[keycloak-dev] User-managed permissions

Marek Posolda mposolda at redhat.com
Thu Mar 23 11:35:29 EDT 2017

I was wondering about the use-case when users manage permissions to 
their own objects. It seems that proper support for this can be very 
challenging for the amount of DB space.

For example: I have 1000 documents and I have 1000 users. I want to be 
able to define fine-grained permissions and be able to define that user 
"john" is able to see document-1 and document-2, but not document-3 etc. 
So I can end with up to:

count of users * number of documents = 1000 users * 1000 documents = 
1000000 permission records in DB

When authorization scopes (actions) come into play and I want to specify 
that "john" is able just to "read" document-1 when "alice"  is able to 
"read", "update" and "comment" on document-1, I may end up with 5 
million objects in DB (assuming I have 5 actions).

We can do something like divide documents into "groups" and grant the 
permission just per group. But for example Google allows to group things 
(you can put more photos into one photoalbum and share whole photoalbum 
with user "john"), but also define fine-grained permission (share just 
single photo with user "john").

My estimation is, that using for JPA for save such data is likely not 
feasible. And I bet that Google is really using something different :-)

Maybe we need to restore Mongo or some other similar DB type for manage 
this stuff? Or is it something where the "Nearby policy evaluation" can 
help and permissions data would rather need to be saved by the 
application itself?


More information about the keycloak-dev mailing list