Forum OpenACS Development: Other Use-Cases for Permissions

Posted by Frank Bergmann on
Hi All,

We already had some discussions around this subject, and as a result P/O uses OpenACS permissions in several ways (http://www.projop.com/doc/intranet-core/permissions.html). However, we are facing some additional use cases.

For example with projects I frequently have to ask: "Who is allowed to see this project" in order to show the list of authorized users. According to the permissions documentation (tediously explained) I shouldn't ask this question due to performance reasons, is that right?

The other problem appears in the context of our HP project, where we have to deal with some 20.000 users and 20.000.000 documents/folders. Permissions on folders are set by means of certain user groups. The task is to filter the result set of an Oracle Intermedia search query to show only the documents that a user is allowed to see. I think we all agree that the current permission system can't handle this because of the size of the permission table due to the denormalization triggers, right?

The solution to the first issue was to use a custom relationship between projects and users, avoiding the use of the permission system.

The solution for the second issue is to store the explicit grants (user group - folders) and to create a "denormalized cache" between user (because we know the user of the search query) and projects. An entry in this cache says: "There is at least one file in this project which the user can read."
This way Oracle can rapidly discard all files from the result where the user has no access permissions at all. The remaining files have to be checked one by one using hierarchical queries, but that's a relatively small number of objects to check.

Finally, with respect to Dave's "news-administrators": This is exactly the standard case at Project/Open, for example with the "Accounting" role (manages all financial objects) etc. or a "Sourcing Manager" who can add and modify "Freelancers" and "Provider" and their business objects.

The solution that we have chosen (see link above) consists of special groups "Accountants", "Resource Managers", ... and application specific permission procedures (im_invoice_permissions $user_id $invoice_id view read write admin) that check for the user's membership in the specific groups (via acs_rels) or if the user owns system-wide privileges (via the OpenACS permission system).

Bests,
Frank

mailto:frank_bergmann_at_project-open_dot_com
http://www.project-open.com/
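
The two-stage search filter described in the post above, as an added example that is not code from the post, Project/Open or OpenACS. It assumes hypothetical table names, that a grant on a folder also covers its subfolders, and uses SQLite with a recursive query in place of Oracle hierarchical queries.

```python
import sqlite3

SCHEMA = """
CREATE TABLE folders(id INTEGER PRIMARY KEY, parent_id INTEGER, project_id INTEGER);
CREATE TABLE files(id INTEGER PRIMARY KEY, folder_id INTEGER);
CREATE TABLE membership(user_id INTEGER, group_id INTEGER);
CREATE TABLE grants(group_id INTEGER, folder_id INTEGER);  -- explicit grants only
CREATE TABLE user_project_cache(user_id INTEGER, project_id INTEGER);
"""
# Folders a user can read: explicitly granted folders plus all their descendants.
READABLE = """WITH RECURSIVE readable(id) AS (
  SELECT g.folder_id FROM grants g JOIN membership m ON m.group_id = g.group_id
   WHERE m.user_id = :u
  UNION SELECT f.id FROM folders f JOIN readable r ON f.parent_id = r.id) """

def rebuild_cache(db):
    """One row per (user, project) in which the user can read at least one file."""
    db.execute("DELETE FROM user_project_cache")
    for (u,) in db.execute("SELECT DISTINCT user_id FROM membership").fetchall():
        db.execute(READABLE + """INSERT INTO user_project_cache
            SELECT DISTINCT :u, fo.project_id FROM files fi
              JOIN folders fo ON fo.id = fi.folder_id
             WHERE fo.id IN (SELECT id FROM readable)""", {"u": u})

def filter_hits(db, user_id, hit_ids):
    """Return (survivors of the cache prefilter, files the user may actually read)."""
    marks = ",".join("?" * len(hit_ids))
    # Stage 1: cheap join that discards hits in projects with no readable file.
    stage1 = [r[0] for r in db.execute(f"""SELECT fi.id FROM files fi
        JOIN folders fo ON fo.id = fi.folder_id
        JOIN user_project_cache c ON c.project_id = fo.project_id
        WHERE c.user_id = ? AND fi.id IN ({marks}) ORDER BY fi.id""",
        [user_id, *hit_ids])]
    # Stage 2: authoritative per-file hierarchical check on the survivors only.
    check = READABLE + """SELECT 1 FROM files
        WHERE id = :f AND folder_id IN (SELECT id FROM readable)"""
    allowed = [f for f in stage1
               if db.execute(check, {"u": user_id, "f": f}).fetchone()]
    return stage1, allowed

def demo_db():
    """Constructed sample data: two projects, two users, four files."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO folders VALUES (?,?,?)",
                   [(1, None, 1), (2, 1, 1), (3, 1, 1), (5, 2, 1), (4, None, 2)])
    db.executemany("INSERT INTO files VALUES (?,?)", [(11, 2), (12, 3), (13, 4), (14, 5)])
    db.executemany("INSERT INTO membership VALUES (?,?)", [(100, 10), (200, 20)])
    db.executemany("INSERT INTO grants VALUES (?,?)", [(10, 2), (20, 4)])
    rebuild_cache(db)
    return db
```

Stage 2 is the access decision and the cache only narrows its input, so a stale extra cache row costs time without exposing a file, while a missing row hides files the user should see.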