Hi,

In a project I'm working on, we have some personas which represent the kind of operations members of those personas are allowed to do over a given node.

The most trivial idea was to have a synthetic-group-per-persona-per-such-node and add/remove members to these groups. This approach has obvious side-effects:
* systems get flooded with system-generated groups, thus requiring special UI for user/group management
* can potentially affect login performance - I haven't checked how OAK-3003 works.. maybe it's a non-issue
* eerie feeling to require additional groups :)

The other end of the spectrum is to provide explicit ACLs on the node per principal. It's ok for us to go this way... but we ended up with an open question, the subject of this mail. Do we know how ACL evaluation performance behaves wrt the number of ACLs on a node - assuming ACLs-per-principal won't be a big number? I was thinking of writing a benchmark to see, but wanted to copy some closely related existing benchmark. It'd be great if there are some pointers for this :).

Thanks,
Vikas
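A starting point for the benchmark asked about above, as an added example that is not from the mail or from Oak's own benchmark suite: it builds an in-memory Oak repository, grants jcr:read to N distinct principals on one node via one ACE each, then times Session.hasPermission as the last principal added. It assumes the oak-jcr and jackrabbit-jcr-commons artifacts on the classpath, the default admin/admin credentials, and constructed names (/benchmark, user0..userN-1, password "pw"); vary PRINCIPALS to see how per-check cost scales with the number of ACEs.

```java
import java.security.Principal;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.jcr.Jcr;

/** Micro-benchmark: N explicit ACEs (one per principal) on a single node. */
public class AcePerPrincipalBenchmark {

    static final String PATH = "/benchmark";  // constructed sample path
    static final int PRINCIPALS = 200;        // number of ACEs placed on the node
    static final int LOOKUPS = 100_000;       // permission checks to time

    public static void main(String[] args) throws Exception {
        Repository repo = new Jcr(new Oak()).createRepository();  // in-memory repository
        Session admin = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        admin.getRootNode().addNode("benchmark", "nt:unstructured");

        // One user and one allow-jcr:read ACE per principal, all on the same node.
        for (int i = 0; i < PRINCIPALS; i++) {
            User user = ((JackrabbitSession) admin).getUserManager().createUser("user" + i, "pw");
            Principal p = user.getPrincipal();
            AccessControlUtils.addAccessControlEntry(admin, PATH, p, new String[] {Privilege.JCR_READ}, true);
        }
        admin.save();

        // Evaluate as the last principal added, so its ACE sits at the end of the list.
        Session user = repo.login(new SimpleCredentials("user" + (PRINCIPALS - 1), "pw".toCharArray()));
        boolean ok = user.hasPermission(PATH, Session.ACTION_READ);  // cold call: permission entries get loaded
        long start = System.nanoTime();
        for (int i = 0; i < LOOKUPS; i++) {
            ok &= user.hasPermission(PATH, Session.ACTION_READ);  // warm calls: compiled permissions are cached per session
        }
        long perCallNs = (System.nanoTime() - start) / LOOKUPS;
        System.out.printf("%d ACEs on %s, read allowed=%b, %d ns/check (warm)%n",
                PRINCIPALS, PATH, ok, perCallNs);
        user.logout();
        admin.logout();
    }
}
```

Time the first (cold) call separately as well: with per-principal ACEs, the cost that grows with N is mostly in loading and compiling the entries for a session's principal set, not in each subsequent cached check.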
