Permission schemes can get complicated, fast

IWETHEY v. 0.3.0 | TODO

1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User

Welcome to IWETHEY!

Post #230,016

10/18/05 9:22:53 PM

Permission schemes can get complicated, fast

The single worst-performing SQL query that I've ever written was one whose job was to propagate permission rules to figure out exactly who could do what, when. It scaled like O(n^5). I broke it into several pieces and it improved to O(n^4). It got slow again and we moved it to a better machine.

It was a lot more flexible than the one you describe, was simple to use, and was very fine-grained. But the logic behind the scenes to make it work was a bear. But it did work well for a few thousand users with hundreds of permissions each.

The reason that I needed a complex scheme was that I needed to grant access to a lot of people based on the kind of data they were accessing, the kind of company they were associated with, the terms of their subscription (when your term expires, so does your permission), and our decisions about when to change specific parts of our site between being premium and standard. And I had to keep it simple enough for our sales reps to be able to use the system. "Why don't I give you a 30 day free trial..."

Cheers,
Ben

I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)

Is this a good idea? - (drewk) - (14) - Oct. 18, 2005, 01:02:00 PM EDT

Re: Is this a good idea? - (admin) - Oct. 18, 2005, 01:28:46 PM EDT

That's a definite maybe... - (ben_tilly) - (3) - Oct. 18, 2005, 01:31:01 PM EDT

You missed a line - (drewk) - Oct. 18, 2005, 02:25:45 PM EDT

Admin, we need another WeeCode... - (CRConrad) - (1) - Oct. 18, 2005, 02:32:51 PM EDT

Why not just have another checkbox on the New Comment page - (Meerkat) - Oct. 20, 2005, 08:26:42 AM EDT

ICLRPD (new thread) - (Steve Lowe) - Oct. 18, 2005, 03:18:56 PM EDT

Hard to say - (JayMehaffey) - (5) - Oct. 18, 2005, 05:06:51 PM EDT

My main issue with it - (drewk) - (4) - Oct. 18, 2005, 05:18:13 PM EDT

If that is all you have then it is a problem - (JayMehaffey) - (3) - Oct. 18, 2005, 06:32:56 PM EDT

That's an interesting idea. - (static) - Oct. 18, 2005, 08:03:15 PM EDT

What you describe is what I favor - (drewk) - Oct. 18, 2005, 08:39:30 PM EDT

Permission schemes can get complicated, fast - (ben_tilly) - Oct. 18, 2005, 09:22:53 PM EDT

Sounds like someone doesn't trust your application's - (Simon_Jester) - (1) - Oct. 20, 2005, 12:13:41 PM EDT

Yup, the same people wrote both -NT - (drewk) - Oct. 20, 2005, 12:36:59 PM EDT

Oh good, just go the wrong way why don't you!
82 ms