Forum OpenACS Development: Response to ACS 4.x won't scale (I hope I am wrong)

Posted by Tom Jackson on

It seems to me that the aD design goal for the permissioning system was to be able to reach into one table or view and pull out a yes or no answer: permission to read, or not, or 'Can object A perform action B on object C'. Essentially this is done by counting at least one row in acs_object_party_privilege_map. This view is a join of two other views (acs_object_grantee_priv_map and group_member_map) unioned with one of the views (acs_object_grantee_priv_map). acs_object_grantee_priv_map is a join of two other views, etc...

Permissioning is either a difficult problem, or one that isn't solved very well in ACS. Although many times aD points out the state of the art for certain problems, I haven't seen a real discussion on this one.

The other day I set up an OpenLDAP server to work with the Netscape Roaming profile schema. I had to set one permission record in the startup file. This one record serves to configure access for all clients!

I don't really know if LDAP is an answer, certainly not a simple answer. I just wonder how permissioning is done so easily in this application, and so painfully in the RDBMS world.