22F-PERM-A

Permission Engine Status Inventory

This page calibrates the real progress of the permission engine: the engine is not starting from zero. It already has page prototypes, permission tables, role subjects, page permissions, data scopes, field permissions, action permissions, and an audit foundation.


1. Core Inventory Metrics

Permission-related pages: 61
Permission-related code files: 267
Permission-related / adjacent tables: 21
page rules: 105
field rules: 91
action rules: 130
audit logs: 4723
roles / subjects: 7 / 9

2. Current Permission Enforcement on /api/employees

The employee list already enforces page_permission + data_scope at request time; it is not a purely static page permission.

Field | Current value
current_user_id | E100
visible_count / hidden_count | 11 / 0
permission_enforced | dependency:page_permission+data_scope
page_permission_allowed | True
page rule | PAGE_RULE_0086
data scope rule | DATA_SCOPE_BOSS_GLOBAL
data scope type | global

3. Core Permission Tables

Table | Rows | Core fields | Status | Sample
permission_subjects | 9 | id, subject_id, subject_type, user_id, employee_id, role_id, department_id, team_id, hrbp_scope_ids, reviewer_scope_ids | exists | 5 sample
permission_roles | 7 | id, role_id, role_name, role_type, role_description, role_status, default_scope_type, sensitivity_level_allowed, created_at, updated_at | exists | 5 sample
page_permission_rules | 105 | id, rule_id, rule_version_id, page_key, page_name, subject_type, subject_id, role_id, allow_access, access_mode | exists | 5 sample
data_scope_rules | 4 | id, rule_id, rule_version_id, subject_id, role_id, data_object_type, scope_type, scope_ids, include_subordinates, include_indirect_reports | exists | 4 sample
field_permission_rules | 91 | id, rule_id, rule_version_id, subject_id, role_id, data_object_type, field_key, field_name, sensitivity_level, permission_result | exists | 5 sample
action_permission_rules | 130 | id, rule_id, rule_version_id, subject_id, role_id, action_type, target_object_type, allowed, action_mode, require_approval | exists | 5 sample
permission_audit_logs | 4723 | id, audit_id, user_id, employee_id, role_id, accessed_page, accessed_object_type, accessed_object_id, accessed_field_key, action_type | exists | 5 sample
audit_logs | 4723 | id, audit_id, user_id, employee_id, role_id, action_type, object_type, object_id, field_key, permission_result | exists | 5 sample
employees | 11 | id, employee_id, employee_name, employee_no, email, mobile, feishu_open_id, feishu_union_id, department_id, team_id | exists | 5 sample
user_sessions | 8 | id, session_id, user_id, employee_id, login_source, access_token_hash, refresh_token_hash, login_at, expires_at, last_seen_at | exists | 5 sample
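The /api/employees readout in section 2 shows page_permission and data_scope enforced as one dependency. The following added example (not the project's backend code) models that combination over the page_permission_rules, data_scope_rules and employees columns inventoried above and fails closed when either rule is missing; the role ids 'boss' and 'hrbp', every id starting with HYPO_, and the 'department' scope semantics are assumptions, since only the 'global' scope type appears on this page.

```python
from dataclasses import dataclass, field

@dataclass
class PageRule:                 # subset of page_permission_rules columns
    rule_id: str
    page_key: str
    role_id: str
    allow_access: bool

@dataclass
class DataScopeRule:            # subset of data_scope_rules columns
    rule_id: str
    role_id: str
    data_object_type: str
    scope_type: str             # 'global' is on the page; 'department' is an assumed type
    scope_ids: list = field(default_factory=list)

def row_in_scope(rule: DataScopeRule, row: dict) -> bool:
    # Assumed semantics: global sees every row; department scope matches department_id.
    if rule.scope_type == "global":
        return True
    return rule.scope_type == "department" and row.get("department_id") in rule.scope_ids

def enforce(user: dict, page_key: str, page_rules, scope_rules, rows) -> dict:
    """page_permission + data_scope as one dependency; no matching rule means nothing is visible."""
    page = next((r for r in page_rules
                 if r.page_key == page_key and r.role_id == user["role_id"]), None)
    allowed = bool(page and page.allow_access)
    scope = next((r for r in scope_rules
                  if r.role_id == user["role_id"] and r.data_object_type == "employee"), None)
    visible = [row for row in rows if allowed and scope and row_in_scope(scope, row)]
    return {
        "current_user_id": user["employee_id"],
        "permission_enforced": "dependency:page_permission+data_scope",
        "page_permission_allowed": allowed,
        "page_rule": page.rule_id if page else None,
        "data_scope_rule": scope.rule_id if scope else None,
        "data_scope_type": scope.scope_type if scope else None,
        "visible_count": len(visible),
        "hidden_count": len(rows) - len(visible),
    }

# Constructed sample data: 11 employees as in the inventory; E100's rule ids are the page's,
# the hrbp role, its rules and every HYPO_ id are hypothetical.
EMPLOYEES = [{"employee_id": f"E{100 + i}", "department_id": "D1" if i < 6 else "D2"}
             for i in range(11)]
PAGE_RULES = [PageRule("PAGE_RULE_0086", "employees", "boss", True),
              PageRule("HYPO_PAGE_RULE_01", "employees", "hrbp", True)]
SCOPE_RULES = [DataScopeRule("DATA_SCOPE_BOSS_GLOBAL", "boss", "employee", "global"),
               DataScopeRule("HYPO_DATA_SCOPE_HRBP_D2", "hrbp", "employee", "department", ["D2"])]
BOSS, HRBP = {"employee_id": "E100", "role_id": "boss"}, {"employee_id": "E105", "role_id": "hrbp"}
```

Calling `enforce(BOSS, "employees", PAGE_RULES, SCOPE_RULES, EMPLOYEES)` reproduces the section 2 readout (11 visible, 0 hidden under DATA_SCOPE_BOSS_GLOBAL), while the hrbp user sees only the 5 D2 rows.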

4. Permission Pages Found

Page: Data Scope Permission Demo - Talent Review OS
Path: /outputs/data_scope_permission_demo_v1.html
Keywords: data_scope, field_permission, page_permission, permission, permissions, role, roles, scope, 字段, 数据范围, 权限, 角色

Page: Field-Level Permission Demo - Talent Review OS
Path: /outputs/field_permission_demo_v1.html
Keywords: data_scope, field_permission, page_permission, permission, permissions, role, roles, scope, 字段, 审计, 数据范围, 权限, 角色

Page: Page Permission Demo - Talent Review OS
Path: /outputs/page_permission_demo_v1.html
Keywords: data_scope, field_permission, page_permission, permission, permissions, role, roles, scope, 字段, 审计, 数据范围, 权限, 角色, 访问

Page: Permission Engine Workbench - Talent Review OS
Path: /outputs/permission_engine_workbench_v1.html
Keywords: data_scope, field_permission, page_permission, permission, role, roles, scope, scopes, 字段, 审计, 数据范围, 权限, 角色

Page: Permission Scope Explainer - Talent Review OS
Path: /outputs/permission_scope_explainer_v1.html
Keywords: permission, permissions, scope, scopes, 权限

Page: Feishu Minimal Open Check
Path: /feishu-minimal-open-check.html
Keywords: scope

Page: Feishu Position Mapping Readiness - HRMS
Path: /feishu-position-mapping-readiness.html
Keywords: role, 字段

Page: 22F-36 Stage Summary - HRMS
Path: /hrms-22f36-stage-summary.html
Keywords: 访问

Page: HRMS Login Entry - Talent Review OS
Path: /hrms-auth-entry.html
Keywords: role, scope, 权限, 角色

Page: HRMS Feishu Entry Acceptance
Path: /hrms-entry-acceptance.html
Keywords: 权限

Page: HRMS and Feishu Capability Boundary
Path: /hrms-feishu-capability-boundary.html
Keywords: 字段, 审计, 数据范围, 权限

Page: HRMS Portal - Talent Review OS
Path: /hrms-portal-old-22f-ui-a-20260513_143800.html
Keywords: 权限

5. Permission Code Found

Code: backend/README.md
Keywords: current_user, permission, permissions
Snippet: - Provides FastAPI endpoints for health, import plan, employees, and permission checks

Code: backend/main.py
Keywords: permission, permissions
Snippet: from backend.routers.permissions import router as permissions_router

Code: backend/middleware/auth_context.py
Keywords: current_user
Snippet: resolve_current_user_from_user_id,

Code: backend/middleware/employee_title_enrichment.py
Keywords: role
Snippet: "role_family",

Code: backend/routers/algorithm.py
Keywords: DATA_SCOPE, data_scope, field_permission, matched_rule, page_permission, permission, permissions
Snippet: from backend.security.dependencies import require_page_permission, require_action_permission

Code: backend/routers/algorithm_inputs.py
Keywords: DATA_SCOPE, data_scope, page_permission, permission
Snippet: from backend.security.dependencies import require_page_permission, require_action_permission

Code: backend/routers/algorithm_insights.py
Keywords: DATA_SCOPE, data_scope, field_permission, page_permission, permission, permissions
Snippet: from backend.security.dependencies import require_page_permission

Code: backend/routers/algorithm_report.py
Keywords: DATA_SCOPE, data_scope, field_permission, page_permission, permission, permissions
Snippet: from backend.security.dependencies import require_page_permission

Code: backend/routers/assessments.py
Keywords: DATA_SCOPE, current_user, data_scope, page_permission, permission
Snippet: from backend.security.dependencies import require_page_permission, require_action_permission

Code: backend/routers/audit_logs.py
Keywords: page_permission, permission, role
Snippet: from backend.security.dependencies import require_page_permission

6. Current Judgment and Next Steps

Conclusion: the permission engine should currently be defined as "P0/P1 foundation already in place, not yet productized", not as a future build from zero.