
We have an object Root, which references many other objects; this eventually translates into FKs at the DB level. We came up with an ACL scheme where there's a separate permissions table with the user, resource, access_level. And so we change our logic to look at this table before returning the data to the user.

Problem is, objects that are nested should also have the same permissions. And so there are 2 solutions that I could think of:

  1. Each nested object is written into permissions. Every time we update Root object, we cascade the changes to all nested ones.
  2. We add root_id to all relevant tables (even if they are referenced through some other intermediate object). And keep checking permissions using this root_id.

Both approaches aren't easy to implement, so I wonder whether there are other approaches that I'm missing.

  • Can you clarify two things: 1) what does ACL mean to you? 2) What is the use case? Commented May 28, 2023 at 11:41
  • ACL is a list of permissions (READ/WRITE) that are granted to a list of users (SID) on some objects (OID). So the use case is: user creates an object and then he wants to list what other users can see/modify that object. Commented May 28, 2023 at 17:02
  • Perhaps it's worth looking into (the principles of) OpenFGA. I just stumbled onto it myself but it seems a powerful method/tool that might fit your needs. Commented May 31, 2023 at 11:26
  • @Sil, OpenFGA eventually references this paper: research.google/pubs/pub48190 which seems to be quite relevant. Will read it soon, thanks! Commented Jun 3, 2023 at 14:31
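As an added illustration of approach 2 from the question (not code from the asker or the commenters): a constructed SQLite schema where every nested table carries a denormalised root_id, one permission check that works at any nesting depth, and a consistency query that finds a nested row whose root_id disagrees with its FK chain, which is the main way this approach silently grants the wrong access. Table and column names are assumptions.

```python
import sqlite3

# Constructed schema: root -> child -> grandchild, with root_id copied down so a
# permission check on any row is one join against the permissions table.
SCHEMA = """
CREATE TABLE root (id INTEGER PRIMARY KEY);
CREATE TABLE child (id INTEGER PRIMARY KEY,
                    root_id INTEGER NOT NULL REFERENCES root(id));
CREATE TABLE grandchild (id INTEGER PRIMARY KEY,
                         child_id INTEGER NOT NULL REFERENCES child(id),
                         root_id INTEGER NOT NULL REFERENCES root(id));
CREATE TABLE permissions (user_id TEXT NOT NULL, root_id INTEGER NOT NULL,
                          access_level TEXT NOT NULL
                              CHECK (access_level IN ('READ', 'WRITE')),
                          PRIMARY KEY (user_id, root_id));
"""

# Constructed sample data. Grandchild 201 is deliberately wrong: its child belongs
# to root 2 but its root_id says 1, the kind of drift a cascade bug can introduce.
SAMPLE = """
INSERT INTO root VALUES (1), (2);
INSERT INTO child VALUES (10, 1), (20, 2);
INSERT INTO grandchild VALUES (100, 10, 1), (200, 20, 2), (201, 20, 1);
INSERT INTO permissions VALUES ('alice', 1, 'WRITE'), ('bob', 1, 'READ');
"""

NESTED_TABLES = {"child", "grandchild"}  # allow-list: table names cannot be bound


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def can_access(conn, user: str, table: str, obj_id: int, level: str) -> bool:
    """True if `user` holds `level` (READ or WRITE; WRITE implies READ) on the
    root that `table`.`obj_id` belongs to, according to its root_id column."""
    if table not in NESTED_TABLES:
        raise ValueError(f"unknown table {table!r}")
    sql = (f"SELECT 1 FROM {table} t JOIN permissions p ON p.root_id = t.root_id "
           "WHERE t.id = ? AND p.user_id = ? "
           "AND (p.access_level = 'WRITE' OR p.access_level = ?) LIMIT 1")
    return conn.execute(sql, (obj_id, user, level)).fetchone() is not None


def inconsistent_root_ids(conn) -> list[int]:
    """Grandchild ids whose denormalised root_id contradicts the FK chain."""
    rows = conn.execute("SELECT g.id FROM grandchild g JOIN child c ON c.id = g.child_id "
                        "WHERE g.root_id <> c.root_id ORDER BY g.id").fetchall()
    return [r[0] for r in rows]
```

Row 201 shows the failure mode: bob is granted READ on it through the stale root_id even though it really lives under root 2, so the consistency query belongs in a periodic check or a trigger.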
