The Role-based Access Control (RBAC) model is an easily understood permission system for B2B products. Focusing on the actual technical implementation process of RBAC will allow you to avoid unnecessary detours and facilitate the communication between B2B product managers and developers.
1. Introduction to permission systems
The permission system includes six components: business organizations, roles, users, permissions, interfaces and views. Users gain permission according to the roles they play in the business organization. When roles differ, the permissions differ, and the interfaces and views presented to them will also be different.
Specifically, organizations, roles, and users are real-time adjustable based on business changes. Permissions are fundamental attributes developed and implemented based on business requirements. There are functional permissions (including menu permissions), organizational permissions and data permissions. Interface and visualization are contents presented by the system to corresponding users according to the system configuration.
2. Deep understanding of the RBAC model
At the core of the RBAC model is the introduction of roles between users and permissions. It eliminates the direct relationship between users and permissions. Instead, it gives users permissions indirectly through user-role correspondence in which each role corresponds to a customed set of permissions (as shown in the figure below). Such a model decouples users and permissions.
RBAC model emphasizes the relationship between users, roles, and permissions. Applying the RBAC model in the B2B sector requires an additional component for business departments. Together, these four components establish a new relationship. The back-end office needs to record the relationships of users, business departments and roles, as shown in the figure below:
The permission systems of mature Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) platforms are stringent, and the same applies to requirements for business records. Each business record must contain its owner and the owner's business department. In general, business records must fulfil seven primary fields: the creator, creation date, last modifier, last modified time, the owner, the owner's business department, and corresponding status (enabled/deactivated). When the owner changes, his business department will update simultaneously.
According to the data scope of the current user’s organization and role, the system will retrieve relative data from their owner's organization and then set the front-end permission button (highlighted/greyed) for the current user according to his role and permission.
4. The configuration and implementation of a permission system
Permission configuration is part of the basic settings. Generally, it is the assigned manager who sets the permissions of different roles. Take the image below for reference.
Here are three questions for you to ponder:
- Are organizational permissions handled the same way at the individual and headquarter levels and levels below the headquarter?
- What can be done if someone has multiple roles with different levels of organization permission?
- Will functional permissions always allow access to business records?
In real estate sales, there will be business organization, project organization and project-related data. Let us take the example of a real estate project – the leads generated belong to the project, but the customers and developed company channels belong to the entire system. An employee can take up business roles and project roles. A more complex case would be when an employee takes up multiple business and project roles simultaneously. To have a better understanding, see the example below for Tom’s roles and the corresponding list of leads he has access to.
6. Extension knowledge: organizations in platforms
Administrative organization: used by Human Resource (HR), Office Automation (OA) and other administrative organizations with a clear organizational structure.
Financial organization: organization for financial budget and financial statements. While the administrative organization has five levels, the financial organization only has three levels. The third level of financial organization will respond to the fourth and fifth level of administrative organizations.
Business organization: the organizational structure of business operations is similar yet different from the administrative and financial organizations. For example: in a typical business structure, the Chief Executive Officer (CEO) reports to the director, while the Chief Marketing Officer (CMO) and Chief Financial Officer (CFO) reports to the CEO. However, in the system, business organizations will place the chairman, CEO, CMO and CFO in the top-level organization of the company, which includes even the financial accountant and Business Partners (BP).
Virtual organization: often used in regional management organizations or functional organizations. For example, in the South China virtual organization, there will be financial, HR and other functions with sharing organizations, together with procurement specialists who are responsible for the centralized procurement of market materials. The same financial organization is in charge of supervising two regions, which are virtual organizations. Its data scope corresponds to the permission of business organization in the South China region.
RBAC introduces the concept of role as a general permission model, which facilitates permission allocation and the separation between authority and responsibility. In addition, it is flexible to changes in the enterprise business and security policies. However, the RBAC model does not provide an operational sequence control mechanism, making it unusable for physical systems with similar requirements, such as shopping control systems.