0

I am currently designing a role based authentication system for resources where many users have different access rights to it.

A role may be a single user, or a group of roles (so a role is a tree of roles). (see graphic below)

The other image here

A resource can have multiple authentication properties (like read, write, delete), where each of this is a list of roles allowed to do access the operation. (see graphic below)

Image goes here

The problem is if I want to check if a user has the right to access a property, i have to traverse n trees in worst case (where n is the number of roles assigned to an property).

So for example to check if 'Max' may read the property I might have to check the Marketing, Management and Administration trees if they contain 'Max'.

Do you know of any algorithm or alternative approach which removes the quite expensive tree searches while maintaining the role system or something equally powerful.

The perfect case would be some lookup like O(log(n)) for n roles.

Thanks, Fionn

Community
  • 1
  • 1
Fionn
  • 10,975
  • 11
  • 54
  • 84
  • So far as I can see, your description of the Functional Requirements / Specification includes trees. So either you need to change the specification, or find a way to prevent tree searches being "quite expensive". – ChrisW May 26 '09 at 02:36

3 Answers3

2

Have you measured this and determined that this traversal is a performance bottleneck?

I've never seen a system with so many roles / levels that the cost of traversing this kind of structure would become an issue. And if the tree really is that large, I'd be more concerned that administrators would have difficulty in understanding who is authorized to do what.

Regarding scalability, I would typically use the ASP.NET cache to cache the complete tree that maps between resources and roles, with a suitable cache timeout. And separately cache the mapping from Users to Roles (e.g. in Session or with a user-specific key in the ASP.NET cache).

Accessing the information from the cache will typically be blindingly fast compared with going to the database each time.

Joe
  • 122,218
  • 32
  • 205
  • 338
0

If you put your roles in a SQL database, lookups will perform substantially as you describe. I can help you with the database structure, if you're interested.

Robert Harvey
  • 178,213
  • 47
  • 333
  • 501
  • The SQL database would not really remove the complexity of the Tree traversal, on the contrary in my opinion trees in SQL are quite a pain. The depth of the roles is not really limited. – Fionn May 25 '09 at 20:18
  • The 'nested set' model is a way to do very fast selection of subtrees in SQL. – ChrisW May 25 '09 at 20:19
  • There is a good change that this will run on a Database System like Bigtable - there are no joins just plain tables. And even if nested set is fast, i guess it will not scale as very good since it is far form a standard table lookup. – Fionn May 25 '09 at 20:22
  • No, the nested set method uses standard SQL. It uses a schema that makes insertions slow but selects very quick: it doesn't even require a join, let alone a recursive join. – ChrisW May 26 '09 at 02:04
0

You need to reverse your pointers.

"Harry" is a member of "Site2 Admins" which has "Administrators" access to "Site2", so he can thus "Delete," "Write" and "Read that content.

Why "Administration" should be a common thing between "Harry" and "Joe" I'm not clear. Harry is an administrator on one site, but just a user on another, and Joe vice versa.

cjs
  • 25,752
  • 9
  • 89
  • 101
  • There is no rule that says an administrator may do anything, it could just have been named SomeUsers role, if someone may read, write or whatever is entirely dependent whether a role containing that user is added to the property. – Fionn May 25 '09 at 20:20