Ruby-on-rails: Best Role-Based Access Control (RBAC) database model
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must also follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/190257/
Warning: these are provided under the cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
Best Role-Based Access Control (RBAC) database model
Asked by JasonSmith
What is the best database schema to track role-based access controls for a web application?
I am using Rails, but the RBAC plugin linked by Google looks unmaintained (only 300 commits to SVN; the latest was almost a year ago).
The concept is simple enough to implement from scratch, yet complex and important enough that it's worth getting right.
So how do others architect and implement their RBAC model?
Answer by Amr Mostafa
To my rather basic knowledge in that area, the basic actors of an RBAC are:
- Resources.
- Permissions.
- Users.
- Roles (i.e. Groups).
Resources <- require -> (one or many) Permissions.
Roles <- are collections of -> (one or many) Permissions.
Users <- can have -> (one or many) Roles.
The tables for such a model would be:
- permission
- role
- user
- role_permission
- user_role
Now you might want to include resources here as well if you want users of your application to be able to configure which permissions a resource needs. But I never needed that. Hope that helps.
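The five-table model from the answer above, as an added example that is not part of the original post and not Amr's code: plain Ruby holds the `user`, `role`, `permission`, `role_permission` and `user_role` tables in memory so it runs without Rails or a database, and `permitted?` performs the join that an authorization check would run (the equivalent SQL is shown in a comment; its column names are assumptions). The users, roles and permission names in `demo_rbac` are constructed for the demo. It also shows the two properties worth checking in any RBAC schema: a user with several roles holds the union of their permissions, and revoking a role removes access immediately.

```ruby
# Added example (not from the original answer): Amr Mostafa's five-table RBAC
# model in plain Ruby. Table names follow the answer; sample data is constructed.
#
# Equivalent SQL resolution query (assumed column names), for reference:
#   SELECT 1
#     FROM user_role ur
#     JOIN role_permission rp ON rp.role_id = ur.role_id
#    WHERE ur.user_id = ? AND rp.permission_id = ?
#    LIMIT 1
require 'set'

class Rbac
  Row = Struct.new(:id, :name)

  def initialize
    @user = {}                  # user.id       -> Row
    @role = {}                  # role.id       -> Row
    @permission = {}            # permission.id -> Row
    @user_role = Set.new        # join table: {[user_id, role_id]}
    @role_permission = Set.new  # join table: {[role_id, permission_id]}
  end

  def add_user(name)
    insert(@user, name)
  end

  def add_role(name)
    insert(@role, name)
  end

  def add_permission(name)
    insert(@permission, name)
  end

  def grant_role(user_id, role_id)
    @user_role << [user_id, role_id]
  end

  def revoke_role(user_id, role_id)
    @user_role.delete([user_id, role_id])
  end

  def attach_permission(role_id, permission_id)
    @role_permission << [role_id, permission_id]
  end

  # Effective permissions: the union over every role the user holds
  # (user_role joined to role_permission, then resolved to permission names).
  def permissions_for(user_id)
    role_ids = @user_role.select { |uid, _| uid == user_id }.map { |_, rid| rid }
    @role_permission.select { |rid, _| role_ids.include?(rid) }
                    .map { |_, pid| @permission.fetch(pid).name }
                    .to_set
  end

  # Deny by default: true only if some role of the user carries the permission.
  def permitted?(user_id, permission_name)
    permissions_for(user_id).include?(permission_name)
  end

  private

  # Auto-increment primary key, as a database would assign.
  def insert(table, name)
    id = table.size + 1
    table[id] = Row.new(id, name)
    id
  end
end

# Constructed walk-through: grant, widen, then revoke a role and watch the check.
def demo_rbac
  rbac = Rbac.new
  alice  = rbac.add_user('alice')
  editor = rbac.add_role('editor')
  viewer = rbac.add_role('viewer')
  read   = rbac.add_permission('posts.read')
  write  = rbac.add_permission('posts.write')
  rbac.attach_permission(viewer, read)
  rbac.attach_permission(editor, read)
  rbac.attach_permission(editor, write)

  rbac.grant_role(alice, viewer)
  before = rbac.permitted?(alice, 'posts.write')  # false: viewer cannot write
  rbac.grant_role(alice, editor)
  during = rbac.permitted?(alice, 'posts.write')  # true: editor role adds it
  rbac.revoke_role(alice, editor)
  after  = rbac.permitted?(alice, 'posts.write')  # false again after revocation
  [before, during, after]
end

puts demo_rbac.inspect if $PROGRAM_NAME == __FILE__
```

The join tables are sets of id pairs, so granting the same role twice is idempotent, exactly as a composite primary key on `(user_id, role_id)` would make it in the database.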
Answer by Hanxue
Answer by Yuval
I happen to be working on the RBAC sub-system here at work at the moment... what a coincidence.
My model is based on the building blocks of the different entities in the system that require permissions, be they attributes to view/update or actions to perform. There are also, of course, different roles in the system (which can be given to users), and the glue that holds the whole thing together is the access rule, which connects a specific role, a specific permission-needing entity and the permission granted. An access rule might look like these:
rule 14: guest role + page name + read permission
rule 46: approver role + add column + execute permission
and so on. I'll leave the ERD as an exercise to the reader ;-) if you have questions, leave a comment.
Yuval =8-)
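The access-rule model Yuval describes, as an added example that is not part of the original answer and not Yuval's code: each rule joins a role, a permission-needing entity (an attribute or an action) and the permission granted. Rules 14 and 46 are the two quoted in the answer; rule 47, the entity strings and the `editor` role are constructed for the demo. The check is deny-by-default, and `granting_rule` returns the rule that allowed the access so an audit log can record why a request was permitted.

```ruby
# Added example (not Yuval's code): role + entity + permission access rules in plain Ruby.
# Rules 14 and 46 are the ones quoted in the answer; rule 47 is constructed.
AccessRule = Struct.new(:id, :role, :entity, :permission)

class AccessRules
  def initialize(rules)
    @rules = rules
  end

  # Deny by default: an access rule only ever grants, so no matching rule means no access.
  def allowed?(roles, entity, permission)
    !granting_rule(roles, entity, permission).nil?
  end

  # The rule that grants the access, so an audit record can say *which* rule allowed it.
  def granting_rule(roles, entity, permission)
    @rules.find do |r|
      roles.include?(r.role) && r.entity == entity && r.permission == permission
    end
  end
end

RULES = AccessRules.new([
  AccessRule.new(14, :guest,    'page name',  :read),     # quoted in the answer
  AccessRule.new(46, :approver, 'add column', :execute),  # quoted in the answer
  AccessRule.new(47, :editor,   'page name',  :update)    # constructed for the demo
])

# Constructed walk-through: a single-role user and a two-role user against the rule set.
def demo_rules
  guest    = [:guest]
  approver = [:guest, :approver]  # a user holding two roles sees the union of their rules
  {
    guest_reads_page:     RULES.allowed?(guest, 'page name', :read),        # true  (rule 14)
    guest_updates_page:   RULES.allowed?(guest, 'page name', :update),      # false (no rule)
    approver_adds_column: RULES.allowed?(approver, 'add column', :execute), # true  (rule 46)
    approver_reads_page:  RULES.allowed?(approver, 'page name', :read),     # true  (rule 14)
    granted_by:           RULES.granting_rule(approver, 'add column', :execute).id  # 46
  }
end

puts demo_rules.inspect if $PROGRAM_NAME == __FILE__
```

Because the entity is an opaque key, the same rule table covers both attribute-level permissions (`'page name'` + `:read`) and action-level ones (`'add column'` + `:execute`), which is the point of Yuval's design.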
Answer by IDBD
You can use the Restful ACL Rails plugin.
Answer by detay
I think the answer to your question goes as deep as you wish to go. If you happen to think about it, putting roles into groups and then associating groups with users wouldn't be enough. Eventually you'll need to give specific permissions to a user on a specific object (a forum, a video etc).
I'm closer to Yuval's answer: all we need is to associate project-wide objects + actions + users. To provide this, a base object (Entity) makes perfect sense. Any object inheriting from Entity can be easily associated with a user + action this way.
As you also wish to keep things simple, my suggestion would be:
- Any object subject to rbac restrictions should derive from a base Entity.
- There should be a list of roles, which are one-to-one related with an Entity.
- There should be a list of relations between users and roles.
To take things one step further, I would also recommend the following (for an automated rbac):
- I use service-based access to my objects. That is, I create repositories of objects (which do the db access for me) and I access repositories via service functions.
- I use a custom attribute at the beginning of every service function. This defines the required role to access that function.
- I use the User parameter to access all my service functions, and each service function does a role check before executing itself. Reflection helps me to understand which function I call, and what kind of role it has (via custom attributes).
- I also run an initializer on my application startup, and it checks all the functions (and their attributes) and sees if I added a new required role. If there's a role I just added and it doesn't appear to be in the db, it creates it in the db.
But alas, that's just available for .NET; as far as I know Java doesn't have custom attributes, so that's not yet likely to be available for Java.
I'd like to come up with some code examples but I'm too lazy to do that. Still, if you have questions about my way of rbac, you can ask here and I'll surely reply.
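The "automated rbac" pattern in the four bullets above, as an added example that is not part of the original answer and not detay's code (which is .NET), carried over to plain Ruby since that is the language of the question: `requires_role` plays the part of the custom attribute on a service function, the wrapper installed from `method_added` plays the part of the role check that runs before the function executes, and `sync_roles!` is the startup initializer that creates any newly declared role in the role store. `RoleStore`, `OrderService`, the `User` struct and the role names are constructed stand-ins for the database table and the real services.

```ruby
# Added example (not detay's code): role-required service functions in plain Ruby.
# RoleStore is an in-memory stand-in for the role table; everything here is constructed.
require 'set'

class NotAuthorized < StandardError; end

class RoleStore
  attr_reader :roles

  def initialize
    @roles = Set.new
  end

  # Create every declared role that is not yet stored; returns the ones created.
  def create_missing(names)
    created = names.reject { |n| @roles.include?(n) }
    @roles.merge(created)
    created
  end
end

module RoleRequired
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # method name -> required role; what reflection over the attributes would yield.
    def required_roles
      @required_roles ||= {}
    end

    # Declare the role the next defined method requires (the "custom attribute").
    def requires_role(role)
      @pending_role = role
    end

    # Wrap the method just defined so the role check runs before the body.
    def method_added(name)
      return unless @pending_role          # plain method, or our own redefinition below
      role, @pending_role = @pending_role, nil
      required_roles[name] = role
      original = instance_method(name)
      define_method(name) do |user, *args|
        unless user.roles.include?(role)
          raise NotAuthorized, "#{name} requires role #{role}"
        end
        original.bind(self).call(user, *args)
      end
    end
  end
end

User = Struct.new(:name, :roles)

class OrderService
  include RoleRequired

  requires_role :approver
  def approve(user, order_id)
    "order #{order_id} approved by #{user.name}"
  end

  requires_role :clerk
  def modify(user, order_id)
    "order #{order_id} modified by #{user.name}"
  end

  # Startup initializer: create any declared role missing from the store.
  def self.sync_roles!(store)
    store.create_missing(required_roles.values.uniq)
  end
end

# Constructed walk-through: sync roles, then call with a user who holds only :clerk.
def demo_service
  store   = RoleStore.new
  created = OrderService.sync_roles!(store)   # [:approver, :clerk] on first run
  svc     = OrderService.new
  clerk   = User.new('bob', [:clerk])
  ok      = svc.modify(clerk, 42)             # allowed: clerk role present
  denied  = begin
    svc.approve(clerk, 42)
    false
  rescue NotAuthorized
    true                                      # refused before the body ran
  end
  [created, ok, denied]
end

puts demo_service.inspect if $PROGRAM_NAME == __FILE__
```

Running `sync_roles!` a second time against the same store returns an empty list, which is the "only create what is missing" behaviour the last bullet describes; the check itself is fail-closed, since a method with no declared role is left unwrapped only if the author deliberately omits `requires_role`.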
Answer by Yardboy
Role Requirement works with Restful Authentication very well to provide role-based auth functions and is well-maintained.
Answer by Kunal Khatri
Introduction to RBAC -
A role-based access control system is a method of restricting access to 'some sources or applications or some features of applications' based on the roles of the users of an organization.
Here, restrictions can be by means of multiple permissions, which are created by the administrator to restrict access, and these permissions collectively represent a role, which will be assigned to a user.
And if we go slightly deeper into RBAC, it basically contains 3 features.
1) Authentication - It confirms the user's identity. Usually it is done via user accounts and passwords or credentials.
2) Authorization - It defines what a user can and cannot do in an application. Ex. 'Modifying order' is allowed but 'creating new order' is not allowed.
3) Auditing of user actions on applications - It keeps track of users' actions on applications, as well as who has granted which access to which users.
This was a very basic top-level picture of an RBAC system.
The basic structure of an RBAC system can contain the following components: users, roles, permissions or restrictions, resources.
- Permissions or restrictions - a permission represents access to an application's resource.
- Role - It contains a collection of permissions.
- User - Single or multiple roles are assigned to a user, so eventually the user holds permissions by means of roles.
In addition to this, you can also have a collection of users, called groups, and a role can be assigned to groups, if you want to support complex scenarios. So, this was very basic information about RBAC structure.
Answer by Xiao Li
Try https://github.com/ThoughtWorksStudios/piece, it is a rule engine for you to manage user role based access control:
- Define access control rules
- Combine rules to construct new rules
You can find a full Rails application example here: https://github.com/xli/piece-blog
Answer by Keith Patton
For .net applications you should look at something like Visual Guard http://www.visual-guard.com/ to avoid having to handle permissions and roles from scratch.
Also for .net, you have the membership and role providers and authorisation handled with configuration. http://www.odetocode.com/Articles/427.aspx
Answer by bluekeys
I really like this blog post: https://content.pivotal.io/blog/access-control-permissions-in-rails
EDIT:
It seems that ryanb of railscasts thought along the same lines and created a gem called cancan https://github.com/ryanb/cancan using a basic technique similar to the pivotallabs post.