Role-based scalable authentication
I am currently developing a role-based authentication system for resources to which many users have different access rights.
A role can be a single user or a group of roles (so a role is a tree of roles). (See picture below.)
A resource can have several authentication properties (for example, read, write, delete), where each of them is a list of roles allowed to perform the operation. (See picture below.)
The problem is that if I want to check whether a user has permission for a property, I have to traverse n trees in the worst case (where n is the number of roles assigned to the property).
So, for example, to check whether "Max" can read a property, I have to check whether the marketing, management and administration trees contain "Max".
Do you know of any algorithm or alternative approach that removes these rather expensive tree lookups while keeping the role system, or something equally powerful?
The ideal case would be some kind of lookup like O(log n) for n roles.
Thanks, Finn
Have you measured this and determined that this approach is a performance bottleneck?
I've never seen a system with so many roles/levels that the cost of traversing such a structure would be an issue. And if the tree really is that big, I'd be more concerned that administrators are having a hard time figuring out who is allowed to do what.
In terms of scalability, I would typically use the ASP.NET cache to cache the full tree that maps resources to roles, with an appropriate cache timeout, and cache the mapping from users to roles separately (for example, in session, or under a custom key in the ASP.NET cache).
Reading from the cache will generally be blindingly fast compared to hitting the database every time.
You need to reverse the pointers.
"Harry" is a member of "Site2 Admins", which has "Administrators" access to "Site2", so that is how he can "Delete", "Write" and "Read" this content.
Why "administration" should be shared between "Harry" and "Joe" I don't know. Harry is an administrator on one site but just a user on another, and Joe is the other way around.