Rights management model, ACL, RBAC and ABAC (steps)

Foreword

In the management system, there will be many user rights related issues, and the rights management models used by different platforms are also diverse.

ACL user-based rights management model

The user-based concept means that the user is directly assigned and managed. The advantage is that the model construction is simple, and it is only necessary to grant or cancel the corresponding permissions to the user.But in contrast, if the number of users is huge, this model is very impractical.Because the corresponding permissions of each user need to be maintained, the maintenance cost is too high.

The structure of the ACL model table is very simple, only the user user table and the permission node node and the many-to-many relationship table user_node between user and node are needed.At the same time, it is only necessary to maintain the relationship between user and node in the user_node table.

ACL is suitable for management systems with a small number of users, for example: Class 2112 has 10 students, Zhang San has the authority of the monitor, Li Si has the authority of the school committee, Wang Wu has the authority of the Disciplinary Committee, and other students only have ordinary authority.

RBAC role-based rights management model

The concept of roles is an upgrade to users, and managers do not need to consider the relationship between users and permissions.You just need to give the user a certain role, and then grant or revoke the corresponding permissions to the role.Model building is relatively complex, but in the case of a large number of users, it is still necessary to maintain the relationship between roles and permissions, as well as the relationship between users and roles.

The table structure of RBAC includes user user table, role role table, permission node node table, user_role table of many-to-many relationship between user user and role role, and role_node table of many-to-many relationship between role role and node, a total of 5 sheetssurface.

ABAC attribute-based rights management model

ABAC identifies the attributes of the user itself, and judges user permissions through the identification.Such a design makes ABAC very flexible and scalable.

Generally speaking, ABAC is used together with ACL or RBAC, and will not form a system alone.In the design, only the corresponding fields need to be added to the user table. For example, if a platform only allows users between the ages of 15 and 50 to register, then the age field needs to be added to the user table.

Analysis

These three rights management models can also be said to be design concepts; in the development of the web backend, the user is the main body, and the construction is relatively simple.Of course, they each have their own advantages and disadvantages, but it is difficult to choose the lesser of the two. In the specific development process, it is necessary to weigh the development cost and choose.

Utilize binary optimization

Use the characteristics of binary numbers and binary bit operations to match the rights management model.

0 and 1 in binary can represent two states of having permission (True) and not having permission (False) respectively.

Bit AND operation: Add two binary numbers to get a new number, which is represented by & in python.For example: 0b101 & 0b010 The result is 0 0b110 & 0b101 The result is 0b100, that is, the new number obtained, if the value of the number in the same position is also the same, the result is 1, otherwise it is 0.

Bit OR operation: It is the OR of two binary digits to get a new number, which is represented by | in python.For example: 0b101 | 0b010 results in 0b111, 0b110 | 0b100 results in 0b110.That is, the new number obtained, if the value of the number in the same position is 0, the value of the same position of the new number is 0, otherwise it is 1.

So, we can use the bit AND operation to determine whether a user has a certain permission: permission 1 is represented as 0b001, permission 2 is represented as 0b010, then a user with permission 0b110 can be interpreted as, the user has permission 2 andPermission three.At the same time, if the binary number corresponding to the permission owned by the user and the permission 1 are added together, if the result is not 0, it means that the user has permission 1, and the same is true for others.

Bit-OR operation can be used to grant a certain permission to a user/role: permission 1 is represented as 0b001, permission 2 is represented as 0b010, if the user has no permission in the initial state, it is 0b000.However, the result of 0b000 | 0b001 is 0b001, and the result of 0b001 | 0b010 is 0b011, then the user has permissions one and two.

Summary

The advantage of using binary optimization is that the relationship table between users and permissions can be omitted, and only a field needs to be added to the user table. Similarly, if it is RBAC, the relationship between roles and permissions, and the relationship between users and roles can be used in this way..At the same time, the advantage of doing this is that the binary operation is fast, the performance is high, and it can also reduce the number of connected table queries.But again, without a perfect design, doing so will undoubtedly lead to poor readability and make maintenance more difficult.