turn:
Resource concept resources are the final substances you want, we can define a permission for each resource, or define a certain type of resource. Concept permission is a protection access to resources. Users want to access A resource premise It is the user must have access to A resource. The role concept does not directly give the permissions to the user, but through the role to give the user because the user has a certain role because the user plays a certain role. A is a manager, he manages B, he has the permissions of B, C, D. Actually, A has this permission, but because ABO is a manager. Because the manager has B, C, D permissions, it is clearly on the authority division, we will give the permissions to a role instead of giving to an individual. The advantage of this is that if the company changed the manager, then as long as you hire a person to do a manager, it is possible, not because the permissions are in the personal hand, the group concept is only a role, and it is not enough. B has found that A financial issues have set up a financial survey group, and then we give this group of financial surveyors (note that all the characters of this group have financial surveys. You don't need everyone to give this role (actually already have it), the group concept is also suitable for the department, because any department is playing a pan-role in the company or society. The last concept determines whether the user has access to resources to see this user has access to this resource, that is, the packet, division, and the score character are ultimately permission to implement access control for resources.
Http://blog.9cbs.net/foreverkissing/archive/2005/04/11/342758.aspx
