Dynamic generation of RBAC roles and permissions

Published 2019-04-29 19:26

Question:

I’m looking for a methodology for generating new RBAC roles on demand. I am developing an RBAC system that will have two primary parameters. Rather than simply having a user associated with a role, and that role associated with a group of permissions, a user can be associated with a role “for a specific project,” and the user can then have the permissions of that role for that project only (or for other projects that the user holds that role for). A user can have a specific role on one project and a different role on another project; the permissions granted to a role are consistent for every project; and a user’s permissions for a project are based on what role that user has on the project.

In response to RBAC system with two parameters, lmontrieux suggested using different roles for different projects. For example, if the role "admin" is used in projects "P1" and "P2", then create a role "P1:admin" and another role "P2:admin". This seems like the way to go, but I don’t want to create a static set of roles. First of all, there will be several projects and I shouldn’t write several sets of permissions that are identical in every way except for the project id. Second, and more importantly, projects “P3,” “P4” and “P5” don’t exist yet, and when they do exist they will be created by a user. Since I can’t create static role-based permissions for an unpredictable number of future projects, I need to develop a method for generating project-specific roles based upon a generic standard.

I assume this is a good application for the use of objects and classes, but I’m not sure how to structure it.
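One way to structure this, as an added example that is not part of the original question or of lmontrieux's answer: keep a single table of role definitions (name to permission set), treat projects as plain runtime data, and put the project into the assignment tuple (user, project, role) rather than into the role name. The "P1:admin" form is then a derived view you can compute whenever a caller wants it, and creating project "P3" requires no new role definitions. Class, method and permission names (`ProjectRBAC`, `has_permission`, `project.read` and so on) are assumptions for illustration. The check defaults to deny: a role held on one project gives nothing on another.

```python
"""Project-scoped RBAC without per-project role copies.

Roles are defined once; scope comes from the assignment tuple
(user, project, role). Example code, not from the original post.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Role:
    """A role defined once; the same permissions apply on every project."""
    name: str
    permissions: FrozenSet[str]


class ProjectRBAC:
    def __init__(self) -> None:
        self._roles: Dict[str, Role] = {}
        self._projects: Set[str] = set()
        # (user, project) -> role name. One role per user per project.
        self._assignments: Dict[Tuple[str, str], str] = {}

    def define_role(self, name: str, permissions: Iterable[str]) -> None:
        """Define a role exactly once; it is never copied per project."""
        if name in self._roles:
            raise ValueError(f"role {name!r} already defined")
        self._roles[name] = Role(name, frozenset(permissions))

    def create_project(self, project: str) -> None:
        """Projects are created at runtime by users; no role setup needed."""
        self._projects.add(project)

    def assign(self, user: str, project: str, role: str) -> None:
        """Grant `role` to `user` on `project` only.

        Fail closed on unknown projects or roles rather than silently
        creating either one.
        """
        if project not in self._projects:
            raise KeyError(f"unknown project {project!r}")
        if role not in self._roles:
            raise KeyError(f"unknown role {role!r}")
        self._assignments[(user, project)] = role

    def revoke(self, user: str, project: str) -> None:
        """Remove the user's role on one project; other projects unaffected."""
        self._assignments.pop((user, project), None)

    def role_for(self, user: str, project: str) -> Optional[str]:
        return self._assignments.get((user, project))

    def has_permission(self, user: str, project: str, permission: str) -> bool:
        """Default deny: no assignment on this project means no permission,
        regardless of roles the user holds on other projects."""
        role = self._assignments.get((user, project))
        if role is None:
            return False
        return permission in self._roles[role].permissions

    def scoped_role_names(self, user: str) -> List[str]:
        """The 'P1:admin' style names, computed on demand instead of stored."""
        return sorted(f"{project}:{role}"
                      for (u, project), role in self._assignments.items()
                      if u == user)


def demo() -> ProjectRBAC:
    """Constructed sample data: two roles, two projects, two users."""
    rbac = ProjectRBAC()
    rbac.define_role("admin", {"project.read", "project.write", "member.manage"})
    rbac.define_role("viewer", {"project.read"})
    rbac.create_project("P1")
    rbac.create_project("P2")
    rbac.assign("alice", "P1", "admin")   # admin on P1 only
    rbac.assign("alice", "P2", "viewer")  # a different role on P2
    rbac.assign("bob", "P1", "viewer")
    return rbac


if __name__ == "__main__":
    r = demo()
    print(r.has_permission("alice", "P1", "member.manage"))  # True
    print(r.has_permission("alice", "P2", "member.manage"))  # False
    print(r.scoped_role_names("alice"))  # ['P1:admin', 'P2:viewer']
```

The assignment table is the only thing that grows with the number of projects; the set of role definitions stays fixed, which is what lets a user-created "P3" work the moment it exists. If you later need project-specific exceptions (a permission granted on one project but not another), that is a separate per-assignment override, not a reason to fork the role definition.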