Skip to main content

基于角色的访问控制 (RBAC)

¥Role-Based Access Control (RBAC)

Page summary:

Role-Based Access Control (RBAC) manages administrator roles and granular permissions in the admin panel. This documentation covers creating roles, assigning rights, and securing administrative workflows.

基于角色的访问控制 (RBAC) 功能允许管理管理员,他们是管理面板的用户。更具体地说,RBAC 管理管理员的账户和角色。

¥The Role-Based Access Control (RBAC) feature allows the management of the administrators, who are the users of the admin panel. More specifically, RBAC manages the administrators' accounts and roles.

IDENTITY CARD
Plan
Free feature
Role & permission
CRUD permissions in Roles > Settings - Users & Roles
Activation
Available and activated by default
Environment
Available in both Development & Production environment

配置

¥Configuration

配置功能的路径: 设置 > 管理面板 > 角色

¥Path to configure the feature: Settings > Administration panel > Roles

角色界面显示为 Strapi 应用的管理员创建的所有角色。

¥The Roles interface displays all created roles for the administrators of your Strapi application.

通过该界面,可以:

¥From this interface, it is possible to:

默认情况下,为任何 Strapi 应用定义了 3 个管理员角色:

¥By default, 3 administrator roles are defined for any Strapi application:

  • 作者:能够创建和管理自己的内容。

    ¥Author: to be able to create and manage their own content.

  • 编辑:能够创建内容以及管理和发布任何内容。

    ¥Editor: to be able to create content, and manage and publish any content.

  • 超级管理员:能够访问所有功能和设置。这是创建 Strapi 应用时默认归属于第一位管理员的角色。

    ¥Super Admin: to be able to access all features and settings. This is the role attributed by default to the first administrator at the creation of the Strapi application.

创建新角色

¥Creating a new role

在“管理”面板 >“角色”界面的右上角,会显示“添加新角色”按钮。单击“添加新角色”按钮,为 Strapi 应用的管理员创建新角色。

¥On the top right side of the Administration panel > Roles interface, an Add new role button is displayed. Click on that Add new role button to create a new role for administrators of your Strapi application.

你将被重定向到角色编辑界面,在那里你将能够编辑角色的详细信息并配置其权限(参见 编辑角色)。

¥You will be redirected to the roles edition interface, where you will be able to edit the role's details and configure its permissions (see Editing a role).

New role with RBACNew role with RBAC
提示

在角色界面中,从表中,你可以点击复制按钮通过复制现有角色来创建新角色。

¥In the Roles interface, from the table, you can click on the duplicate button to create a new role by duplicating an existing one.

删除角色

¥Deleting a role

可以从管理面板 > 角色界面删除管理员角色。但是,只有当它们不再属于 Strapi 应用的任何管理员时,才能将其删除。

¥Administrator roles can be deleted from the Administration panel > Roles interface. However, they can only be deleted once they are no more attributed to any administrator of the Strapi application.

  1. 确保你要删除的角色不再归属于任何管理员。

    ¥Make sure the role you wish to delete is not attributed to any administrator anymore.

  2. 点击角色记录右侧的删除按钮

    ¥Click on the delete button on the right side of the role's record.

  3. 在删除窗口中,点击确认按钮确认删除。

    ¥In the deletion window, click on the Confirm button to confirm the deletion.

编辑角色

¥Editing a role

Administrator roles edition interfaceAdministrator roles edition interface

角色编辑界面允许编辑管理员角色的详细信息,以及详细配置 Strapi 应用所有部分的权限。

¥The role edition interface allows to edit the details of an administrator role as well as configure in detail the permissions to all sections of your Strapi application.

可通过管理面板 > 角色访问,方法是单击角色记录右侧的编辑按钮 ,或单击添加新角色按钮(参见 创建新角色)。

¥It is accessible from Administration panel > Roles either after clicking on the edit button on the right side of a role's record, or after clicking on the Add new role button (see Creating a new role).

提醒

无法编辑超级管理员角色的权限。所有配置均处于只读模式。

¥It isn't possible to edit the permissions of the Super Admin role. All configurations are in read-only mode.

编辑角色详细信息

¥Editing role's details

管理员角色编辑界面的详细信息区域允许定义角色的名称,并为其提供描述,以帮助其他管理员了解该角色可以访问的内容。

¥The details area of an administrator role editing interface allow to define the name of the role, and to give it a description that should help other administrators understand what the role gives access to.

角色详情指示
名称在文本框中写入角色的新名称。
描述在文本框中写下角色的描述。
提示

在右上角,你可以看到一个计数器,指示有多少管理员被赋予了该角色。

¥In the top right corner, you can see a counter indicating how many administrators have been attributed the role.

配置角色的权限

¥Configuring role's permissions

管理员角色编辑界面的权限区域允许详细配置管理员可以对 Strapi 应用的任何部分执行哪些操作。

¥The permissions area of an administrator role editing interface allows to configure in detail what actions an administrator can do for any part of the Strapi application.

它显示为表格,分为 4 类:集合类型单一类型插件设置

¥It is displayed as a table, split into 4 categories: Collection types, Single types, Plugins and Settings.

集合型和单品型

¥Collection and Single types

集合类型和单一类型类别分别列出了 Strapi 应用的所有可用集合和单一类型。

¥The Collection types and Single types categories respectively list all available collection and single types for the Strapi application.

对于每种内容类型,管理员可以有权执行以下操作:创建、读取、更新、删除和发布。

¥For each content-type, the administrators can have the permission to perform the following actions: create, read, update, delete and publish.

  1. 转到权限表的集合类型或单一类型类别。

    ¥Go to the Collection types or Single types category of the permissions table.

  2. 勾选要授予访问权限的内容类型名称左侧的框。默认情况下,可以对内容类型的所有字段执行所有操作。

    ¥Tick the box on the left of the name of the content-type to give access to. By default, all actions can be performed for all fields of the content-type.

  3. (可选)取消选中与操作相关的框以阻止你选择的操作。

    ¥(optional) Untick the action-related boxes to prevent actions of your choice.

  4. (可选)单击内容类型的名称可显示其完整字段列表。取消选中与字段和操作相关的框以阻止对你选择的字段进行访问和/或操作。如果安装了 国际化功能,还定义应为每个可用区域设置授予哪些权限。

    ¥(optional) Click the name of the content-type to display its full list of fields. Untick the field and action-related boxes to prevent access and/or action for the fields of your choice. If the Internationalization feature is installed, define also what permissions should be granted for each available locale.

  5. 对角色应授予访问权限的每个可用内容类型重复步骤 2 至 4。

    ¥Repeat steps 2 to 4 for each content-type available to which the role should give access.

  6. 单击右上角的“保存”按钮。

    ¥Click on the Save button on the top right corner.

插件和设置

¥Plugins and Settings

插件和设置类别均显示 Strapi 应用的每个可用插件或设置的子类别。每个子类别都包含其自己特定的权限集。

¥The Plugins and Settings categories both display a sub-category per available plugin or setting of the Strapi application. Each sub-category contains its own specific set of permissions.

  1. 转到权限表的插件或设置类别。

    ¥Go to the Plugins or Settings category of the permissions table.

  2. 单击要配置权限的子类别名称,可显示所有可用权限。

    ¥Click on the name of the sub-category which permissions to configure, to display all available permissions.

  3. 勾选角色应授予访问权限的权限框。你可以参考下表了解更多信息和说明。

    ¥Tick the boxes of the permissions the role should give access to. You can refer to the table below for more information and instructions.

默认情况下,可以为 内容类型生成器上传(即媒体库)内容管理者用户和权限 配置包权限(即允许管理终端用户的用户和权限功能)。每个包都有自己特定的权限集。

¥By default, packages permissions can be configured for the Content-type Builder, Upload (i.e. Media Library), the Content Manager, and Users & Permissions (i.e. the Users & Permissions feature allowing to manage end users). Each package has its own specific set of permissions.

包名称权限
内容发布
(发布)
内容管理者
内容类型构建器
上传
(媒体库)
用户权限

  1. 单击右上角的“保存”按钮。

    ¥Click on the Save button on the top right corner.

设置权限的自定义条件

¥Setting custom conditions for permissions

对于每个类别的每个权限,都会显示一个 设置按钮。它允许通过定义授予管理员权限的附加条件来进一步推动权限配置。

¥For each permission of each category, a Settings button is displayed. It allows to push the permission configuration further by defining additional conditions for the administrators to be granted the permission.

有 2 个默认附加条件:

¥There are 2 default additional conditions:

  • 管理员必须是创建者,

    ¥the administrator must be the creator,

  • 管理员必须具有与创建者相同的角色。

    ¥the administrator must have the same role as the creator.

Custom conditionsCustom conditions

  1. 单击已授予该角色权限的 设置按钮。

    ¥Click on the Settings button of the permission already granted for the role.

  2. 在定义条件窗口中,可以使用特定条件自定义每个可用权限。单击与你要自定义的权限相关的下拉列表。

    ¥In the Define conditions window, each available permission can be customized with a specific condition. Click on the drop-down list related to the permission you want to customize.

  3. 为所选权限定义自定义条件。你可以:

    ¥Define the custom condition for the chosen permission. You can either:

    • 勾选默认选项以应用所有可用的附加条件。

      ¥Tick the Default option for all available additional conditions to be applied.

    • 单击箭头按钮 查看可用的附加条件并仅勾选所选的条件。

      ¥Click on the arrow button to see the available additional conditions and tick only the chosen one(s).

  4. 单击应用按钮。

    ¥Click on the Apply button.

提示

为权限设置自定义条件后,权限名称和 设置按钮旁边会显示一个点。

¥Once a custom condition is set for a permission, a dot is displayed next to the permission's name and the Settings button.

提醒

只能为已勾选授予角色的权限设置自定义条件。如果不是,则在单击 设置按钮时,打开的窗口将保持空白,因为没有可用的自定义条件选项。

¥Custom conditions can only be set for permissions that have been ticked to be granted for the role. If not, when clicking the Settings button, the window that opens will remain empty, as no custom condition option will be available.

如果已为你的 Strapi 应用预先创建了其他自定义条件,则可以使用它们。以下专用指南可帮助你创建其他自定义条件:

¥Other custom conditions can be available if they have been created beforehand for your Strapi application. The following dedicated guide helps you create additional custom conditions:

用法

¥Usage

使用功能的路径: 设置 > 管理面板 > 用户

¥Path to use the feature: Settings > Administration panel > Users

用户界面显示一个表格,列出了 Strapi 应用的所有管理员。更具体地说,对于表中列出的每个管理员,都会显示他们的主要账户信息,包括名称、电子邮件和归属角色。还显示了他们账户的状态:活动或非活动,取决于管理员是否已登录激活账户。

¥The Users interface displays a table listing all the administrators of your Strapi application. More specifically, for each administrator listed in the table, their main account information are displayed, including name, email and attributed role. The status of their account is also indicated: active or inactive, depending on whether the administrator has already logged in to activate the account or not.

Users interfaceUsers interface

通过该界面,可以:

¥From this interface, it is possible to:

  • 进行文本搜索 1 以查找特定管理员,

    ¥make a textual search 1 to find specific administrators,

  • 设置过滤器 2 以查找特定管理员,

    ¥set filters 2 to find specific administrators,

  • 创建一个新的管理员账户(参见 创建新账户3,

    ¥create a new administrator account (see Creating a new account) 3,

  • 删除管理员账户 4(参见 删除账户),

    ¥delete an administrator account 4 (see Deleting an account),

  • 或访问有关管理员账户的信息,并对其进行编辑 5(参见 编辑账户)。

    ¥or access information regarding an administrator account, and edit it 5 (see Editing an account).

提示

可以为表中显示的大多数字段启用排序。单击表标题中的字段名称可对该字段进行排序。

¥Sorting can be enabled for most fields displayed in the table. Click on a field name, in the header of the table, to sort on that field.

创建新账户

¥Creating a new account

User invitationUser invitation

  1. 单击 邀请新用户按钮。

    ¥Click on the Invite new user button.

  2. 在邀请新用户窗口中,填写有关新管理员的详细信息:

    ¥In the Invite new user window, fill in the Details information about the new administrator:

用户信息指示
(强制的)在文本框中写下管理员的名字。
(强制的)在文本框中写入管理员的姓氏。
电子邮件(强制的)在文本框中写入管理员的完整电子邮件地址。

  1. 填写新管理员的登录设置:

    ¥Fill in the Login settings about the new administrator:

环境指示
用户的角色(强制的)从下拉列表中选择要归属于新管理员的角色。
使用 SSO 连接(可选)单击 TRUE 或 FALSE 将新管理员账户与 SSO 连接。

  1. 单击添加新用户窗口右下角的邀请用户按钮。

    ¥Click on the Invite user button in the bottom right corner of the Add new user window.

  2. URL 将出现在窗口顶部:这是向新管理员发送的 URL,以便他们首次登录你的 Strapi 应用。单击复制按钮 复制 URL。

    ¥A URL appears at the top of the window: it is the URL to send the new administrator for them to log in for the first time to your Strapi application. Click the copy button to copy the URL.

  3. 单击右下角的“完成”按钮以完成新管理员账户的创建。新管理员现在应列在表中。

    ¥Click on the Finish button in the bottom right corner to finish the new administrator account creation. The new administrator should now be listed in the table.

注意

管理员邀请 URL 可从管理员账户访问,直至激活。

¥The administrator invitation URL is accessible from the administrator's account until it has been activated.

删除账户

¥Deleting an account

可以同时删除一个或多个管理员账户。

¥It is possible to delete one or several administrator accounts at the same time.

  1. 点击账户记录右侧的删除按钮 ,或通过勾选账户记录左侧的框来选择一个或多个账户,然后单击表格上方的 删除按钮。

    ¥Click on the delete button on the right side of the account's record, or select one or more accounts by ticking the boxes on the left side of the accounts' records then click on the Delete button above the table.

  2. 在删除窗口中,点击确认按钮确认删除。

    ¥In the deletion window, click on the Confirm button to confirm the deletion.

编辑账户

¥Editing an account

Edit an administrator accountEdit an administrator account

  1. 单击要编辑其账户的管理员的名称。

    ¥Click on the name of the administrator whose account you want to edit.

  2. 在详细信息区域中,编辑你选择的账户详细信息:

    ¥In the Details area, edit your chosen account details:

用户信息指示
在文本框中写下管理员的名字。
在文本框中写入管理员的姓氏。
电子邮件在文本框中写入管理员的完整电子邮件地址。
用户名在文本框中写入管理员的用户名。
密码在文本框中写入新管理员账户的密码。
确认密码在文本框中写入新密码以进行确认。
积极的单击 TRUE 激活管理员账户。

  1. (可选)在“角色”区域中,编辑管理员的角色:

    ¥(optional) In the Roles area, edit the role of the administrator:

  • 单击下拉列表选择一个新角色,和/或将其添加到已归属的角色中。

    ¥Click on the drop-down list to choose a new role, and/or add it to the already attributed one.

  • 单击删除按钮 删除已分配的角色。

    ¥Click on the delete button to delete an already attributed role.

  1. 单击右上角的“保存”按钮。

    ¥Click on the Save button in the top right corner.