This article highlights performance concerns for large networks. It provides a low-level description of how access controls work in relation to groups and explains the benefits of using low visibility access controls.
A user can have access to thousands of objects (library items, sequences, screens, users, groups, and clouds). The objects a user can view and update in the admin interface are controlled by access controls.
An access control is a link between an actor (user or group) and an object.
For example, if a user has created a library item, an access control links the user to the library item.
To find all the directly linked objects, access controls are selected where the actor is the user.
Groups add another layer of complexity.
In many ways groups are similar to users. Like a user, a group has access to objects. We may more commonly say it contains objects, is assigned objects or objects are members of the group. However, as far as the system is concerned, a group has access to objects.
For example, if a user has assigned a library item to a group, an access control links the group to the library item.
The powerful thing about groups is that a user can have access to them. If a user has access to a group, they also have access to all the objects the group has access to.
This relationship can be hierarchical. So, a user may have access to a group that has access to another child group that has access to objects.
This can become complicated quickly and this can be demonstrated by understanding how the system obtains a list of objects to display in the admin interface.
A user clicks the Library tab.
What the server must do:
- Find all the objects (including groups) the user has direct access to.
- #1 For each unseen group:
- Find all the objects (including groups) the group has direct access to.
- Goto #1
This recursive access control evaluation gets demanding if there are many groups and deep hierarchies.
The system has some optimisations to improve performance, but in general, the time taken to find the list of library items is proportional to the number of access controls.
If there are 10,000 library items and each library item is in 10 groups, 100,000 access controls will need to be processed to discover what should be displayed.
To improve performance processing each group can be skipped if the group is linked by a low visibility access control. This avoids recursive evaluation #1.