[{"data":1,"prerenderedAt":217},["ShallowReactive",2],{"guide:zh:admin/authorization":3},{"id":4,"title":5,"body":6,"description":209,"extension":210,"meta":211,"navigation":212,"path":213,"seo":214,"stem":215,"__hash__":216},"guide_zh/zh/user/admin/authorization.md","授权设置",{"type":7,"value":8,"toc":201},"minimark",[9,13,22,25,35,39,46,60,82,85,106,109,116,119,153,156,159,162,173,176,183,190,193],[10,11,12],"h1",{"id":12},"授权",[14,15,16,17,21],"p",{},"授权定义了用户在访问应用程序后能够或不能执行哪些操作（参见 ",[18,19,20],"code",{},"./authentication","）。",[14,23,24],{},"Aptli 的授权模型融合了宽松与严格的双重特性，从而实现了极高的灵活性：",[26,27,28,32],"ol",{},[29,30,31],"li",{},"管理员权限——可通过用户设置查看（截图待添加）",[29,33,34],{},"通过成员资格实现的严格角色限制模型（截图待添加）",[36,37,38],"h2",{"id":38},"管理员权限",[14,40,41,42,45],{},"管理员权限采用许可制。这意味着权限必须显式授予用户，且只涉及修改信息或变更状态的操作，不涉及读取。例如，拥有 ",[18,43,44],{},"usersUpdate"," 权限的用户可修改其他用户的某些个人资料详情，包括姓名、职位、部门等，但不包括电子邮件、密码、SSO 及验证日期等信息的变更。若未授予此权限，用户仅能编辑自身资料。",[14,47,48,51,52,55,56,59],{},[18,49,50],{},"usersLogout"," 用于强制锁定或注销用户，",[18,53,54],{},"usersDelete"," 用于删除用户账户。",[18,57,58],{},"usersCreate"," 可恢复已删除账户或按上述字段限制创建全新账户。",[14,61,62,63,66,67,70,71,70,74,77,78,81],{},"工单权限使用 ",[18,64,65],{},"workOrders"," 前缀：",[18,68,69],{},"workOrdersCreate","、",[18,72,73],{},"workOrdersUpdate",[18,75,76],{},"workOrdersDelete","。（注：",[18,79,80],{},"orders"," 是另一个独立的数据模型——请勿混淆两者。）",[14,83,84],{},"几乎所有数据模型都遵循此行为模式，仅有 3 项管理权限可覆盖所有数据模型：",[86,87,88,94,100],"ul",{},[29,89,90,93],{},[18,91,92],{},"appSettingSchemasModify","：允许修改应用程序级设置，如允许的域名、超时设置及服务器信息",[29,95,96,99],{},[18,97,98],{},"adminRightsModify","：允许用户将其拥有的管理权限共享并扩展给其他用户；由于该权限可用于传播管理权限，应谨慎授予",[29,101,102,105],{},[18,103,104],{},"viewDeleted","：允许用户查看已删除记录。此权限几乎无处不在，但可通过角色限制部分覆盖",[36,107,108],{"id":108},"角色限制",[14,110,111,112,115],{},"角色具有限制性。这意味着被分配到某个角色后，将无法查看或修改具有特定特征的记录。角色是由\"角色限制\"组成的集合，并包含\"成员\"。只有角色的\"所有者\"或拥有 ",[18,113,114],{},"RoleUpdate"," 管理权限的人员才能更改成员。",[14,117,118],{},"角色限制包含基础配置：模型、字段、比较条件、筛选值以及读取/编辑/创建/删除权限。例如，假设某些资产分别属于相互竞争的承包商 A 和承包商 B，不应被对方查看。要阻止承包商 A 的成员访问承包商 B 所拥有的资产信息，请执行以下操作：",[86,120,121,128,131,138,144,150],{},[29,122,123,124,127],{},"创建名为 ",[18,125,126],{},"承包商 A"," 的角色，并添加角色限制，详细信息如下：",[29,129,130],{},"将模型设置为 Point 以表示点要素",[29,132,133,134,137],{},"设置包含所有者等信息的字段（如 ",[18,135,136],{},"owner","）",[29,139,140,141],{},"设置比较条件为 ",[18,142,143],{},"=",[29,145,146,147],{},"将过滤值设为 ",[18,148,149],{},"承包商 B",[29,151,152],{},"将读取、编辑、创建、删除均设为 true。注意这里的 true 表示\"受限\"而非\"允许\"：设为 true 后，该角色成员将无法查看或修改匹配此条件的记录",[14,154,155],{},"完成后，将承包商 A 的成员添加到该角色中，承包商 A 的成员将无法查看任何由承包商 B 作为所有者的内容。",[36,157,158],{"id":158},"管理员权限与角色限制的协同使用",[14,160,161],{},"默认情况下，所有非管理员用户均可查看全部内容，但不能修改全部内容。广泛授予的写入权限可通过角色限制按记录收窄，从而定义严格的流程控制机制，实现以下有用的权限分离：",[86,163,164,167,170],{},[29,165,166],{},"按工作阶段划分（即防止提交工作报告的人员后续查看质量保证报告）",[29,168,169],{},"按资产类型划分（例如：杆塔、管道等基础设施与活动设备、电力电缆等由不同人员管理）",[29,171,172],{},"按物理与逻辑概念划分（例如：不同办公场所间的容量与消耗等关联关系，与办公场所本身的地理位置及特征属性）",[36,174,175],{"id":175},"为新用户自定义身份验证与授权",[14,177,178,179,182],{},"修改任何这些设置都需要用户配置文件中拥有\"appSettingSchemasModify\"权限。该权限默认授予超级管理员，但也可由其他管理员共享。要查看用户拥有的管理权限，请在用户页面（",[18,180,181],{},"http://[您的主机]/admin/users","）查看其配置文件中的\"管理权限\"部分。",[14,184,185],{},[186,187,189],"a",{"href":188},"./admin-rights.png","检查管理员权限",[14,191,192],{},"以下内容可进行自定义以覆盖默认设置：",[86,194,195,198],{},[29,196,197],{},"新用户角色",[29,199,200],{},"新用户管理员权限",{"title":202,"searchDepth":203,"depth":203,"links":204},"",2,[205,206,207,208],{"id":38,"depth":203,"text":38},{"id":108,"depth":203,"text":108},{"id":158,"depth":203,"text":158},{"id":175,"depth":203,"text":175},"为新用户配置默认角色和管理员权限，了解管理员权限与角色限制如何结合以控制访问。","md",{},true,"/zh/user/admin/authorization",{"title":5,"description":209},"zh/user/admin/authorization","v87j7NhRHaBMQOjhUHzhuUR47DZ5PqOaDrELbFnSOc0",1780539281313]