As long as your tables are indexed correctly it should be quite performant.  The most important field that should be indexed is the permission target.

Hi,

I'm having a similar question regarding performance, especially with a lot of permissions and targets. I'm looking at 2 different scenarios from the seam-space example.

1) org.jboss.seam.example.seamspace.PictureSearch.loadMemberPictures()

If I understand correctly, what this method does, is retrieve all the pictures of that particular member, and then filter the list according to the permissions for the current user looking at the pictures (Identity.instance().filterByPermission(memberImages, "view")). The filtering is not done using any backend database queries, but using Java code iterating through the entire list returned by the database. Now, if the member has 10.000 pictures uploaded, but the current user only has permission to view 5 of them, we still have to retrieve all the 10.000 images from the database.

2) org.jboss.seam.example.seamspace.ImagePermission.editPermission()

In order to change the permissions for a particular user (recipient) for a particular picture (target), the method first retrieves all the permissions for the target (including those for other recipients / using permissionManager.listPermissions(target)) and then 'manually' filters the ones out that match the recipient we're interested in.

I know that seam-space is just an example application, but on the other side I didn't find an obvious way using the API to do the same more efficiently.

Any ideas?

Thanks a lot,

Georges

1) org.jboss.seam.example.seamspace.PictureSearch.loadMemberPictures()

If I understand correctly, what this method does, is retrieve all the pictures of that particular member, and then filter the list according to the permissions for the current user looking at the pictures (Identity.instance().filterByPermission(memberImages, "view")). The filtering is not done using any backend database queries, but using Java code iterating through the entire list returned by the database. Now, if the member has 10.000 pictures uploaded, but the current user only has permission to view 5 of them, we still have to retrieve all the 10.000 images from the database.

Unfortunately there's no easy way to incorporate permission filters into a database query like this.  Permissions may be granted either directly to a user or indirectly through a user's role membership, and permission actions can either be stored as a concatenated list of string values, or as a bitmasked values, both of which are difficult to express in a parameterized query.

2) org.jboss.seam.example.seamspace.ImagePermission.editPermission()

In order to change the permissions for a particular user (recipient) for a particular picture (target), the method first retrieves all the permissions for the target (including those for other recipients / using permissionManager.listPermissions(target)) and then 'manually' filters the ones out that match the recipient we're interested in.

The problem with having a listPermissions() method that takes the permission recipient as a parameter is once again because permissions can be assigned indirectly via a user's role memberships.  Perhaps an alternative method called listGrantedPermissions() might be more suitable for returning a list of permissions explicitly granted to a specific recipient.  However, my take on this is that since you're already hitting the database anyway, the fact that you're getting a list of all permission recipients isn't that much of a performance hit.  And if you've got permissions for a single object assigned to more than a small set of recipients then possibly a rule-based permission might be more suitable (this of course this depends on the use-case).

In any case, if you think a listGrantedPermissions() method might be useful, please raise a feature request in JIRA.

Hi Shane,

thanks a lot for the comments. I'll try and go figure out how to combine store-based and rule-base permissions in my application.

Cheers,
Georges