Rules of Authorization

  1. At present, only two types of resource authorization are provided: Atom and Function, which can fully meet the needs of actual business development
  2. Users can only be added to leaf roles. Users naturally have all the authorizations of their roles
  3. Leaf roles and users have a many-to-many relationship
  4. With the whitelist policy, the authorization of all roles must be set explicitly (superuser is no exception)

Authorization Inheritance Mechanism

There are two inheritance mechanisms for role authorization in CabloyJS:

1. Inherit Vertically

Child roles automatically inherit the authorization of all parent roles

2. Aggregate Horizontally

A role can aggregate another role to have authorization for that role. For example, if the role superuser aggregates the role system, then the role superuser will automatically have the authorization of the role system

Role Template: The role template feature, also called a predefined role, can be realized through the aggregation mechanism. A set of permissions can be assigned to a predefined role, so that other roles can be authorized quickly in actual use by aggregating it
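
The two mechanisms combined with the whitelist rule, as an added example that is not CabloyJS code or its API: the role tree, right names and helper functions are constructed, and it assumes an aggregated role contributes its full effective authorization.

```javascript
// Added illustration, not CabloyJS code. The role tree, right names and helper
// names are constructed; only "superuser" and "system" come from the text.
const roles = {
  root:      { parent: null,       includes: [],         rights: [] },
  system:    { parent: null,       includes: [],         rights: ['function:role.manage'] },
  internal:  { parent: 'root',     includes: [],         rights: ['atom:note.read'] },
  superuser: { parent: 'internal', includes: ['system'], rights: [] },
  staff:     { parent: 'internal', includes: [],         rights: ['atom:note.write'] },
};
const userRoles = { alice: ['superuser'], bob: ['staff'], carol: [] };

// A leaf role is one that no other role names as its parent.
const isLeaf = (name) => !Object.values(roles).some((r) => r.parent === name);

// Effective rights of a role: its own, plus every ancestor's (vertical),
// plus every aggregated role's (horizontal). Assumption: an aggregated role
// contributes its own effective rights. `seen` stops aggregation cycles.
function effectiveRights(name, seen = new Set()) {
  if (seen.has(name)) return new Set();
  seen.add(name);
  const role = roles[name];
  if (!role) throw new Error(`unknown role: ${name}`);
  const out = new Set(role.rights);
  const linked = [...role.includes, ...(role.parent ? [role.parent] : [])];
  for (const other of linked) {
    for (const right of effectiveRights(other, seen)) out.add(right);
  }
  return out;
}

// Rule 2: users may only be attached to leaf roles (many-to-many).
function assignUser(user, roleName) {
  if (!roles[roleName]) throw new Error(`unknown role: ${roleName}`);
  if (!isLeaf(roleName)) throw new Error(`${roleName} is not a leaf role`);
  if (!userRoles[user]) userRoles[user] = [];
  if (!userRoles[user].includes(roleName)) userRoles[user].push(roleName);
}

// Whitelist: default deny. A right is granted only if one of the user's
// roles explicitly carries it, directly or through inheritance/aggregation.
function can(user, right) {
  return (userRoles[user] || []).some((r) => effectiveRights(r).has(right));
}
```

Here alice (superuser) gets `function:role.manage` through aggregation of system and `atom:note.read` through her parent role, but is denied `atom:note.write` because no role she holds grants it.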

Authorization Ways

There are three ways of authorization:

Artificial Authorization

If certain permissions can only be determined at actual deployment or runtime, authorization operations can be performed through the management pages

Initial Authorization

If permissions need to be initialized while the system is starting, they can be assigned through the backend API route version/init. For example, assign permissions to the template role system

The initial authorization is valid in the test environment, development environment and production environment

Test Authorization

In order to facilitate testing and development, permissions can also be initialized through the backend API route version/test in the development stage. For example, assign permissions to certain test roles

The test authorization is only valid in the test environment and development environment