse, add, modify, and delete). A mapping is then established between these permission resources and the permission control types, and each mapped pair forms a true permission (Privilege). While establishing the mapping, some permission resources require containment relationships between their control types. In the suggestion system, for example, modifying a suggestion first requires the right to browse it, so on the "Suggestions" resource the "Modify" permission is set to contain the "Browse" permission.
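The following is an added example, not ESOFT-ACL's own code, that puts sections 3.1, 3.3, 3.4 and 3.5 together in one small model: users and groups reach permissions only through roles, a subject's permissions are the union over its roles, control types can contain other control types within a resource, and the kernel call takes (role array, resource code, control type code) and answers true or false. All identifiers (resource and role codes, the "superuser" role code, the sample users a to e) are hypothetical, and the sample data is constructed here; one design choice not stated by the text is that a control type never mapped onto a resource is denied rather than allowed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical code for the superuser role type: it bypasses verification entirely (section 2).
SUPERUSER = "superuser"


@dataclass
class Acl:
    """In-memory model of the ESOFT-ACL decision core (added example, not the project's code)."""
    # (resource, control type) -> control types it contains, e.g. modify -> {browse}
    contains: dict[tuple[str, str], set[str]] = field(default_factory=dict)
    # role -> privileges granted directly to it, each a (resource, control type) pair
    role_privs: dict[str, set[tuple[str, str]]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    user_groups: dict[str, set[str]] = field(default_factory=dict)
    group_roles: dict[str, set[str]] = field(default_factory=dict)

    # --- 3.5: map a control type onto a resource, optionally containing other control types ---
    def map_control(self, resource: str, ctype: str, contains: tuple[str, ...] = ()) -> None:
        self.contains[(resource, ctype)] = set(contains)

    def grant(self, role: str, resource: str, ctype: str) -> None:
        # Only a mapped (resource, control type) pair is a real privilege
        if (resource, ctype) not in self.contains:
            raise KeyError(f"{ctype} is not mapped onto {resource}")
        self.role_privs.setdefault(role, set()).add((resource, ctype))

    # --- 3.4: users and groups hold permissions only through roles ---
    def roles_of(self, user: str) -> set[str]:
        roles = set(self.user_roles.get(user, ()))
        for group in self.user_groups.get(user, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def _expand(self, resource: str, ctype: str) -> set[str]:
        """Transitive closure of containment; the seen set guards against cycles in the mapping."""
        seen: set[str] = set()
        stack = [ctype]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            stack.extend(self.contains.get((resource, current), ()))
        return seen

    # --- 3.1: a subject's permissions are the union over all of its roles ---
    def privileges(self, roles: set[str]) -> set[tuple[str, str]]:
        out: set[tuple[str, str]] = set()
        for role in roles:
            for resource, ctype in self.role_privs.get(role, ()):
                out |= {(resource, c) for c in self._expand(resource, ctype)}
        return out

    # --- 3.3: the kernel call, (role array, resource code, control type code) -> bool ---
    def check(self, roles: set[str], resource: str, ctype: str) -> bool:
        if SUPERUSER in roles:
            return True
        if (resource, ctype) not in self.contains:
            return False  # assumption: an unmapped pair is denied, not silently allowed
        return (resource, ctype) in self.privileges(roles)

    def check_user(self, user: str, resource: str, ctype: str) -> bool:
        return self.check(self.roles_of(user), resource, ctype)


def build_sample_acl() -> Acl:
    """Constructed sample data following the text's examples in sections 2, 3.5 and 4.6."""
    acl = Acl()
    # Suggestions resource: delete contains browse, delete own and browse own (4.6)
    for ctype in ("browse", "browse_own", "delete_own"):
        acl.map_control("suggestion", ctype)
    acl.map_control("suggestion", "modify", contains=("browse",))
    acl.map_control("suggestion", "delete", contains=("browse", "delete_own", "browse_own"))
    # Website information resource: modify contains browse (section 2)
    acl.map_control("website_info", "browse")
    acl.map_control("website_info", "add")
    acl.map_control("website_info", "modify", contains=("browse",))
    acl.map_control("website_info", "delete")
    # Hypothetical roles; the group follows the "Development Department" example in section 2
    acl.grant("company_member", "suggestion", "browse_own")
    acl.grant("technician", "suggestion", "delete")
    acl.grant("editor", "website_info", "modify")
    acl.group_roles["development_dept"] = {"company_member", "development_dept", "technician"}
    for user in ("a", "b", "c"):
        acl.user_groups[user] = {"development_dept"}
    acl.user_roles["d"] = {"company_member"}
    acl.user_roles["e"] = {"editor"}
    return acl
```

With this data, user a reaches "technician" through the group and therefore may delete suggestions and, by containment, browse them; user d, holding only "company_member" directly, may browse only his own suggestions; and a role list containing the superuser code short-circuits the check before any lookup, exactly the behaviour the text describes for the superuser type.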
3.6. API model
4 ESOFT-ACL screenshots
4.1 Role management
4.2 Menu access right assignment
4.3 Role permission assignment
4.4 Access resource permission assignment
4.5 Permission resources without sub-classification
4.6 Permission control type and permission resource mapping
Description: on the right of the figure, "Suggestions → Delete [Browse, Delete own, Browse own]" means that the Delete permission on the Suggestions resource contains all three of the Browse, Delete own, and Browse own permissions.
Note: the above is only some experience gathered while developing software; the system certainly has shortcomings, and I welcome guidance from experts. MSN: Misnet @ Hotmail.com, QQ: 19040738, http://www.risensoft.com, http://www.ehero.net