[keycloak-dev] User-managed permissions

Bill Burke bburke at redhat.com
Thu Mar 23 14:22:20 EDT 2017


Are you sure this is too hard for an RDBMS to manage?   Prove first that 
an RDBMS can't handle it.


On 3/23/17 11:35 AM, Marek Posolda wrote:
> I was wondering about the use-case when users manage permissions to
> their own objects. It seems that proper support for this can be very
> challenging in terms of the amount of DB space.
>
> For example: I have 1000 documents and I have 1000 users. I want to be
> able to define fine-grained permissions and be able to define that user
> "john" is able to see document-1 and document-2, but not document-3 etc.
> So I can end up with up to:
>
> count of users * number of documents = 1000 users * 1000 documents =
> 1000000 permission records in DB
>
> When authorization scopes (actions) come into play and I want to specify
> that "john" is able just to "read" document-1 while "alice" is able to
> "read", "update" and "comment" on document-1, I may end up with 5
> million objects in DB (assuming I have 5 actions).
>
> We can do something like divide documents into "groups" and grant the
> permission just per group. But for example Google allows grouping things
> (you can put more photos into one photo album and share the whole photo
> album with user "john"), but also allows defining fine-grained permissions
> (share just a single photo with user "john").
>
> My estimate is that using JPA to save such data is likely not
> feasible. And I bet that Google is really using something different :-)
>
> Maybe we need to restore Mongo or some other similar DB type to manage
> this stuff? Or is it something where the "Nearby policy evaluation" can
> help and the permissions data would rather need to be saved by the
> application itself?
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
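As an added example, not code from this thread or from Keycloak: one way to take up Bill's challenge is to store only the grants that were actually made, with the album as a container resource, so that sharing 1000 photos with "john" costs one row while a single-photo share with a second scope is still possible. The schema, the resource names and the users are constructed for illustration.

```python
import sqlite3

# Constructed schema, not Keycloak's: resources form a tree (album -> photos)
# and only explicit grants are rows; anything not granted is denied.
SCHEMA = """
CREATE TABLE resource (id TEXT PRIMARY KEY, owner TEXT NOT NULL,
                       parent TEXT REFERENCES resource(id));
CREATE TABLE grant_entry (resource TEXT NOT NULL REFERENCES resource(id),
                          subject TEXT NOT NULL, scope TEXT NOT NULL,
                          PRIMARY KEY (resource, subject, scope));
"""

# Walk from the requested resource up through its ancestors; a matching
# grant on any of them (e.g. the whole album) allows the action.
CHECK = """
WITH RECURSIVE chain(id) AS (
    SELECT :res
    UNION ALL
    SELECT r.parent FROM resource r JOIN chain c ON r.id = c.id
     WHERE r.parent IS NOT NULL)
SELECT 1 FROM grant_entry g JOIN chain c ON g.resource = c.id
 WHERE g.subject = :subj AND g.scope = :scope LIMIT 1
"""

def build_store(n_photos: int) -> sqlite3.Connection:
    """Alice owns one album of n_photos photos (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO resource VALUES ('album-1', 'alice', NULL)")
    db.executemany("INSERT INTO resource VALUES (?, 'alice', 'album-1')",
                   [(f"photo-{i}",) for i in range(1, n_photos + 1)])
    # Share the whole album read-only with john: one row, not n_photos rows.
    db.execute("INSERT INTO grant_entry VALUES ('album-1', 'john', 'read')")
    # Share a single photo with bob, including a second scope.
    db.executemany("INSERT INTO grant_entry VALUES ('photo-7', 'bob', ?)",
                   [("read",), ("comment",)])
    return db

def is_allowed(db, subject: str, resource: str, scope: str) -> bool:
    row = db.execute("SELECT owner FROM resource WHERE id = ?", (resource,)).fetchone()
    if row is None:
        return False          # unknown resource: deny
    if row[0] == subject:
        return True           # owners hold every scope on their own objects
    params = {"res": resource, "subj": subject, "scope": scope}
    return db.execute(CHECK, params).fetchone() is not None

def grant_rows(db) -> int:
    # Rows actually stored, to compare with users * documents * scopes.
    return db.execute("SELECT COUNT(*) FROM grant_entry").fetchone()[0]
```

With 1000 photos the table holds three grant rows; the fully materialised matrix Marek describes (3 users x 1001 resources x 5 scopes) would hold over fifteen thousand.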


