[{"data":1,"prerenderedAt":788},["ShallowReactive",2],{"guide:zh:authorization":3},{"id":4,"title":5,"body":6,"description":780,"extension":781,"meta":782,"navigation":783,"path":784,"seo":785,"stem":786,"__hash__":787},"guide_zh/zh/user/authorization/index.md","授权 — 管理员权限与角色限制",{"type":7,"value":8,"toc":763},"minimark",[9,13,26,30,33,53,56,59,63,66,71,142,147,167,172,183,187,198,201,206,229,233,242,245,277,281,287,292,320,325,339,342,348,358,361,367,373,376,382,388,391,394,400,405,411,417,421,432,435,440,454,459,473,476,481,501,506,523,528,539,542,550,563,568,573,579,584,590,595,601,604,607,612,626,631,645,648,653,664,669,680,685,696,701,712,717,728,733,744,749],[10,11,12],"h1",{"id":12},"授权",[14,15,16,17,21,22,25],"p",{},"授权机制定义了用户在认证后可执行与不可执行的操作。Aptli 结合了两个独立的层级：宽松的",[18,19,20],"strong",{},"管理员权限","（您可以做什么）和严格的",[18,23,24],{},"角色限制","（您不能看到什么）。它们共同为管理员提供对功能和数据可见性的精细控制。",[27,28,29],"h2",{"id":29},"授权模型概述",[14,31,32],{},"Aptli 的完整安全模型有三个层级：",[34,35,36,43,48],"ol",{},[37,38,39,42],"li",{},[18,40,41],{},"身份验证"," — 您是谁（参见身份验证章节）",[37,44,45,47],{},[18,46,20],{}," — 您能修改什么（许可型授权）",[37,49,50,52],{},[18,51,24],{}," — 您不能查看什么（限制型过滤器）",[14,54,55],{},"所有限制均在服务器端执行——未经授权的数据永远不会发送到您的浏览器，无论您通过 UI、API 或导出尝试什么操作。",[14,57,58],{},"该模型在保持安全性的同时提供了极大的灵活性。",[27,60,62],{"id":61},"管理员权限宽松模式","管理员权限（宽松模式）",[14,64,65],{},"管理员权限允许修改信息或变更状态。若无此权限，用户仅能查看数据并编辑个人资料。",[14,67,68],{},[18,69,70],{},"常见管理员权限：",[72,73,74,81,87,93,99,112,124,130,136],"ul",{},[37,75,76,80],{},[77,78,79],"code",{},"usersUpdate"," — 编辑其他用户资料（姓名、职位、部门——不含电子邮件/密码）",[37,82,83,86],{},[77,84,85],{},"usersLogout"," — 强制注销或强制锁定用户",[37,88,89,92],{},[77,90,91],{},"usersDelete"," — 删除用户账户",[37,94,95,98],{},[77,96,97],{},"usersCreate"," — 创建新用户或恢复已删除账户",[37,100,101,104,105,104,108,111],{},[77,102,103],{},"pointsCreate","、",[77,106,107],{},"pointsUpdate",[77,109,110],{},"pointsDelete"," — 修改点要素",[37,113,114,104,117,104,120,123],{},[77,115,116],{},"workOrdersCreate",[77,118,119],{},"workOrdersUpdate",[77,121,122],{},"workOrdersDelete"," — 管理工单",[37,125,126,129],{},[77,127,128],{},"assignmentsCreate"," — 创建工作分配",[37,131,132,135],{},[77,133,134],{},"reportsCreate"," — 提交工作报告",[37,137,138,141],{},[77,139,140],{},"transactionsCreate"," — 创建库存交易",[14,143,144],{},[18,145,146],{},"超级权限（凌驾于所有其他权限之上）：",[72,148,149,155,161],{},[37,150,151,154],{},[77,152,153],{},"appSettingSchemasModify"," — 修改应用程序级设置（域名、超时设置、安全策略）",[37,156,157,160],{},[77,158,159],{},"adminRightsModify"," — 向其他用户授予管理员权限",[37,162,163,166],{},[77,164,165],{},"viewDeleted"," — 查看已删除记录（几乎通用，部分受角色限制覆盖）",[14,168,169],{},[18,170,171],{},"检查用户管理员权限：",[34,173,174,177,180],{},[37,175,176],{},"导航至管理 → 用户",[37,178,179],{},"打开用户资料",[37,181,182],{},"\"管理员权限\"部分列出了所有已授予的权限",[27,184,186],{"id":185},"角色限制限制模式","角色限制（限制模式）",[14,188,189,194],{},[190,191],"img",{"alt":192,"src":193},"角色列表","/guide/authorization/roles-list.png",[195,196,197],"em",{},"角色管理页面显示已配置的角色限制",[14,199,200],{},"角色是一组限制集合，用于阻止查看和修改具有特定特征的记录。角色成员身份将所有限制应用于该用户。",[14,202,203],{},[18,204,205],{},"角色组成部分：",[72,207,208,214,224],{},[37,209,210,213],{},[18,211,212],{},"成员"," — 受这些限制约束的用户",[37,215,216,219,220,223],{},[18,217,218],{},"所有者"," — 控制成员资格的用户（或拥有 ",[77,221,222],{},"rolesUpdate"," 管理权限的用户）",[37,225,226,228],{},[18,227,24],{}," — 隐藏特定数据的字段级过滤器",[230,231,232],"h3",{"id":232},"角色限制结构",[14,234,235,239],{},[190,236],{"alt":237,"src":238},"角色详情","/guide/authorization/role-detail.png",[195,240,241],{},"角色详情页面展示字段级权限配置",[14,243,244],{},"每项限制定义：",[72,246,247,253,259,265,271],{},[37,248,249,252],{},[18,250,251],{},"模型"," — 哪种数据类型（点、多边形、分配等）",[37,254,255,258],{},[18,256,257],{},"字段"," — 按哪个属性过滤（所有者、状态、类别、自定义字段）",[37,260,261,264],{},[18,262,263],{},"比较"," — 匹配方式（=、!=、>、\u003C、包含等）",[37,266,267,270],{},[18,268,269],{},"筛选值"," — 匹配的具体数值",[37,272,273,276],{},[18,274,275],{},"权限"," — 被限制的操作（读取、编辑、创建、删除）",[230,278,280],{"id":279},"示例用例承包商分离","示例用例：承包商分离",[14,282,283,286],{},[18,284,285],{},"场景："," 防止承包商 A 查看承包商 B 的工作内容",[14,288,289],{},[18,290,291],{},"设置：",[34,293,294,297,317],{},[37,295,296],{},"创建角色：\"承包商 A\"",[37,298,299,300],{},"添加角色限制：\n",[72,301,302,305,308,311,314],{},[37,303,304],{},"模型：Point（要素）",[37,306,307],{},"字段：owner",[37,309,310],{},"比较：=",[37,312,313],{},"筛选值：承包商 B",[37,315,316],{},"权限：读取 ✓，编辑 ✓，创建 ✓，删除 ✓（全部为真 = 无法执行任何操作）",[37,318,319],{},"将承包商 A 的用户添加为成员",[14,321,322],{},[18,323,324],{},"结果：",[72,326,327,330,333,336],{},[37,328,329],{},"承包商 A 成员无法查看任何 owner = \"承包商 B\" 的项目",[37,331,332],{},"不仅在 UI 中隐藏——API 返回数据时视同记录不存在",[37,334,335],{},"无法通过截图、API 调用或导出意外查看",[37,337,338],{},"完全由服务器端强制执行",[230,340,341],{"id":341},"其他使用场景",[14,343,344,347],{},[18,345,346],{},"按工作阶段："," 禁止现场工作人员查看质量控制验证报告：",[349,350,355],"pre",{"className":351,"code":353,"language":354},[352],"language-text","角色：\"现场工作人员\"\n限制：\n  模型：Validation\n  字段：status\n  比较：!=\n  筛选值：\"\"（任意值）\n  权限：读取 ✓\n","text",[77,356,353],{"__ignoreMap":357},"",[14,359,360],{},"现场工作人员完全无法查看验证报告。",[14,362,363,366],{},[18,364,365],{},"按资产类型："," 分设基础设施团队（电杆/管道 vs. 活动设备）：",[349,368,371],{"className":369,"code":370,"language":354},[352],"角色：\"土木团队\"\n限制：\n  模型：Point\n  字段：category\n  比较：=\n  筛选值：\"Active Equipment\"\n  权限：读取 ✓，编辑 ✓，创建 ✓，删除 ✓\n",[77,372,370],{"__ignoreMap":357},[14,374,375],{},"土木团队无法查看或修改活动设备点。",[14,377,378,381],{},[18,379,380],{},"按物理/逻辑区分："," 分离办公室数据访问权限（容量关系与办公地点）：",[349,383,386],{"className":384,"code":385,"language":354},[352],"角色：\"容量分析师\"\n限制：\n  模型：Point\n  字段：layer\n  比较：=\n  筛选值：\"Office Locations\"\n  权限：编辑 ✓，创建 ✓，删除 ✓\n",[77,387,385],{"__ignoreMap":357},[14,389,390],{},"分析师可查看办公室信息但不可修改位置（只读权限）。",[27,392,393],{"id":393},"管理员权限与角色限制的结合",[14,395,396,399],{},[18,397,398],{},"默认行为："," 所有用户均可查看所有内容，但无法修改任何内容（除非拥有管理员权限）。",[14,401,402],{},[18,403,404],{},"添加受限写入权限：",[14,406,407,410],{},[18,408,409],{},"示例："," 现场工作人员可编辑自己的工作内容，但不可编辑他人内容",[349,412,415],{"className":413,"code":414,"language":354},[352],"管理员权限：\n  - reportsCreate: true\n  - reportsUpdate: true\n\n角色限制：\n  模型：Report\n  字段：reportedBy\n  比较：!=\n  筛选值：[当前用户 ID]\n  权限：编辑 ✓\n",[77,416,414],{"__ignoreMap":357},[14,418,419],{},[18,420,324],{},[72,422,423,426,429],{},[37,424,425],{},"工作人员可创建报告（已授予管理员权限）",[37,427,428],{},"工作人员仅能编辑自己的报告（角色限制会过滤其他报告）",[37,430,431],{},"无法查看或修改其他工作人员的报告",[27,433,434],{"id":434},"服务器端强制执行",[14,436,437],{},[18,438,439],{},"工作原理：",[72,441,442,445,448,451],{},[37,443,444],{},"所有 API 查询在数据库检索前均经过过滤",[37,446,447],{},"角色限制在服务器端执行（不仅限于 UI 隐藏）",[37,449,450],{},"用户无法通过直接 API 调用、浏览器工具或导出功能绕过限制",[37,452,453],{},"未授权用户面前数据真实不存在",[14,455,456],{},[18,457,458],{},"安全影响：",[72,460,461,464,467,470],{},[37,462,463],{},"截取他人屏幕截图无效（数据不会为您加载）",[37,465,466],{},"无法导出受限数据（服务器强制执行过滤规则）",[37,468,469],{},"无法\"猜测\"记录 ID（ID 查询前已过滤）",[37,471,472],{},"权限范围之外的记录即使知道 ID 也会返回\"未找到\"",[27,474,475],{"id":475},"管理角色",[14,477,478],{},[18,479,480],{},"创建角色：",[34,482,483,486,489,492,495,498],{},[37,484,485],{},"导航至管理 → 角色",[37,487,488],{},"点击\"创建角色\"",[37,490,491],{},"输入角色名称和描述",[37,493,494],{},"添加成员（将用户拖入成员字段）",[37,496,497],{},"添加角色限制（可设置多个）",[37,499,500],{},"保存",[14,502,503],{},[18,504,505],{},"编辑角色：",[72,507,508,514,517,520],{},[37,509,510,511,513],{},"仅限角色所有者或拥有 ",[77,512,222],{}," 管理权限的用户",[37,515,516],{},"可添加/移除成员",[37,518,519],{},"可修改限制条件",[37,521,522],{},"可删除角色（解除成员限制）",[14,524,525],{},[18,526,527],{},"角色成员资格：",[72,529,530,533,536],{},[37,531,532],{},"用户可同时拥有多个角色（限制叠加）",[37,534,535],{},"离开组织时：删除账户前先从所有角色中移除",[37,537,538],{},"批量成员管理：可同时拖拽多个用户",[27,540,541],{"id":541},"为新用户自定义授权",[14,543,544],{},[18,545,546,547,549],{},"应用程序设置配置（需 ",[77,548,153],{}," 权限）：",[34,551,552,555,558,561],{},[37,553,554],{},"导航至应用程序设置 → 身份验证",[37,556,557],{},"\"新用户角色\" — 自动为新账户分配角色",[37,559,560],{},"\"新用户管理员权限\" — 授予默认权限",[37,562,500],{},[14,564,565],{},[18,566,567],{},"典型配置：",[14,569,570],{},[18,571,572],{},"现场工作人员默认设置：",[349,574,577],{"className":575,"code":576,"language":354},[352],"角色：[\"现场工作人员\"]\n管理员权限：{\n  reportsCreate: true,\n  assignmentsRead: true\n}\n",[77,578,576],{"__ignoreMap":357},[14,580,581],{},[18,582,583],{},"办公室协调员默认设置：",[349,585,588],{"className":586,"code":587,"language":354},[352],"角色：[]\n管理员权限：{\n  assignmentsCreate: true,\n  ordersCreate: true,\n  stockItemsView: true\n}\n",[77,589,587],{"__ignoreMap":357},[14,591,592],{},[18,593,594],{},"不自动授予（人工审核）：",[349,596,599],{"className":597,"code":598,"language":354},[352],"角色：[]\n管理员权限：{}（无）\n",[77,600,598],{"__ignoreMap":357},[14,602,603],{},"管理员在账户审核后手动分配。",[27,605,606],{"id":606},"查看有效权限",[14,608,609],{},[18,610,611],{},"针对特定用户：",[34,613,614,617,620,623],{},[37,615,616],{},"导航至用户个人资料",[37,618,619],{},"\"管理员权限\"部分 — 用户可执行的操作",[37,621,622],{},"\"角色\"部分 — 用户不能查看的内容（通过限制实现）",[37,624,625],{},"组合视图显示实际生效的权限",[14,627,628],{},[18,629,630],{},"测试权限：",[34,632,633,636,639,642],{},[37,634,635],{},"以用户身份登录（或使用管理员权限模拟登录）",[37,637,638],{},"正常浏览页面",[37,640,641],{},"受限数据直接不显示",[37,643,644],{},"无管理员权限的操作被禁用/隐藏",[27,646,647],{"id":647},"最佳实践",[14,649,650],{},[18,651,652],{},"从限制开始，按需授予：",[72,654,655,658,661],{},[37,656,657],{},"新用户仅获得最低权限",[37,659,660],{},"根据角色需求逐步添加管理员权限",[37,662,663],{},"授予权限比撤销更容易（避免权限膨胀）",[14,665,666],{},[18,667,668],{},"使用角色控制数据可见性：",[72,670,671,674,677],{},[37,672,673],{},"分隔承包商（防止竞争情报泄露）",[37,675,676],{},"分隔工作阶段（质量控制与现场工作人员）",[37,678,679],{},"分隔资产类型（基础设施与活动设备）",[14,681,682],{},[18,683,684],{},"使用管理员权限管理功能：",[72,686,687,690,693],{},[37,688,689],{},"谁可以创建分配",[37,691,692],{},"谁可以修改库存",[37,694,695],{},"谁可以授予权限",[14,697,698],{},[18,699,700],{},"记录角色用途：",[72,702,703,706,709],{},[37,704,705],{},"角色名称清晰（\"承包商 A\"优于\"角色 1\"）",[37,707,708],{},"描述说明限制条件",[37,710,711],{},"帮助未来管理员理解意图",[14,713,714],{},[18,715,716],{},"定期权限审核：",[72,718,719,722,725],{},[37,720,721],{},"每季度审查用户管理员权限",[37,723,724],{},"移除未使用的权限（用户角色变更）",[37,726,727],{},"检查角色成员资格（用户已离开组织）",[14,729,730],{},[18,731,732],{},"监控访问尝试：",[72,734,735,738,741],{},[37,736,737],{},"记录失败的授权尝试",[37,739,740],{},"拒绝模式表明用户尝试未经授权的访问",[37,742,743],{},"调查并调整权限或对用户进行培训",[14,745,746],{},[18,747,748],{},"最小权限原则：",[72,750,751,754,757],{},[37,752,753],{},"仅授予工作职能所需的最低权限",[37,755,756],{},"项目临时提升访问权限（结束后撤销）",[37,758,759,760,762],{},"超级权限（",[77,761,159],{},"）仅授予可信管理员",{"title":357,"searchDepth":764,"depth":764,"links":765},2,[766,767,768,774,775,776,777,778,779],{"id":29,"depth":764,"text":29},{"id":61,"depth":764,"text":62},{"id":185,"depth":764,"text":186,"children":769},[770,772,773],{"id":232,"depth":771,"text":232},3,{"id":279,"depth":771,"text":280},{"id":341,"depth":771,"text":341},{"id":393,"depth":764,"text":393},{"id":434,"depth":764,"text":434},{"id":475,"depth":764,"text":475},{"id":541,"depth":764,"text":541},{"id":606,"depth":764,"text":606},{"id":647,"depth":764,"text":647},"控制用户可以做什么以及可以看到什么。Aptli 将宽松的管理员权限（谁可以创建、更新、删除）与严格的角色限制（服务器端的字段级过滤器，完全隐藏数据）相结合。","md",{},true,"/zh/user/authorization",{"title":5,"description":780},"zh/user/authorization/index","QFKh09qGIdq2qlL29MqWtxI5-1O-ahk-TYfgQ3X5INk",1780539281497]