AuthZ
Structured guidance for authorization (RBAC, ABAC, policy enforcement): confirm triggers, propose the stages below, and adapt if the user wants a lighter pass.
When to Offer This Workflow
Trigger conditions:
- User mentions authorization, authZ, permissions, or closely related work
- They want a structured workflow rather than ad-hoc tips
- They are preparing a review, rollout, or stakeholder communication
Initial offer:
Explain the four stages briefly and ask whether to follow this workflow or work freeform. If they decline, continue in their preferred style.
Workflow Stages
Stage 1: Clarify context & goals
Anchor on the access model (RBAC, ABAC, or ReBAC). Ask what success looks like, what the constraints are, and what must not break. Capture unknowns early.
Stage 2: Design or plan the approach
Translate the goals into a concrete plan centered on the policy enforcement points (where each check runs and what it consults). Compare alternatives with explicit trade-offs; do not leave assumptions implicit.
Stage 3: Implement, validate, and harden
Execute with verification loops, paying particular attention to auditing and admin paths. Harden by testing negative cases (denied access, cross-tenant requests, principals with no roles) as well as the happy path. Prefer small steps, measurable checks, and rollback points where risk is high.
Stage 4: Operate, communicate, and iterate
Close the loop: monitoring, documentation, stakeholder updates, and lessons learned for the next cycle.
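Worked example, added here and not part of the original guidance: a deny-by-default policy decision point (PDP), an enforcement point (PEP) that audits every decision, a measurable check on the policy table for the admin path, and the negative cases a hardening pass should cover. The data model, role names, and sample principals are hypothetical.

```python
# Added example (not part of the original guidance): deny-by-default PDP/PEP
# with audit logging and negative-case checks. All names are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Principal:
    id: str
    tenant: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    kind: str      # e.g. "doc" or "user"
    tenant: str
    owner: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str    # which rule fired; used by the audit log and by tests


# RBAC table (hypothetical): role -> set of (resource kind, action) it grants.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "viewer": {("doc", "read")},
    "editor": {("doc", "read"), ("doc", "write")},
    "admin":  {("doc", "read"), ("doc", "write"), ("doc", "delete"),
               ("user", "manage")},
}

# Admin path: (kind, action) pairs that only the admin role may ever reach.
ADMIN_ACTIONS: Set[Tuple[str, str]] = {("user", "manage"), ("doc", "delete")}

AUDIT_LOG: List[dict] = []


def decide(p: Principal, action: str, r: Resource) -> Decision:
    """Policy decision point: deny unless a rule explicitly allows."""
    # Tenant isolation is checked first so no later rule can bypass it.
    if r.tenant != p.tenant:
        return Decision(False, "deny:cross-tenant")
    # RBAC: any held role granting the (kind, action) pair allows.
    for role in sorted(p.roles):
        if (r.kind, action) in ROLE_GRANTS.get(role, set()):
            return Decision(True, f"allow:role:{role}")
    # ABAC: an owner may read and write their own doc without a role,
    # but ownership never reaches admin actions such as delete.
    if r.kind == "doc" and r.owner == p.id and action in {"read", "write"}:
        return Decision(True, "allow:owner")
    return Decision(False, "deny:no-matching-rule")


def enforce(p: Principal, action: str, r: Resource,
            handler: Callable[[], str]) -> str:
    """Policy enforcement point: audit every decision, then allow or raise."""
    d = decide(p, action, r)
    AUDIT_LOG.append({"principal": p.id, "action": action,
                      "resource": f"{r.kind}:{r.owner}",
                      "allow": d.allow, "reason": d.reason})
    if not d.allow:
        raise PermissionError(d.reason)
    return handler()


def policy_table_invariants() -> List[str]:
    """Measurable check on the policy itself: admin actions may be granted
    only to the admin role. Returns the violations (empty list = pass)."""
    violations = []
    for role, grants in ROLE_GRANTS.items():
        if role != "admin":
            for pair in sorted(grants & ADMIN_ACTIONS):
                violations.append(f"{role} grants {pair}")
    return violations


def negative_cases() -> Dict[str, str]:
    """Negative cases for the hardening pass: every one must deny, and the
    reason string tells you which rule denied it."""
    alice = Principal("alice", "t1", frozenset({"viewer"}))
    bob = Principal("bob", "t2", frozenset({"editor"}))
    nobody = Principal("nobody", "t1", frozenset())
    carol = Principal("carol", "t1", frozenset())      # owner, no roles
    dan = Principal("dan", "t1", frozenset({"editor"}))
    doc_t1 = Resource("doc", "t1", "carol")
    users_t1 = Resource("user", "t1", "system")
    return {
        "viewer-writes": decide(alice, "write", doc_t1).reason,
        "cross-tenant":  decide(bob, "read", doc_t1).reason,
        "no-roles":      decide(nobody, "read", doc_t1).reason,
        "owner-deletes": decide(carol, "delete", doc_t1).reason,
        "editor-admin":  decide(dan, "manage", users_t1).reason,
    }


if __name__ == "__main__":
    print("policy violations:", policy_table_invariants())
    for name, reason in negative_cases().items():
        print(f"{name:15s} {reason}")
```

The reason string on every Decision is the verification hook: tests assert on which rule fired rather than only on allow/deny, so a refactor that accidentally lets the owner rule shadow the tenant check shows up as a changed reason, and the same field lands in the audit log for the operations stage.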
Checklist Before Completion
- Goals and constraints are explicit for authZ
- Risks and trade-offs are stated, not hand-waved
- Verification steps match the change’s impact (tests, canary, peer review)
- Operational follow-through is covered (monitoring, docs, owners)
Tips for Effective Guidance
- Be procedural: stage-by-stage, with clear exit criteria
- Ask for missing context (environment, scale, deadlines) before prescribing
- Prefer checklists and concrete examples over generic platitudes
- If the user declines the workflow, switch to freeform help without lecturing
Handling Deviations
- If the user wants to skip a stage: confirm and continue with what they need.
- If context is missing: ask targeted questions before strong recommendations.
- Prefer concrete examples, trade-offs, and verification steps over generic advice.
Quality Bar
- Each recommendation should be actionable (what to do next).
- Call out failure modes relevant to authorization (security, scale, UX, or ops).
- Keep tone direct and respectful of the user’s time.