RBAC权限系统
wiki上的定义:
In computer systems security, role-based access control (RBAC) is an approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees, and can implement mandatory access control (MAC) or discretionary access control (DAC). RBAC is sometimes referred to as role-based security.
Role-based-access-control (RBAC) is a policy neutral access control mechanism defined around roles and privileges. The components of RBAC such as role-permissions, user-role and role-role relationships make it simple to perform user assignments. A study by NIST has demonstrated that RBAC addresses many needs of commercial and government organizations. RBAC can be used to facilitate administration of security in large organizations with hundreds of users and thousands of permissions.
什么是MAC与DAC呢?简单理解,discretionary这个词是“任意的”,与mandatory这个“强制的”相对应,DAC允许有权限的用户把自己的用户在授权给其他人,而MAC必须是系统统一管理。
“It is used by the majority of enterprises with more than 500 employees”,也就是说RBAC适用场景是用户(subject)非常多的场景,权限多余不多倒不是很重要。因为核心的概念就是role,举个例子如果只有两个用户,那就直接给两个用户授权就可以了,没有必要再搞出个role了。
基本原则:
When defining an RBAC model, the following conventions are useful:
S = Subject = A person or automated agent
R = Role = Job function or title which defines an authority level
P = Permissions = An approval of a mode of access to a resource
SE = Session = A mapping involving S, R and/or P
SA = Subject Assignment
PA = Permission Assignment
RH = Partially ordered Role Hierarchy. RH can also be written: ≥ (The notation: x ≥ y means that x inherits the permissions of y.)
- A subject can have multiple roles.
- A role can have multiple subjects.
- A role can have many permissions.
- A permission can be assigned to many roles.
- An operation can be assigned many permissions.
- A permission can be assigned to many operations.
这里多了个operation,把permission这个概念给复杂化了,具体场景待分析。
然后就是这个RBAC的由简单到复杂的场景了。具体分析可以参考RBAC权限系统设计之我见 这个文章,文章中举的例子是开发平台这类偏互联网应用的场景,具体场景是用户特别多,权限比较少的场景。
RBAC中最核心概念三个用户、角色与权限,核心概念是角色,是对用户的一种抽象。角色这个概念与真实世界中的角色概念非常接近。比如,工作中一个人其实可以担当一个角色,比如说一般的IT工程师,角色很简单Java开发,但是一个项目经理,担当的角色就比较多了,各种吃喝拉撒、各种扯皮协调,对于项目来说是责任人又是协调人。
角色是一种纵向的抽象,可以理解成为一种职责(OOP中的职责,单一功能的对象),用户组可以有多个角色,更像一种功能(OOP中的模块),可以说一个项目经理属于一个项目经理用户组,而一旦属于一个指定的用户组,项目经理有该用户组下的所有的权责(担当各种角色)。
而在安防的场景中,这类客户是政府部门的场景中,一般是用户不多(几个到几十个),但是权限(资源/设备)很多。这个时候,其实角色这个概念的重要性反而不是那么强,同样的,用户组的概念更不是很关键了,反而是权限组这个概念更加核心,因为设备(权限)会比较多上万个,所以分组是很正常的思路(与用户多就给 用户抽象个角色、分个组很像),属于一个特定区域下的设备的权限可以组成一个权限组,甚至权限组也可以有继承关系(角色也有继承关系)。