<p>Hi everybody, I am trying to develop a IT device info management system for a large company which has lots of branch offices in different locations. Each branch office has some IT devices whose information like purchase date, price, current user should be managed via this system.
This system should has a supper user which can manage everything. And the super user can create device managers for a specific branch office or for a group of branch offices grouped by their locations. The device manager can login into the system like super user. Device manager can manage devices of the single branch office or offices he/she has been assigned to . And device manager has two different permissions, read and write. It means some one could just list and read the devices information, and someone can edit.
So my question is what is the best pattern to deal with such kind of authorization request? User has different permissions to different resources.
My current idea is something like this: Each device belongs to a branch office. Each branch office has an ID. There is a many to many relationship table for user to branch office. This table has three columns like user_id, branch_id and read_only. With such table, when a user want to list all his manageable devices, I would fetch all the branch office ids firstly , and then query the device table joint with the branch office table using sql clause like 'where branch_office_id in (branch_office_ids for this user)'.
Seems current method will work. But I think there must be many standard design pattern to deal such kind of request. I tried to find some package or middleware for Go and failed.
Would you please give me some ideas or just some useful links? Thanks!</p>
<hr/>**评论:**<br/><br/>jimijiim: <pre><p>Active Directory, ACL , RBAC , ... there are plenty of standards when it comes to resource authorization. </p></pre>Redundancy_: <pre><p><a href="https://github.com/ory/ladon" rel="nofollow">https://github.com/ory/ladon</a> ?</p></pre>
