10 comments

[ 0.22 ms ] story [ 31.1 ms ] thread
If you're using Postgres then using the ltree module is great for permission systems. Available in RDS too
(comment deleted)
>We added a point of failure, as the permissions table can get out of sync with the actual data.

>The main risk with pre-computed permissions is data getting out of sync.

It would make sense to have permissions be a first class concept for databases and to ensure such a desync could never happen. Data being only read or written from specific users is a very common thing for data so it would be worth having first class support for it.

Strange the article proposes itself for "Enterprise" yet has no mention of Google's Zanzibar and how it compares to the other approaches. AFAIK it doesn't use pre-computed values but just queries really fast (using Spanner so there's that)
Another approach to complex requirements without spending a lot of time querying databases is to use bitmaps. A set of permissions can be expressed through a bitmap and all you need to do in code is to "decode" that to what you actually let the user do.

The downside to this approach is that it requires some planning and to maintain in code what mask retrieves what permission(s).

Isn’t Open Policy Agent (OPA) and Zanzibar not good enough to be in the article or author talking about specific permission controls?
My understanding is that Zanzibar is not usable as is for enterprises to use in their software?

And that it is an internal google system?

Permit.io

Scales both on the tech, and on the human side - e.g. your product manager can add roles (with CI approval) without requiring engineering involvement.

(I'm biased but still true)

Interesting article, but it mixes up two concerns, I would say. One is retrieving trees from the DB and storing them - which can be annoying but has nothing to do with permissions. Another one is "hiding" unpermitted nodes/branches from the viewer (if that is what applying permissions is about - it can also handle read-only things, for instance). If these two concepts get separated and it is not a big deal to "overfetch" for the current user before doing the filtering - things become way easier. When the tree is reconstructed, you can do breadth-first traversal and compute permissions for every item in there - or retrieve the permissions for items at that level, if you are doing ACL stuff. From there - if there is no permission for the current viewer on that node - you exclude it from further scans and you do not add its' children to further traversals as you go down. Max. number of scans = tree depth. With some PG prowess you could even fold this into sophisticated SQL stuff.

Trees with RDBMSes do stay a pain, though :-)