A complete system permission scheme needs to support both functional permissions and data permissions. The previous article described how the system implements functional permission control through the RBAC permission model; here we describe how to implement data permission control by extending the MyBatis-Plus plugin DataPermissionInterceptor.
Simply put, functional permissions, as the name implies, control which functions a user may use in the system, while data permissions control which data a user may access in the system. Data permissions are divided into row-level data permissions and column-level data permissions.
Basic concepts of data permissions:
- Row-level data permissions: described in terms of the table structure, the permission applies to entire rows in the database. For example, when data is divided by department, a row belongs to a certain department; if the user has data permission for that department, the user has permission for this row.
- Column-level data permissions: described in terms of the table structure, a user may only have permission for certain fields of a table. For example, only senior users can query sensitive information such as bank card and mobile phone numbers in the table, while ordinary users can query only basic information. Different user roles have different data permissions.
Implementation:
- Row-level data permissions:
Row-level data permissions are subdivided further. Data permissions identified by role are:
1. Can only view one's own data;
2. Can only view the data of one's own department;
3. Can only view the data of one's own department and its sub-departments;
4. Can view the data of all departments.
Data permissions identified by user are:
5. The same functional role holds data permissions for different departments;
6. Different roles hold data permissions for different departments.
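The four role-based scopes above (1-4), applied as a WHERE predicate by a MyBatis-Plus DataPermissionHandler; this is an added example, not the article's own code. It assumes the single-table `DataPermissionHandler` interface of MyBatis-Plus 3.4+ and JSqlParser's `CCJSqlParserUtil`, while the `DataScope` enum, the `CurrentUser` record, the session `Supplier` and the `create_by`/`dept_id` column names are hypothetical.

```java
import com.baomidou.mybatisplus.extension.plugins.handler.DataPermissionHandler;
import net.sf.jsqlparser.JSQLParserException;
import net.sf.jsqlparser.expression.Expression;
import net.sf.jsqlparser.parser.CCJSqlParserUtil;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;

/** Hypothetical: the four role-based row scopes (1-4 in the article). */
enum DataScope { SELF, DEPT, DEPT_AND_CHILDREN, ALL }
/** Hypothetical snapshot of the authenticated user, taken from the server-side session, never from the request. */
record CurrentUser(long userId, long deptId, Set<Long> deptAndChildIds, DataScope scope) {}

public class RowScopeDataPermissionHandler implements DataPermissionHandler {
    private final Supplier<CurrentUser> currentUser; // hypothetical session accessor

    public RowScopeDataPermissionHandler(Supplier<CurrentUser> currentUser) {
        this.currentUser = currentUser;
    }
    /** Invoked by DataPermissionInterceptor with the statement's existing WHERE clause (null if none). */
    @Override
    public Expression getSqlSegment(Expression where, String mappedStatementId) {
        String filter = buildScopeFilter(currentUser.get());
        if (filter == null) {
            return where; // scope ALL: query runs unchanged
        }
        // Parenthesise the original WHERE. Without this, "a OR b AND dept_id = 1" is read by the database
        // as "a OR (b AND dept_id = 1)", and the OR branch leaks rows outside the user's scope.
        String combined = where == null ? filter : "(" + where + ") AND " + filter;
        try {
            return CCJSqlParserUtil.parseCondExpression(combined);
        } catch (JSQLParserException e) {
            throw new IllegalStateException("scope filter failed to parse; refusing to run unscoped query", e);
        }
    }
    /** Predicate for the user's scope, or null for ALL. Only trusted numeric IDs are interpolated. */
    static String buildScopeFilter(CurrentUser user) {
        switch (user.scope()) {
            case SELF: return "create_by = " + user.userId();
            case DEPT: return "dept_id = " + user.deptId();
            case DEPT_AND_CHILDREN: {
                Set<Long> ids = user.deptAndChildIds();
                if (ids == null || ids.isEmpty()) return "dept_id = " + user.deptId(); // no children resolved
                return "dept_id IN (" + ids.stream().map(String::valueOf).collect(Collectors.joining(", ")) + ")";
            }
            case ALL: return null;
            default: return "1 = 0"; // unknown scope: fail closed
        }
    }
}
```

Register it with `new DataPermissionInterceptor(new RowScopeDataPermissionHandler(sessionAccessor))` in the MybatisPlusInterceptor chain; the user-based scopes 5 and 6 only change how `deptAndChildIds` is resolved, not the handler.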