RBAC Permission System Design and Implementation for Local Life Services Platform
This article introduces the permission system of Baidu's Duoli Bear (多利熊), a local life services platform. It first gives a business overview of Duoli Bear and the pain points in building its permission system, then details the solution from three angles: the permission model, the permission system design, and its application in the business. The design is a customized RBAC that uses a tree-structured permission set mirroring the menus, role-bound data rules, and business-line isolation to manage access across diverse services.
The business architecture of Duoli Bear consists of three layers: an Ecological Scenario Layer, a Platform Support Layer, and an Infrastructure Layer. It is served through numerous platforms, each with its own roles: the merchant platform, operations platform, review platform, editor platform, distribution platform, intervention platform, and quality platform. This creates three concrete requirements for the permission system: platform isolation so that data stays compartmentalized for compliance, efficient configuration so that many roles can collaborate without per-user grants, and easy integration from services written in different development languages.
The article then walks through the RBAC (Role-Based Access Control) model and its four core components: Subject (S), Role (R), Session (SE), and Permissions (P). It covers the three main rules of RBAC (a subject can exercise a permission only through a role it has been assigned, only after that role has been activated in its session, and only if the permission has been authorized for that role) and the four RBAC model levels: Flat RBAC, Hierarchical RBAC (roles inherit permissions from junior roles), Constrained RBAC (separation-of-duty constraints on role assignment and activation), and Symmetric RBAC (adds permission-role review, so one can ask which roles hold a given permission).
Based on the Flat RBAC model, the team designed a customized RBAC model that supports access to multiple business lines and isolation between them. Permissions form a tree of menu permissions, functional group permissions, and button permissions, which maps directly onto the frontend page structure; granting a leaf implies the menu path needed to reach it. The core design consists of business line tables, user tables, role tables, and permission tables, with prod_id as the key field for business line isolation: every permission, role, and user-to-role binding is scoped to a prod_id, so a role in one business line can never grant access in another, even when two lines use the same permission names. Because the tree mirrors the UI, the same permission check must also run on the backend for each request; hiding a menu or button is presentation, not enforcement.
The article also discusses data permissions, distinguishing row-level permissions (restricting which data rows a subject can see, typically by user, department, or organization) from column-level permissions (restricting which columns of those rows are visible). It suggests binding data rules to roles in the RBAC model, so that the role that grants a function also carries the rule that limits which data the function may touch.
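The following is an added illustration of the design described above, not the Duoli Bear code or schema: a small in-memory permission system in which every permission, role and user-role binding carries a prod_id, permissions form a menu/group/button tree, and data rules (a row filter plus a set of hidden columns) are bound to roles. The table layout, the DataRule shape, and the business lines "takeout" and "groupbuy" are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

KINDS = ("menu", "group", "button")  # the three levels of the permission tree


@dataclass(frozen=True)
class Permission:
    prod_id: str           # business line; every node belongs to exactly one
    perm_id: str           # unique only within its prod_id
    kind: str
    parent: Optional[str]  # parent perm_id in the same prod_id; None for a root menu


@dataclass(frozen=True)
class DataRule:
    """Row/column restriction bound to a role (assumed shape, not the article's schema)."""
    row_filter: Callable[[dict, dict], bool] = lambda user, row: True
    hidden_columns: FrozenSet[str] = frozenset()


class PermissionSystem:
    def __init__(self) -> None:
        self.prods: Set[str] = set()
        self.perms: Dict[Tuple[str, str], Permission] = {}      # (prod_id, perm_id)
        self.role_perms: Dict[Tuple[str, str], Set[str]] = {}   # (prod_id, role_id) -> perm_ids
        self.role_rules: Dict[Tuple[str, str], List[DataRule]] = {}
        self.user_roles: Dict[Tuple[str, str], Set[str]] = {}   # (user_id, prod_id) -> role_ids

    def add_business_line(self, prod_id: str) -> None:
        self.prods.add(prod_id)

    def add_permission(self, prod_id, perm_id, kind, parent=None) -> None:
        if prod_id not in self.prods:
            raise KeyError(f"unknown business line {prod_id}")
        if kind not in KINDS:
            raise ValueError(f"bad permission kind {kind}")
        if parent is not None and (prod_id, parent) not in self.perms:
            raise KeyError("parent must already exist in the same business line")
        self.perms[(prod_id, perm_id)] = Permission(prod_id, perm_id, kind, parent)

    def add_role(self, prod_id, role_id, perm_ids, rules=()) -> None:
        missing = [p for p in perm_ids if (prod_id, p) not in self.perms]
        if missing:
            raise KeyError(f"permissions {missing} do not exist in {prod_id}")
        self.role_perms[(prod_id, role_id)] = set(perm_ids)
        self.role_rules[(prod_id, role_id)] = list(rules)

    def assign_role(self, user_id, prod_id, role_id) -> None:
        # A role is bound to a user per business line; (user, role) alone is never enough.
        if (prod_id, role_id) not in self.role_perms:
            raise KeyError(f"role {role_id} is not defined in {prod_id}")
        self.user_roles.setdefault((user_id, prod_id), set()).add(role_id)

    def _ancestors(self, prod_id, perm_id) -> List[str]:
        chain, node = [], self.perms[(prod_id, perm_id)]
        while node.parent is not None:
            chain.append(node.parent)
            node = self.perms[(prod_id, node.parent)]
        return chain

    def effective_permissions(self, user_id, prod_id) -> Set[str]:
        """Granted nodes plus the menu/group path above them, so the frontend can draw the tree."""
        granted: Set[str] = set()
        for role in self.user_roles.get((user_id, prod_id), ()):
            for perm in self.role_perms[(prod_id, role)]:
                granted.add(perm)
                granted.update(self._ancestors(prod_id, perm))
        return granted

    def has_permission(self, user_id, prod_id, perm_id) -> bool:
        # The check the backend must run on every request; a hidden button is not enforcement.
        return perm_id in self.effective_permissions(user_id, prod_id)

    def filter_rows(self, user: dict, prod_id: str, rows: List[dict]) -> List[dict]:
        """Row-level: a row is visible if some role the user holds in this line allows it
        (all of that role's rules must pass). Column-level: a column is hidden only if every
        such role hides it, so the user sees the union of what their roles expose."""
        roles = self.user_roles.get((user["user_id"], prod_id), set())
        if not roles:
            return []
        hidden = set.intersection(*[
            set().union(*(r.hidden_columns for r in self.role_rules[(prod_id, role)]))
            for role in roles])
        visible = []
        for row in rows:
            if any(all(r.row_filter(user, row) for r in self.role_rules[(prod_id, role)])
                   for role in roles):
                visible.append({k: v for k, v in row.items() if k not in hidden})
        return visible


def build_demo() -> PermissionSystem:
    ps = PermissionSystem()
    for prod in ("takeout", "groupbuy"):  # two business lines with the same tree shape
        ps.add_business_line(prod)
        ps.add_permission(prod, "order", "menu")
        ps.add_permission(prod, "order.ops", "group", parent="order")
        ps.add_permission(prod, "order.refund", "button", parent="order.ops")
        ps.add_permission(prod, "order.export", "button", parent="order.ops")
    own_dept = DataRule(row_filter=lambda user, row: row["dept"] == user["dept"],
                        hidden_columns=frozenset({"phone"}))
    ps.add_role("takeout", "reviewer", ["order.refund"], rules=[own_dept])
    ps.add_role("takeout", "admin", ["order.refund", "order.export"])
    ps.add_role("groupbuy", "reviewer", ["order.refund"], rules=[own_dept])
    ps.assign_role("alice", "takeout", "reviewer")  # alice holds no role in groupbuy
    ps.assign_role("bob", "takeout", "admin")
    return ps


ROWS = [  # constructed sample orders, not real data
    {"order_id": 1, "dept": "east", "phone": "138****0001", "amount": 30},
    {"order_id": 2, "dept": "west", "phone": "138****0002", "amount": 45},
]
ALICE = {"user_id": "alice", "dept": "east"}
BOB = {"user_id": "bob", "dept": "west"}

if __name__ == "__main__":
    ps = build_demo()
    print(ps.has_permission("alice", "takeout", "order.refund"))   # True
    print(ps.has_permission("alice", "groupbuy", "order.refund"))  # False: same perm_id, other line
    print(ps.filter_rows(ALICE, "takeout", ROWS))                  # row 1 only, phone column dropped
```

The point of keying every table on prod_id shows up in the second check: "order.refund" exists in both business lines, but alice's reviewer role in takeout says nothing about groupbuy. The union semantics in filter_rows are a design choice; a deployment that wants the most restrictive role to win would intersect row filters and union hidden columns instead.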
Baidu Geek Talk