简体繁体 English

为用户选择哪个角色

[英]Which Role to choose for an User

原文 2016-05-19 17:51:58 9 1 python/ authorization/ access-control/ rbac

In an RBAC an User can have multiple roles. 在RBAC中，用户可以具有多个角色。 Say, an User named Abe is part of couple of Roles, Driver and Mechanic. 假设一个名为Abe的用户是角色，驱动程序和机修工夫妇的一部分。 Abe wants to check whether the truck needs an OilChange (an operation only Mechanics can do) 安倍想检查卡车是否需要换油（只有机械师才能执行的操作）

Option A) When Abe logs in to the application (mobile app or webpage), the backend authenticates Abe and determines that he has two roles. 选项A）当安倍晋三登录应用程序（移动应用程序或网页）时，后端将对安倍晋三进行身份验证并确定他具有两个角色。 The application iteratively checks each of the Roles and see which Role has the permission to do that operation. 应用程序迭代检查每个角色，并查看哪个角色有权执行该操作。

Option B) When Abe logs in to the application (mobile app or webpage), he choose the Role along with it. 选项B）安倍晋三登录到应用程序（移动应用程序或网页）时，他会选择角色。 And backend authenticates Abe and uses the Role sent by Abe to check whether he has the permission to do that operation. 后端对Abe进行身份验证，并使用Abe发送的角色来检查他是否有权执行该操作。

Or is there a better way to chose a Role for an action performed by the User? 还是有更好的方法为用户执行的操作选择角色？

Thanks. 谢谢。

1 个解决方案

From a UX stand point, Option A is better. 从UX的角度来看，选项A更好。 If Abe has to perform a variety of tasks, then he may have to log out and log in multiple times under different roles, increasing his cognitive load and potentially delay between accomplishing his task. 如果安倍必须执行各种任务，那么他可能不得不注销并以不同的角色多次登录，这增加了他的认知负担，并可能延迟完成任务之间的时间。

From a development standpoint, Option B may be slightly easier, if for the the only reason that you must now perform track the users permissions in a slightly more complex way on the backend, but I'd largely consider this negligible. 从开发的角度来看，如果由于现在必须在后端以稍微复杂的方式执行跟踪用户权限的唯一原因，那么选项B可能会稍微容易一些，但是我认为这可以忽略不计。

I personally would go with Option A for these reasons. 由于这些原因，我个人会选择选项A。