The directory structure is displayed as a tree. Following the RBAC specification, I will use each directory as a resource and define permissions as Permission = Resource + Operation, where Operation includes View, Edit, and Check In / Out. The approximate process for defining a permission is: select a directory node on the directory tree, then select an operation type; this defines a permission on that node. To authorize: permission1 -> role1 -> Group1, so a user belonging to Group1 has the operation permission on the node, with inheritance characteristics. If permissions are defined this way, there will be more and more of them as the directory structure grows.

Another way is to define operation permissions, such as View Permission, Edit Permission, Check In Permission, and Check Out Permission, together with the concept of role and privilege, that is, pre-defining basic fixed roles: View Role, Edit Role, Check In Role, Check Out Role. The security policy of the directory structure is then: the tree node is authorized to a role, role1 (Edit Role), and the Group has permission to perform Edit on the node and its child nodes; if the node is also authorized to role2 (Check In Role), the Group can perform both Edit and Check In on the node and its child nodes at the same time. This mode is a coarse-grained authorization for the tree node and does not conform to the Permission = Resource + Operation specification in RBAC.

Does anyone have experience or suggestions regarding directory structure certification?
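A sketch of the second model described above, added here as an example and not part of the original post: fixed per-operation roles are bound to tree nodes and inherited by child nodes, and the first model's cost is shown as a count. The binding shape `(node, group, role)`, the sample paths and all function names are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Fixed roles of the second model, one per operation (role names from the post).
ROLE_OPS = {
    "view_role": {"view"},
    "edit_role": {"edit"},
    "check_in_role": {"check_in"},
    "check_out_role": {"check_out"},
}

# Constructed sample bindings (assumed shape): (directory node, group, role).
BINDINGS = [
    ("/docs", "group1", "view_role"),
    ("/docs/specs", "group1", "edit_role"),
    ("/docs/specs/v2", "group1", "check_in_role"),
    ("/hr", "group2", "view_role"),
]


def normalize(path):
    """Reject relative or '..' paths so a lookup cannot leave its subtree."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        raise ValueError(f"unsafe path: {path!r}")
    return p


def effective_ops(path, groups, bindings=BINDINGS):
    """Union of operations granted on the node itself or on any ancestor."""
    node = normalize(path)
    # Compare whole path components, not string prefixes, so that
    # /docs/specs-old does not inherit from /docs/specs.
    chain = {node, *node.parents}
    ops = set()
    for bound_path, group, role in bindings:
        if group in groups and normalize(bound_path) in chain:
            ops |= ROLE_OPS[role]
    return ops


def is_allowed(path, groups, op):
    """Default deny: allowed only if some inherited binding grants the operation."""
    return op in effective_ops(path, groups)


def per_node_permission_count(node_count, op_count=len(ROLE_OPS)):
    """Permission objects the first model needs: one per (node, operation) pair."""
    return node_count * op_count
```

In this sketch the second model stores only the four bindings regardless of tree size, while the first model needs 4,000 permission objects for a 1,000-node tree.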