Hi,

My scenario has a large number of rapidly changing permissions based on the data in my domain model. We also have a large and growing set of rules/policies for determining user permissions. The set of data objects and number of permissions is in the order of tens of millions. In some cases we need permissions down to the field level. The domain model changes at a high enough velocity (hundreds of thousands of updates per day at a minimum) that pre-calculating and storing the permissions doesn't seem very feasible.

What I want to do to solve this is the following:

* Store in an in-memory cache my identity database (the elements of my domain objects needed for permission determination)
* Encode my security policies/rules in business rules (i.e. Drools)

When a user requests access to an entity I want to:

* Load my object identity from my database
* Execute my security ruleset to generate the applicable permissions for that user for the object being requested
* Allow the client system to use the "isPermitted" methods to see if the user has permission and react accordingly

A concrete example: the domain model is railcars. A limited example would be something like:

  Car ID                   - UP-123456
  Current Owner            - GATX
  Current Handling Carrier - BNSF
  Current Repair Shop      - NULL
  Current Shipper          - DOWX
  Current Consignee        - ECF
  Damaged/Defect Flag      - N
  Component Recall Flag    - N
  WILD Alert Flag          - Y
  ... and so on

The total data size is roughly 1.8 million railcars. There are other domain objects I'll be adding to this as well that have even larger data sets.

Some example policies:

* If user is owner, can see everything for car
* If user is handling carrier, can see certain health records on the car
* If car is damaged and user is handling carrier, can see everything on car and can update disposition on car
* ...

Now to my problem. The dynamic permission generation requires both the user (PrincipalCollection) and the object being requested so that the doGetAuthorizationInfo of my realm can populate the rule engine with the objects it needs. My first thought is to add the object being requested to the principal collection, but I'm not sure what would be the best part of the API to extend to do this.

Does anyone have experience with a similar scenario they can share with me?

Thanks in advance,
John

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Handling-a-large-number-of-dynamic-permissions-tp7578918.html
Sent from the Shiro User mailing list archive at Nabble.com.
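One way to wire the on-demand evaluation John describes into a Shiro realm, as an added example that is not part of the original post and not code from the Shiro project: instead of putting the requested object into the PrincipalCollection, a custom Permission type (here a hypothetical RailcarPermission) carries the target car ID and the action, and the realm overrides AuthorizingRealm.isPermitted(PrincipalCollection, Permission) to look the car up in an in-memory identity cache and run the rule set against (user, car, action) at check time. The rule set is modelled as plain Java predicates (a hypothetical AccessRule interface) mirroring the three example policies; a Drools session could be substituted at that point. The example assumes shiro-core on the classpath, Java 16 or later (records and pattern-matching instanceof), that the primary principal is the user's company code, and that authentication is handled by a separate realm; Railcar, UserIdentity, RailcarRealm and the sample data are all constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

/** Railcar attributes needed for access decisions (constructed; only the fields the rules use). */
record Railcar(String carId, String owner, String handlingCarrier, boolean damaged) {}

/** User attributes the rules consult; the company code is taken from the primary principal. */
record UserIdentity(String company) {}

/** A permission that names the target object and the action, so the realm can evaluate per object. */
final class RailcarPermission implements Permission {
    final String carId;
    final String action; // e.g. "view", "view-health", "update-disposition"

    RailcarPermission(String carId, String action) { this.carId = carId; this.action = action; }

    /** Only exact matches imply each other; the realm evaluates these explicitly, not via implies(). */
    @Override public boolean implies(Permission p) {
        return p instanceof RailcarPermission o && carId.equals(o.carId) && action.equals(o.action);
    }
}

/** One policy: does this user get this action on this car? A Drools session could replace the list. */
@FunctionalInterface
interface AccessRule { boolean grants(UserIdentity user, Railcar car, String action); }

public class RailcarRealm extends AuthorizingRealm {
    private final Map<String, Railcar> identityCache = new ConcurrentHashMap<>(); // in-memory identity store
    private final List<AccessRule> rules = new ArrayList<>();

    public RailcarRealm() {
        setName("railcar-realm");
        // Hypothetical rule set mirroring the three example policies from the post.
        rules.add((u, car, action) -> u.company().equals(car.owner()));             // owner: everything
        rules.add((u, car, action) -> u.company().equals(car.handlingCarrier())
                && action.equals("view-health"));                                    // carrier: health records
        rules.add((u, car, action) -> car.damaged() && u.company().equals(car.handlingCarrier())
                && (action.equals("view") || action.equals("update-disposition"))); // damaged: carrier gets more
    }

    /** Domain updates replace the cached object; the next permission check sees the new state. */
    public void cacheRailcar(Railcar car) { identityCache.put(car.carId(), car); }

    /** Evaluate on demand: nothing is precomputed, and an unknown object is denied. */
    public boolean evaluate(UserIdentity user, String carId, String action) {
        Railcar car = identityCache.get(carId);
        if (car == null) return false;
        for (AccessRule rule : rules) if (rule.grants(user, car, action)) return true;
        return false;
    }

    /** Entry point reached by Subject.isPermitted(Permission) through the ModularRealmAuthorizer. */
    @Override
    public boolean isPermitted(PrincipalCollection principals, Permission permission) {
        if (permission instanceof RailcarPermission rp) {
            UserIdentity user = new UserIdentity(String.valueOf(principals.getPrimaryPrincipal()));
            return evaluate(user, rp.carId, rp.action);
        }
        return super.isPermitted(principals, permission); // other permission types take Shiro's normal path
    }

    /** No static permissions: everything for railcars is computed per object at check time. */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo();
    }

    /** Authentication is assumed to be handled by another realm in this example. */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        return null;
    }

    public static void main(String[] args) {
        RailcarRealm realm = new RailcarRealm();
        realm.cacheRailcar(new Railcar("UP-123456", "GATX", "BNSF", false));
        System.out.println("owner view: " + realm.evaluate(new UserIdentity("GATX"), "UP-123456", "view"));
        System.out.println("carrier view, undamaged: " + realm.evaluate(new UserIdentity("BNSF"), "UP-123456", "view"));
        realm.cacheRailcar(new Railcar("UP-123456", "GATX", "BNSF", true)); // domain update: car now damaged
        System.out.println("carrier disposition, damaged: "
                + realm.evaluate(new UserIdentity("BNSF"), "UP-123456", "update-disposition"));
    }
}
```

With this realm registered in the SecurityManager, client code calls `SecurityUtils.getSubject().isPermitted(new RailcarPermission("UP-123456", "view"))` and the check runs the rules against the current cached car. Because the override bypasses `getAuthorizationInfo`, AuthorizingRealm's authorization cache is never populated for railcar permissions, which is the intended behaviour when the domain changes faster than cached decisions could be invalidated; the cost is that every check pays for a cache lookup plus one pass over the rule set, so the identity cache and the rule evaluation need to be fast enough for the request rate. String-form checks such as `isPermitted("railcar:UP-123456:view")` would additionally need a PermissionResolver that builds RailcarPermission instances.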
