Program permission design (file: 应该程序权限设计Program permissions should be designed.docx)
- Document number: 1455393
- Upload date: 2022-10-22
- Format: DOCX
- Pages: 8
- Size: 21.39KB
Program permission design (Program permissions should be designed)
Preface:
Permissions are often a very complex problem, but they can also be expressed simply as a logical expression:
determine whether the expression "Who performs How on What (Which)" is true. For a given application, choose the appropriate scheme according to the project's actual situation and the specific framework, weighing maintainability, flexibility, completeness and the many other trade-offs between the options.
Goals:
Intuitive. Because the distribution of permissions will ultimately be maintained by end users, being intuitive and easy to understand is what matters most. The system implements group inheritance not only because the function is needed, but above all because it is intuitive enough.
Simple, including simplicity of concept, simplicity of meaning and simplicity of function. It is unrealistic to expect one permission system to solve every permission problem. In the design, frequently changing "custom" functionality is classified as business logic, while the unchanging "general" functionality is classified as permission logic; this classification is based on that idea.
Extensible, through inheritance. Supporting the definition of permissions on Groups effectively avoids redefining the same permissions over and over.
Current situation:
There are generally three kinds of access control methods in an enterprise environment:
1. Discretionary access control (DAC). At present, the access control modules of most information systems in our country basically rely on the access control lists (ACLs) of the discretionary access control method.
2. Mandatory access control (MAC). Used in military applications for multi-level security.
3. Role-based access control (RBAC). It is an effective method for solving unified resource access control in large enterprises. Its two notable features are:
1. it reduces the complexity of authorization management and lowers management overhead; 2. it flexibly supports enterprise security policy and adapts well to organizational change.
Terminology:
Coarse granularity:
represents the class level, that is, only the type of object is considered, regardless of any particular object instance. For example, user management creates and deletes users and treats all users alike; it does not distinguish between the specific object instances an operation acts on.
Fine granularity:
represents the instance level, that is, instances of specific objects (the instance of the object) must be considered. Of course, fine granularity is the consideration of a particular instance after the coarse-grained class of objects has already been considered. For example, in contract management, listing and deletion must distinguish whether the contract instance was created by the current user.
Principle:
Permission logic serves business logic. That is, the permission system takes providing a service for the business logic as its target. Quite a number of fine-grained permissions are not general-purpose because they are extremely specific, and they can equally be understood as part of the business logic. For example, a requirement:
"Contract resources can only be deleted by their creator, can be modified by users in the same group as the creator, and can be browsed by all users." This can be regarded either as a fine-grained permission problem or as a business logic problem. Here it is treated as a business logic problem and is not given much consideration in the architecture design of the whole permission system. Of course, the architecture of the permission system must still support such control decisions. In other words,
the system provides sufficient but not complete control capability. That is, the design principle boils down to:
"The system provides only coarse-grained permissions; fine-grained permissions are considered the responsibility of the business logic."
Again, the permission system described here is only an "incomplete" permission system; that is, it does not provide a solution to every permission problem. It provides a foundation and addresses the "generic" (or coarse-grained) part. On this basis, code written to the specific requirements of the business logic implements the remaining (fine-grained) part to make the whole complete. Returning to the problem of permissions: the general design solves only Who + What + How, and all other permissions are left to the business logic.
Concept:
Who:
the holder or principal of a permission (Principal, User, Group, Role, Actor, etc.).
What:
the object or resource targeted by a permission (Resource, Class).
How:
the specific permission (Privilege; forward and negative authorization).
Role:
a role, which carries a certain set of permissions.
Operator:
an operation. Indicates performing How on What.
Explanation:
User:
related to Role; the user is only a pure user, with permissions separated out. User is not directly related to Privilege, and a User must obtain access to a resource by association with R
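The model sketched in the Principle and Concept sections, as an added example that is not code from the original document: Roles bundle (What, How) operators with forward and negative authorization, Groups inherit roles from a parent, Users hold no privilege directly, and the coarse-grained Who + What + How check stays in the permission system while the contract rule (delete only by creator, modify by the creator's group, browse by all) lives in business logic. Class and function names and the sample users are assumptions made for this example.

```python
class Role:                                   # How: a bundle of (resource, privilege) operators
    def __init__(self, name, allow=(), deny=()):
        self.name, self.allow, self.deny = name, set(allow), set(deny)  # deny = negative authorization

class Group:                                  # Who: inherits roles from its parent group
    def __init__(self, name, roles=(), parent=None):
        self.name, self.roles, self.parent = name, list(roles), parent

class User:                                   # Who: holds no privilege directly, only via Role/Group
    def __init__(self, name, roles=(), groups=()):
        self.name, self.roles, self.groups = name, list(roles), list(groups)

def effective_roles(user):
    """The user's own roles plus those inherited along each group's parent chain."""
    roles = list(user.roles)
    for g in user.groups:
        while g is not None:
            roles.extend(g.roles)
            g = g.parent
    return roles

def is_allowed(user, resource, privilege):
    """Coarse-grained Who + What + How check on a resource *class*; a deny wins."""
    op = (resource, privilege)
    roles = effective_roles(user)
    return not any(op in r.deny for r in roles) and any(op in r.allow for r in roles)

def contract_action_allowed(user, contract, action, users):
    """Fine-grained rule from the text, kept in business logic: delete only by the
    creator, modify by anyone sharing a group with the creator, browse by all."""
    if not is_allowed(user, "contract", action):      # coarse-grained gate first
        return False
    creator = users[contract["creator"]]
    if action == "delete":
        return user.name == creator.name
    if action == "modify":
        shared = {g.name for g in user.groups} & {g.name for g in creator.groups}
        return user.name == creator.name or bool(shared)
    return True                                       # browse

# Constructed sample data, not taken from the original document.
viewer = Role("viewer", allow=[("contract", "browse")])
editor = Role("editor", allow=[("contract", "modify"), ("contract", "delete")])
audit = Role("audit", deny=[("contract", "delete")])
sales = Group("sales", roles=[viewer])
sales_east = Group("sales_east", roles=[editor], parent=sales)
USERS = {"alice": User("alice", groups=[sales_east]),
         "bob": User("bob", groups=[sales_east]),
         "carol": User("carol", roles=[editor, audit], groups=[sales])}
CONTRACT = {"id": 1, "creator": "alice"}    # instance data the permission system never sees
```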
Link: https://www.bdocx.com/doc/1455393.html