## Role System

The role system of CabloyJS is based on the widely used `RBAC` model, with the following enhancements:

1. `Tree structure`: roles are organized into a `tree structure`, and the concepts of `department`, `position` and `level` are integrated into the role tree, which allows more flexible data authorization
2. `Wider application scope`: the role system can be applied to more kinds of `resource authorization`. `Menu` is just one type of resource
3. `Data scope authorization`: supports data scope authorization in enterprise business development. For example, `Mike` is an employee of the software department, who can only view his own data; `Jone` is the manager of the software department, who can view the data of his department; `Jimmy` is the person in charge of the enterprise, who can view the data of the whole enterprise

## Concept Discrimination

Discussions of role systems often involve concepts such as `user`, `user group`, `role`, `department`, `position`, `authorized object`, etc. The role system designed by CabloyJS has only three concepts: `user`, `role` and `authorized object`. This keeps it simple, clear, flexible and efficient, and easy to understand and maintain

### Department as Role

In essence, a `department` is a `role`, such as `software department`, `finance department`, etc.

### Position as Role

In essence, a `position` is also a `role`, such as `manager of software department`, `designer of software department`, `developer of software department`, etc.

### Data Scope as Role

`Data scope` is also a `role`. For example: `Jone` is the manager of the software department, and can view the data of the `software department`. The `software department` is the `data scope`

## Role Tree

CabloyJS refines a set of `built-in` roles and forms a standardized `role tree` based on the requirements of various kinds of business development.
In actual development, we can expand and adjust the `role tree` to meet the needs of various roles

* root
  * anonymous
  * authenticated
    * template
      * system
    * registered
    * activated
    * superuser
    * organization
      * internal
      * external

| Name | Description |
|----|----|
| root | root role: including all roles |
| anonymous | anonymous role: users who do not log in automatically belong to the anonymous role |
| authenticated | authenticated role |
| template | template role: you can configure some basic and general permissions for the template role |
| system | system template role |
| registered | registered role |
| activated | activated role |
| superuser | superuser role: the user `root` belongs to the role of `superuser` |
| organization | organization role |
| internal | internal organization role: software department, finance department, etc. |
| external | external organization role: available for partners |

> The role `superuser` aggregates the role `system`. Therefore, we often grant some basic permissions to the role `system`. In this way, the role `superuser` also has the corresponding authorization.

## Terminology Specification

`Role` is one of the core concepts of business-oriented system development. CabloyJS provides a simple and flexible role system. To facilitate communication and development, CabloyJS uses the following terms:

### Catalog Role

* Catalog Role: a role which contains other child roles
* Users cannot be added to a catalog role directly

### Leaf Role

* Leaf Role: a leaf of the role tree
* Users can only be added to leaf roles

### Child Role

* Child Role: either a catalog role or a leaf role

### Aggregate Role

* `Aggregate role` is not a role name, but a relationship between roles. In general, the role tree reflects the vertical inheritance relationship from top to bottom.
  CabloyJS additionally implements a mechanism that enables one role to aggregate another horizontally, which is called `aggregate role`
* Through the mechanism of `aggregate role`, it is easy to implement the feature of `role template`

### Data Scope

* It refers to the scope of roles to which a permission is limited during role authorization

## Rebuild Role Tree

To improve runtime performance, CabloyJS optimizes the role tree. Therefore, if the `role tree` structure changes, it is necessary to perform the `Build` action in order to re-optimize the `role tree`

### Role Tree Status

``` javascript
const dirty = await this.ctx.meta.role.getDirty();
```

### Build by Code

``` javascript
await this.ctx.meta.role.build();
```

### Build by Admin Page

Enter the page `Role Management`. When the `role tree` changes, the button `+` will appear automatically in the lower right corner of the page. Click this button to complete the rebuild

![roledirty](https://portal.cabloy.com/api/a/file/file/download/1597d9fe4f6548199e1005dcfd4b3c75.png)
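
The aggregation and rebuild behaviour described above, as an added example that is not CabloyJS code: a toy in-memory model (the names `RoleTree`, `rolesOf` and `builtInTree` are hypothetical) in which `build()` precomputes the roles each role inherits vertically or aggregates horizontally. Following aggregation transitively and refusing lookups while the tree is dirty are assumptions of this model, not documented CabloyJS behaviour.

```javascript
// Added illustration: a toy in-memory model, not CabloyJS code or its API.
class RoleTree {
  constructor() {
    this.roles = new Map();    // name -> { parent, children, aggregates, users }
    this.expanded = new Map(); // name -> Set of roles it receives rights from
    this.dirty = false;
  }
  addRole(name, parent = null) {
    if (parent !== null) this.roles.get(parent).children.add(name);
    this.roles.set(name, { parent, children: new Set(), aggregates: new Set(), users: new Set() });
    this.dirty = true; // structure changed, cached expansion is stale
  }
  // Horizontal link between roles, e.g. superuser -> system.
  aggregate(role, other) { this.roles.get(role).aggregates.add(other); this.dirty = true; }
  addUser(user, role) {
    const r = this.roles.get(role);
    if (r.children.size > 0) throw new Error(`${role} is a catalog role; only leaf roles take users`);
    r.users.add(user);
  }
  build() { // precompute, for every role, the roles reachable upward or by aggregation
    this.expanded.clear();
    for (const name of this.roles.keys()) {
      const seen = new Set();
      const todo = [name];
      while (todo.length > 0) {
        const cur = todo.pop();
        if (seen.has(cur)) continue; // also stops aggregation cycles
        seen.add(cur);
        const { parent, aggregates } = this.roles.get(cur);
        if (parent !== null) todo.push(parent); // vertical inheritance
        todo.push(...aggregates);               // horizontal aggregation
      }
      this.expanded.set(name, seen);
    }
    this.dirty = false;
  }
  rolesOf(user) {
    if (this.dirty) throw new Error('role tree is dirty: run build() first'); // fail closed
    const out = new Set();
    for (const [name, r] of this.roles) if (r.users.has(user)) this.expanded.get(name).forEach((e) => out.add(e));
    return [...out].sort();
  }
}
function builtInTree() { // subset of the page's built-in role tree
  const t = new RoleTree();
  [['root', null], ['authenticated', 'root'], ['template', 'authenticated'],
    ['system', 'template'], ['superuser', 'authenticated']].forEach(([n, p]) => t.addRole(n, p));
  t.aggregate('superuser', 'system');
  return t;
}
```

In this model a user on `superuser` ends up with `system` and `template` only because of the aggregation link, and any later `addRole` or `aggregate` call makes `rolesOf` throw until `build()` runs again.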