


Detailed graphic explanation of RBAC user rights management database design in thinkphp
RBAC (Role-Based Access Control) means that users are associated with permissions through roles. Simply put, a user has several roles, and each role has several permissions, which yields the "user-role-permission" authorization model. In this model, the relationship between users and roles, and between roles and permissions, is generally many-to-many. (As shown below)
What is a role? It can be understood as a collection of a certain number of permissions, a carrier of permissions. For example, in a forum system, "super administrator" and "moderator" are roles. Moderators can manage posts in the forum, manage users in the forum, and so on; these are permissions. To grant these permissions to a user, you do not need to grant them to the user directly. You can give the user the "moderator" role.
When the number of users is very large, granting roles to each user of the system one by one is very cumbersome. At that point you need to group users, with each user group containing multiple users. In addition to authorizing users, you can also authorize user groups. In this way, all the permissions a user has are the sum of the permissions owned by the user personally and the permissions owned by the user group to which the user belongs. (The figure below shows the relationship between user groups, users and roles)
What form do permissions take in an application system? Operations on functional modules, deletion and modification of uploaded files, access to menus, and even visibility control of a button or a picture on the page can all fall within the scope of permissions. Some permission designs treat functional operations as one category, and files, menus, page elements, etc. as another category, thus forming a "user-role-permission-resource" authorization model. When modeling the data tables, functional operations and resources can be managed in a unified manner, that is, both are directly associated with the permission table, which may be more convenient and scalable. (See the picture below)
Please note that the permission table has a "Permission Type" column, and its value is used to distinguish which type of permission a record is. For example, "MENU" means access permission for a menu, "OPERATION" means operation permission for a function module, "FILE" means modification permission for a file, and "ELEMENT" means visibility control of a page element.
There are two advantages to this design. First, there is no need to distinguish which items are permission operations and which are resources (in fact, sometimes it is not easy to distinguish: should a menu be understood as a resource or as a function module permission?). Second, it is convenient to extend. When the system needs to control permissions on something new, I only need to create a new association table "Permission XX Association Table" and decide on the permission type string for that kind of permission.
It should be noted here that the permission table and the permission menu association table, and the permission menu association table and the menu table, are all in a one-to-one relationship. (The same applies to files, page elements, functional operations, etc.) That is to say, every time a menu is added, a record must be inserted into each of these three tables at the same time. Given this, the permission menu association table is not needed and the permission table can be associated directly with the menu table. In that case, a new column must be added to the permission table to store the ID of the menu. The permission table then uses the "permission type" together with this ID to identify which record of which type it refers to.
Here, the complete design diagram of the extended model of the RBAC permission model is as follows:
As the system becomes larger and larger, role groups can be introduced to classify and manage roles more easily. Unlike user groups, role groups do not participate in authorization. For example, in the permission management module of a certain power grid system, roles are attached under the district bureau; the district bureau acts as a role group here and does not participate in permission distribution. In addition, to make each of the main tables above easier to manage and search, a tree structure can be used, such as a menu tree, a function tree, etc. Of course, these do not need to participate in permission allocation either.
The above is expanded from the basic RBAC model, and the specific design must be adjusted according to the needs of the project business.
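The model above, as an added example that is not part of the original article: a SQLite schema in which the permission table carries the "permission type" and the resource ID directly, plus the query that computes a user's effective permissions as the union of personally held roles and roles inherited from user groups. All table names, column names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Table and column names are assumptions; the article only describes diagrams.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE user_groups(id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE roles(id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE permissions(
  id INTEGER PRIMARY KEY,
  type TEXT NOT NULL CHECK(type IN ('MENU','OPERATION','FILE','ELEMENT')),
  resource_id INTEGER NOT NULL,  -- ID of the menu/file/element/operation row
  UNIQUE(type, resource_id));
CREATE TABLE group_member(group_id INTEGER REFERENCES user_groups(id),
  user_id INTEGER REFERENCES users(id), PRIMARY KEY(group_id, user_id));
CREATE TABLE user_role(user_id INTEGER REFERENCES users(id),
  role_id INTEGER REFERENCES roles(id), PRIMARY KEY(user_id, role_id));
CREATE TABLE group_role(group_id INTEGER REFERENCES user_groups(id),
  role_id INTEGER REFERENCES roles(id), PRIMARY KEY(group_id, role_id));
CREATE TABLE role_permission(role_id INTEGER REFERENCES roles(id),
  permission_id INTEGER REFERENCES permissions(id),
  PRIMARY KEY(role_id, permission_id));
"""
# Roles held directly UNION roles inherited from the user's groups.
EFFECTIVE = """
SELECT p.type, p.resource_id FROM permissions p
JOIN role_permission rp ON rp.permission_id = p.id
WHERE rp.role_id IN (
  SELECT role_id FROM user_role WHERE user_id = :uid
  UNION
  SELECT gr.role_id FROM group_role gr
  JOIN group_member gm ON gm.group_id = gr.group_id WHERE gm.user_id = :uid)
"""

def effective_permissions(conn, user_id):
    return set(conn.execute(EFFECTIVE, {"uid": user_id}))

def is_allowed(conn, user_id, ptype, resource_id):
    # Deny by default: access requires an explicit grant through some role.
    return (ptype, resource_id) in effective_permissions(conn, user_id)

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + """
    -- constructed sample data
    INSERT INTO users VALUES (1,'alice'),(2,'bob');
    INSERT INTO user_groups VALUES (1,'forum-staff');
    INSERT INTO roles VALUES (1,'moderator'),(2,'uploader');
    INSERT INTO permissions VALUES (1,'MENU',10),(2,'OPERATION',20),(3,'FILE',30);
    INSERT INTO group_member VALUES (1,1); INSERT INTO group_role VALUES (1,1);
    INSERT INTO user_role VALUES (1,2); INSERT INTO role_permission VALUES (1,1),(1,2),(2,3);
    """)
    return conn
```

The `CHECK` constraint rejects permission types outside the four the article names, and the `UNIQUE(type, resource_id)` pair keeps the one-to-one relationship between a permission row and the resource it guards.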


