Once the data objects are defined, the next thing we need to consider is: who can access, edit, and delete which data?
Role-Based Access Control
Many management systems adopt the "Role-Based Access Control (RBAC)" model that is common across the industry, in which authorization is granted indirectly through "role → permission". Administrators do not need to set permissions for each user individually. They only need to define "roles" and assign users to the corresponding roles, and the access rules are then controlled uniformly.
For example:
- We can set up roles such as "salesperson" and "supervisor".
- Then set the following permissions:
  - The salesperson role can create and view customer records, but cannot delete them.
  - The supervisor role can view all sales data.
- Finally, assign the corresponding personnel to their respective roles.
Different Levels of Permissions:
Module-level Permissions
When defining which parts of the application a role can access, a relatively coarse level is module-level permissions, such as permission to access a certain form or page.
For example:
The salesperson role can access the "Customer Table", but cannot access the "Contract Table" or "Finance Table".
Record-level Permissions
Even if a user has permission to access a certain table, access can be restricted further so that the user can only reach the data that belongs to them. The most common strategy is to set a data owner field on each record.
For example:
Each record in the customer table has a "Customer Responsible Person" field. Although all salespersons can access the "Customer Table", each salesperson can only see "the customers they are in charge of", while the supervisor can view all customers.
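The role assignment, module-level check and record-level owner check described above, combined into one deny-by-default authorization routine. This is an added example, not code from the original page: the user names, the `responsible` field (standing in for "Customer Responsible Person") and the choice to limit the supervisor's grant to viewing the customer table are assumptions.

```python
# Constructed example: role, user, table and field names are illustrative.
SCOPE_RANK = {"own": 1, "all": 2}

# role -> module -> action -> record scope
# "own" = only records the user is responsible for, "all" = every record.
ROLE_PERMISSIONS = {
    "salesperson": {"customer": {"create": "own", "view": "own"}},
    "supervisor": {"customer": {"view": "all"}},
}

# Users are assigned to roles, never granted permissions directly.
USER_ROLES = {
    "alice": {"salesperson"},
    "bob": {"salesperson"},
    "carol": {"supervisor"},
}

# Constructed sample rows of the customer table, each with an owner field.
CUSTOMERS = [
    {"id": 1, "name": "Acme", "responsible": "alice"},
    {"id": 2, "name": "Globex", "responsible": "bob"},
    {"id": 3, "name": "Initech", "responsible": "alice"},
]


def effective_scope(user, module, action):
    """Module-level check: widest scope any of the user's roles grants, else None."""
    best = None
    for role in USER_ROLES.get(user, ()):
        scope = ROLE_PERMISSIONS.get(role, {}).get(module, {}).get(action)
        if scope and (best is None or SCOPE_RANK[scope] > SCOPE_RANK[best]):
            best = scope
    return best


def can_access(user, module, action, record):
    """Record-level check, applied only after the module-level check passes."""
    scope = effective_scope(user, module, action)
    if scope is None:
        return False  # unknown user, module or action: deny by default
    return scope == "all" or record.get("responsible") == user


def visible_records(user, module, table):
    """Filter a table down to the rows the user is allowed to view."""
    return [r for r in table if can_access(user, module, "view", r)]
```

Applying `visible_records` on the server side of every list query, rather than hiding rows in the user interface, is what makes the owner field an actual access control.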