Is there anything "better" than Access Control Lists (ACLs)?
A

4

5

I've spent some time casually mulling over ACLs in my head. I can see the real benefit of ACLs and their flexibility. But I have some serious concerns when it comes to implementing ACLs for a project that could have hundreds of thousands of users, if not millions, all connected in some way to hundreds of thousands of resources (such as images, messages, BLOBs).

It seems to me that the overhead in processing and managing the rules applied to millions of resources for hundreds of thousands of users would be obscene.

But then I haven't seen any alternatives. Are there any beyond username, password, user-level?

Adoree answered 14/7, 2009 at 13:49 Comment(1)
Could you define ACL? I'm assuming you are referring to Access Control Lists... – Contain
B
1

Have a google for "Role Based Access Control" and "Domain-Based Network Management".

Bertrambertrand answered 14/7, 2009 at 13:56 Comment(0)
R
3

I would not be too scared of any performance impact of ACL.

If it turns out to be slow, profile it and optimise it.

There's nothing in it that is inherently so slow as to make it unsuitable for large projects.

Reasonable answered 14/7, 2009 at 13:55 Comment(0)
S
3

Most companies end up being crushed under the weight of their RBAC and/or ACL implementation, whether they realize it or not. The future is attribute-based access control. It simplifies things by going from "Johnny can access X because he is in the admin role" to "Johnny can access X because it is between 8-5 and he has clearance X as well as being part of business unit Y."

Google XACML and watch this amusing presentation on Roles: http://vimeo.com/2723800. Zed nails it.

Shel answered 10/8, 2010 at 22:46 Comment(0)
M
0

Managing ACLs (or any equivalent) can be a bear if you don't plan ahead. The one thing that makes the biggest difference is to grant access to groups, not individuals, avoiding redundancy. This is particularly relevant when a group contains other groups.

Msg answered 14/7, 2009 at 14:6 Comment(0)
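
The group-based approach from the last answer, as an added example that is not part of any answer on this page: ACL entries name groups rather than individual users, and a user's effective principals are resolved by walking nested group membership, with a guard against groups that contain each other. All group, user and resource names are hypothetical, constructed sample data.

```python
# Added example: constructed data, hypothetical names throughout.

# group -> direct members (users or other groups).
GROUPS = {
    "staff":      {"editors", "support"},
    "editors":    {"alice", "photo-team"},
    "photo-team": {"bob", "editors"},   # deliberate cycle: editors <-> photo-team
    "support":    {"carol"},
}

# resource -> {principal: permissions}. Entries are per group, so the ACL
# size tracks the number of groups, not the number of users.
ACLS = {
    "image:42":  {"editors": {"read", "write"}, "staff": {"read"}},
    "message:7": {"support": {"read"}, "dave": {"read"}},
}


def principals_for(user, groups=GROUPS):
    """Return the user plus every group containing them, directly or transitively."""
    # Invert membership once: member -> groups that list it directly.
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    seen, stack = {user}, [user]
    while stack:                       # iterative walk; 'seen' stops cycles
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return frozenset(seen)


def is_allowed(user, resource, permission, acls=ACLS, groups=GROUPS):
    """Deny by default; allow if any of the user's principals holds the permission."""
    acl = acls.get(resource, {})
    return any(permission in acl.get(p, ()) for p in principals_for(user, groups))


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, sorted(principals_for(who)), is_allowed(who, "image:42", "write"))
```

The principal set depends only on the user and the group graph, so it can be computed once per session and reused for every resource check.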
