Understanding permission, role, and rule in RBAC

Role Based Access Control (RBAC): controlling permissions based on roles

 

permission

e.g. creating posts, updating posts

role

A role represents a collection of permissions (e.g. creating posts, updating posts). A role may be assigned to one or multiple users.

rule

A rule represents a piece of code that is executed during an access check to determine whether the corresponding role or permission applies to the current user. For example, the "update post" permission may have a rule that checks whether the current user is the post creator. During access checking, if the user is NOT the post creator, the user is considered not to have the "update post" permission.

 

Both roles and permissions can be organized in a hierarchy. In particular, a role may consist of other roles or permissions; and a permission may consist of other permissions.
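The three concepts above as a small access checker. This is an added example, not code from the original post; the `Rbac` class, the users alice and bob, and the `creator` parameter are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Item:
    """A role or a permission: a name, an optional rule, and child items."""
    name: str
    rule: Optional[Callable[[str, dict], bool]] = None
    children: list = field(default_factory=list)

class Rbac:
    def __init__(self):
        self.items = {}        # item name -> Item
        self.assigned = {}     # user id -> set of role names assigned directly

    def add(self, name, rule=None, children=()):
        # Items cannot be redefined and children must already exist, so no cycles can form.
        if name in self.items or any(c not in self.items for c in children):
            raise ValueError(f"duplicate item or unknown child for {name!r}")
        self.items[name] = Item(name, rule, list(children))

    def assign(self, user, role):
        self.assigned.setdefault(user, set()).add(role)

    def can(self, user, permission, params=None):
        """Deny by default; every rule met on the path to the permission must pass."""
        return any(self._grants(user, role, permission, params or {})
                   for role in self.assigned.get(user, ()))

    def _grants(self, user, name, target, params):
        item = self.items.get(name)
        if item is None or (item.rule and not item.rule(user, params)):
            return False       # unknown item or failed rule: the item does not apply
        if name == target:
            return True
        return any(self._grants(user, c, target, params) for c in item.children)

def is_post_creator(user, params):
    return params.get("creator") == user   # a missing "creator" fails closed

def build_demo():
    rbac = Rbac()
    rbac.add("create post")
    rbac.add("update post", rule=is_post_creator)
    rbac.add("author", children=["create post", "update post"])
    rbac.add("admin", children=["author"])  # a role made of another role
    rbac.assign("alice", "author")
    rbac.assign("bob", "admin")
    return rbac
```

Because the rule is attached to the permission itself, it is evaluated for every role that reaches it, so bob's admin role inherits "update post" from author but is still bound by the creator check.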

Figure 1:

Figure 2:

posted @ 2015-08-26 09:49  yikai.shao