Design and Implementation of a Unified Permission Management Service (MPS)

In today’s rapidly expanding IT landscape, Baidu’s internal platforms suffered from fragmented and inconsistent permission systems, prompting the Mobile Data Middle Platform to create a Unified Permission Management Service (MPS) that centralizes and standardizes access control across all business platforms.

The requirement analysis identified the need to integrate multiple platforms, define clear permission hierarchies, consider unified authentication, design customizable approval workflows, and expose secure API interfaces for seamless integration.

MPS was built on Baidu’s internal Go Develop Platform (GDP), chosen for its deep infrastructure integration, easy configuration and assembly, robust RPC capabilities, and built‑in Prometheus monitoring support.

The permission model combines Role‑Based Access Control (RBAC), Access Control Lists (ACL), and Discretionary Access Control (DAC) to provide fine‑grained, flexible control, separating business permissions from management permissions and supporting permission packages for batch assignment.

Four core functional modules were implemented: (1) Platform & node management – multi‑platform onboarding, node definition, and organization management; (2) Permission management – historical import, CRUD operations, and authentication services; (3) Application & authorization – online request submission, customizable approval flow, and automatic granting; (4) Audit & recycle – permission data export, operation logs, expiration handling, and email subscription for change notifications.

Implementation details include push/pull node synchronization, generation of primary and secondary OpenAPI keys, creation of permission packages, authorization logic that supports inheritance and priority between node and package permissions, and two online‑application modes (hosted approval page or custom front‑end with MPS API). A generic approval process class with configurable steps enables diverse workflow requirements across platforms.

Since deployment, MPS has been adopted by nearly 40 business platforms, managing over 100,000 permission nodes, processing 2,000–3,000 permission requests daily, handling peak API traffic of 1.3 million calls and 300,000 authentication calls per day, and is positioned for further expansion to provide enterprise‑wide unified permission management.