Role System

The role system of CabloyJS differs from the RBAC model that is popular on the internet.

RBAC does not solve the problem of resource scope authorization in business development. For example, Mike is an employee of the software department, who can only view his own logs; Jone is the manager of the software department, who can view the logs of his department; Jimmy is the person in charge of the enterprise, who can view the logs of the whole enterprise.

The concept of RBAC is complex. In practical applications, new concepts (user groups, departments, positions, etc.) are often introduced, which makes the role system difficult to understand and cumbersome to maintain.

Concept Discrimination

When it comes to role systems, there are often such concepts as user, user group, role, department, position, authorized object, etc.

The role system designed by CabloyJS, by contrast, only has the concepts of user, role and authorized object. The concept is simple, clear, flexible and efficient, easy to understand and easy to maintain.

Department as Role

In essence, a department is a role, such as software department, finance department, etc.

Position as Role

In essence, a position is also a role, such as manager of software department, designer of software department, developer of software department, etc.

Resource Scope as Role

Resource scope is also a role. For example: Jone is the manager of the software department, and can view the logs of the software department. The software department is the resource scope.

Role Tree

CabloyJS refines a set of built-in roles and forms a standardized role tree according to the requirements of various business development. In actual development, we can expand and adjust the role tree to meet the needs of various roles.

  • root
    • anonymous
    • authenticated
      • template
        • system
      • registered
      • activated
      • superuser
      • organization
        • internal
        • external

| Name | Description |
| --- | --- |
| root | root role: including all roles |
| anonymous | anonymous role: users who do not log in will automatically belong to the anonymous role |
| authenticated | authenticated role |
| template | template role: you can configure some basic and general permissions for the template role |
| system | system template role |
| registered | registered role |
| activated | activated role |
| superuser | superuser role: the user root belongs to the role of superuser |
| organization | organization role |
| internal | internal organization role: software department, finance department, etc. |
| external | external organization role: available for partners |

The role superuser aggregates the role system. Therefore, we often authorize some basic permissions to the role system. In this way, the role superuser also has the corresponding authorization.

Terminology Specification

Role is one of the core concepts of business-oriented system development. CabloyJS provides a simple and flexible role system. To facilitate communication and development, CabloyJS uses the following terms:

Catalog Role

  • Catalog Role: a role which contains other child roles

  • Users cannot be added to a catalog role directly

Leaf Role

  • Leaf Role: the leaf of the role tree

  • Users can only be added to leaf roles

Child Role

  • Child Role: either catalog role or leaf role

Aggregate Role

  • Aggregate role is not a role name, but a relationship between roles. In general, the role tree reflects the vertical inheritance relationship from top to bottom. CabloyJS also implements a new mechanism that enables one role to aggregate another horizontally, which is called aggregate role

  • Through the mechanism of aggregate role, it is easy to implement the feature of role templates

Resource Scope

  • It refers to the role scope limited by the authority during the role authorization
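
The terms above can be tied together in a small model. This is an added example, not CabloyJS code: it assumes that a grant on a role applies to users in that role or any role below it, and the role names below `internal`, the grants, the `self` scope and the functions `addUser`, `expand` and `can` are all constructed for illustration.

```javascript
// Simplified model of the role tree; not CabloyJS code. Roles below 'internal',
// the grants and the 'self' scope are constructed for illustration.
const parentOf = {
  authenticated: 'root', template: 'authenticated', system: 'template',
  superuser: 'authenticated', organization: 'authenticated', internal: 'organization',
  software: 'internal', softwareManager: 'software', softwareDeveloper: 'software',
  management: 'internal', finance: 'internal',
};
const aggregates = { superuser: ['system'] }; // horizontal link stated on the page
const userRole = {};

// A catalog role is any role that appears as the parent of another role.
const isCatalog = role => Object.values(parentOf).includes(role);

function addUser(user, role) {
  if (isCatalog(role)) throw new Error(`catalog role ${role} cannot hold users`);
  if (!(role in parentOf)) throw new Error(`unknown role ${role}`);
  userRole[user] = role;
}

// A role, its ancestors (vertical inheritance) and whatever they aggregate (horizontal).
function expand(role, seen = new Set()) {
  for (let r = role; r && !seen.has(r); r = parentOf[r]) {
    seen.add(r);
    (aggregates[r] || []).forEach(a => expand(a, seen));
  }
  return seen;
}

// scope is a role (the resource owner must sit under it) or 'self' (own resources only).
const grants = [
  { role: 'softwareDeveloper', action: 'log.read', scope: 'self' },
  { role: 'softwareManager', action: 'log.read', scope: 'software' },
  { role: 'management', action: 'log.read', scope: 'internal' },
  { role: 'system', action: 'log.read', scope: 'root' }, // reaches superuser by aggregation
];

// Deny by default: an unknown user or owner expands to an empty set of roles.
function can(user, action, owner) {
  const held = expand(userRole[user]);
  return grants.some(g => g.action === action && held.has(g.role) &&
    (g.scope === 'self' ? owner === user : expand(userRole[owner]).has(g.scope)));
}

addUser('Mike', 'softwareDeveloper');
addUser('Jone', 'softwareManager');
addUser('Jimmy', 'management');
addUser('Ann', 'finance');
addUser('root', 'superuser');
```

Here `can('Jone', 'log.read', 'Mike')` is allowed while `can('Jone', 'log.read', 'Ann')` is denied, because Ann's role does not sit under the `software` scope.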

Rebuild Role Tree

To improve runtime performance, CabloyJS optimizes the role tree. Therefore, if the role tree structure changes, it is necessary to perform the Build action to re-optimize the role tree.

Role Tree Status

const dirty = await this.ctx.meta.role.getDirty();

Build by Code

await this.ctx.meta.role.build();

Build by Admin Page

Enter the page Role Management. When the role tree changes, the button + will appear automatically in the lower right corner of the page. Click this button to complete the reconstruction.