I am currently working on an enterprise application HRMS, but there are some issues in permission management that I cannot think through:
1. Permission determination at multiple granularities:
Department-based permissions
Basic module permissions
Personnel module permissions
Administrative module permissions
Recruitment module permissions
Training module permissions
Among the above five modules, the last four depend on the first module, so some private data such as attendance data viewing will be placed in the basic module permissions.
Position-based permissions
Director
Senior Manager
manager
General staff
The basic module also contains the initiation process, but ordinary employees cannot approve the process. Only at the manager level can the process initiated by subordinate employees be opened.
Users are directly linked to permissions
Because in the actual production environment, some people will be assistant directors or hold multiple positions. For this situation, I will let the user directly use the user_permisson table management.
Question 1: Data model design
Would it be more troublesome to verify the design later?
Question 2: The interfaces displayed by different departments and positions are slightly different. How to implement this? (It is best to load in ajax mode)
For example, the personnel department can see the resume library and personnel information based on the basic module. The manager level can approve subordinate employees, team performance and other data.
Waiting online for answers from experienced experts, thank you very much!
This project is based on Laravel 5.2.29. It is currently being worked on by one person and is planned to be open source.
If you are interested, you can develop together.
Have you considered
RBAC
? A department can be a role, a position can be a role, and a user's special permissions can also be divided into an independent role. Your idea is correct. The post-verification trouble you are worried about should refer to the permission association table. Too many will cause query timeout, then store the permissions in NoSQL.Regarding the second question, if the display is different, it is best to combine the display of the menu with the permissions. There are pure permission items + menu items in the permission table