I'm developing a generic user management system using role-based access control (RBAC), where I couldn't distinguish between the operations table and the permissions table (that is, after reading so many articles).

"A subject can have multiple roles. A role can have multiple subjects. A role can have many permissions. A permission can be assigned to many roles. An operation can be assigned many permissions. A permission can be assigned to many operations."

en.wikipedia.org/wiki/Role-based_access_control

Can anyone please give a simple example to distinguish between them?


Solution

The RBAC standard doesn't refer to operations, but only deals with users, roles, and permissions. I suppose that the operations you're referring to are part of the specific implementation you're using. They probably are the way resources are implemented in your solution.

A permission is what is needed to execute/access a resource. Permissions are assigned to roles, and resources require a set of permissions.

Let's take, for example, the case of a simple till management system. There are many users (the store's employees), and many roles, including cashier operator. That role gives the users one permission, scan items. Such permission is required by the operation item.scan(), and also by the operation item.cancel().

Other tips

Permission - An approval of a mode of access to a resource.
Resource - System object or operation that requires restricted access.

In RBAC a permission is a mapping between objects and operations.

For example:

customer123 <--- this is an object

read, write, update, delete <--- these are operations

and these are the possible permissions:

customer123.read, customer123.write, customer123.update, customer123.delete

In RBAC, the permissions are then granted to roles. So one role might be:

Users

and have been granted customer123.read

and another role might be:

Admins

which have been granted permissions customer123.write, customer123.update

and so on
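An added example, not part of either answer, that models both of them in Python: a permission is an (object, operation) pair granted to roles, users hold the union of their roles' permissions, and a guarded operation such as item.scan() declares the permission it requires. The class names, the `requires` decorator and the users alice and bob are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    resource: str    # the object, e.g. "customer123"
    operation: str   # the mode of access, e.g. "read"

@dataclass
class Rbac:
    role_permissions: dict = field(default_factory=dict)  # role -> set of Permission
    user_roles: dict = field(default_factory=dict)        # user -> set of role names

    def grant(self, role, resource, operation):
        self.role_permissions.setdefault(role, set()).add(Permission(resource, operation))
    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def permissions_of(self, user):
        # A user holds the union of the permissions of all of their roles.
        return {p for r in self.user_roles.get(user, set())
                  for p in self.role_permissions.get(r, set())}

    def check(self, user, resource, operation):
        return Permission(resource, operation) in self.permissions_of(user)

def requires(rbac, resource, operation):
    # Guard an operation: the calling user must hold the named permission.
    def decorator(fn):
        def wrapper(user, *args, **kwargs):
            if not rbac.check(user, resource, operation):
                raise PermissionError(f"{user} lacks {resource}.{operation}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator

# Constructed sample data mirroring the two answers above.
rbac = Rbac()
rbac.grant("Users", "customer123", "read")
rbac.grant("Admins", "customer123", "write")
rbac.grant("Admins", "customer123", "update")
rbac.grant("CashierOperator", "item", "scan")   # the one "scan items" permission
rbac.assign("alice", "Users")
rbac.assign("bob", "Admins")
rbac.assign("bob", "CashierOperator")

@requires(rbac, "item", "scan")   # item.scan() requires the scan permission ...
def scan_item(user, sku):
    return f"{user} scanned {sku}"
@requires(rbac, "item", "scan")   # ... and so does item.cancel()
def cancel_item(user, sku):
    return f"{user} cancelled {sku}"
```

Note that the operations table (scan_item, cancel_item) and the permissions table (the Permission rows) stay separate: several operations can require the same permission, and a role never references an operation directly.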
