Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.

An important part of any platform (PaaS) authentication's security is to be able to limit and/or define a particular application or user's "rights" or permissions on either a user/app basis or a per-authentication basis.

The common permission model found in modern platform or product APIs is based on an idea of "Scopes". In my research, GitHub, Facebook, Instagram, Etsy (and more) all use this style of permission modeling in their OAuth implementations. However, this “scopes” model seems to be only concerned with how external (i.e. third party) applications access an authenticated user’s data.

Internally, permission models seem to be either more focused on a "role" based model (admin, moderator, user, etc) or a number of other custom implementations.

My question is this: "What permission model would best fit a modern PaaS that would like to both limit its users from certain actions AND limit 3rd party applications from accessing a user’s data, and how could that be architected in a performance conscious way?"

My initial research led me to an internal and external usage of a scope-based permission model. Unfortunately, architecting such a system isn’t trivial. I’ve seen multiple methods of creating such an architecture:

  1. The AR-friendly relational DB way:

    • Creating multiple tables with join tables for a many-to-many relationship between a list of permissions, a user’s available permissions, a user’s token, and a user token’s active permissions.

    • A user may authenticate with a token and specify as many permissions to be available on that token, up to the permissions originally set for that user.

  2. The clever Bit-masking way:

    • Using a simple integer column in a data set to store an integer value.

    • The integer value is accessed in a binary way, using bitwise operators to set, get, toggle (etc.) the permissions of a user or their token by representing a permission as a single bit.

There seem to be some pros and cons to each. The AR-friendly way seems like it's a very flexible solution, but also seems like it could be a serious performance hit, since multiple joins/queries would have to be run and ORM model instances would have to be created on every authenticated call. The Bit-masking method seems like it would be very fast and efficient, but would be less intuitive to develop and would be more prone to error. Also, bit-masking seems like it would be a limiting solution in that it would only easily allow a very "binary" permission model (can or cannot do) with no middle-ground/happy-medium and that it would limit the permissions to a hard 64-bit limit based on hardware limitations.

Is there another method of permission modeling or architecting that I’m missing/not thinking of? Or am I on the right track and the performance consideration is not as huge a concern (as far as the relational method goes) as I’m making it out to be?

Thank you so much!

tl;dr:

What permission model would best fit a modern PaaS that would like to both limit its users from certain actions AND limit 3rd party applications from accessing a user’s data, and how could that be architected in a performance conscious way?

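The bit-masking pattern from option 2, combined with the rule from option 1 that a token may carry at most the permissions its user holds, as an added Python example that is not part of the question or its comments; the scope names, role names and bit assignments are assumptions chosen for illustration:

```python
# Added example: scope-based permissions stored as one integer bitmask.
# Scope registry: each named scope owns exactly one bit. Positions are
# append-only so masks already stored in the database keep their meaning.
SCOPES = {
    "user:read": 1 << 0,
    "user:write": 1 << 1,
    "repo:read": 1 << 2,
    "repo:write": 1 << 3,
    "admin": 1 << 4,
}
# Python ints are unbounded, but a signed BIGINT column is not: keep every
# scope below bit 63 so the mask round-trips through the database unchanged.
assert max(SCOPES.values()) < 1 << 63

# The internal "role" model (admin, moderator, user) is just a named mask.
ROLES = {
    "user": SCOPES["user:read"] | SCOPES["user:write"] | SCOPES["repo:read"],
    "moderator": SCOPES["user:read"] | SCOPES["repo:read"] | SCOPES["repo:write"],
    "admin": sum(SCOPES.values()),
}


def mask_from_scopes(scopes):
    """Fold scope names into a mask; an unknown name raises (fail closed)."""
    mask = 0
    for name in scopes:
        mask |= SCOPES[name]
    return mask


def scopes_from_mask(mask):
    """Human-readable view of a stored mask, for logs and consent screens."""
    return {name for name, bit in SCOPES.items() if mask & bit}


def issue_token(user_mask, requested_scopes):
    """Return the mask for a new token, never exceeding the user's own."""
    wanted = mask_from_scopes(requested_scopes)
    excess = wanted & ~user_mask  # bits requested but not granted to the user
    if excess:
        raise PermissionError(f"not granted: {sorted(scopes_from_mask(excess))}")
    return wanted


def is_allowed(token_mask, scope):
    """Per-request check: one AND on one integer column, no joins needed."""
    return token_mask & SCOPES[scope] == SCOPES[scope]


def revoke(token_mask, scope):
    """Clear a single scope from a token without touching the others."""
    return token_mask & ~SCOPES[scope]
```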
As far as performance is concerned, have you thought of using a key/value store such as Redis to store the permission data? – David Allen 19 hours ago
Yea, we thought of that. But thanks @DavidAllen, that's definitely a good idea. We're thinking of mixing two of the patterns for a happy medium. I'll do a write up once we have the idea more "baked". :D – Rican7 17 hours ago
