Collect Filters Based on Resolution

Let's assume there are resources like files. Who, when, and where someone can access an individual file is not a problem. Suppose there is a resource, such as a directory, that has its own attributes and contains other files, directories and/or some other elements. There is now a user who has access to the directory but does not have access (even to see the name/title) to some files or subdirectories.

How do I filter a directory so that it contains only the files a user can access when the policy decision is decoupled from business logic? Do I have to check each file separately?

If so, and the directory contains 10M files while the user only has access to a few of them, how do I identify those files?

+3




1 answer


First of all, you need to decide what the resource is: is it a folder, a file? A file in an abstract sense (which means both a folder and a file)? Is it possible to view a file if you can view its ancestors? In other words, there is a hierarchy.

These questions aside, there are two approaches you can take when it comes to controlling access on a large dataset:



  • Use the Multiple Decision Profile to create an authorization request for multiple items. A Multiple Decision Profile (MDP) request would look like: Can Alice view files A and B and C and ... Z? The PDP will reply with as many decisions as there are items in the original question. MDP works well for items in the thousands or less.
  • When you have a lot of items or an unknown number of items, you can reverse the process with a reverse query (ARQ): instead of asking a Yes/No question, you ask an open-ended question, for example: Tell me what files Alice can view. The PDP will respond with a filter expression, e.g. Allow if docStatus == draft AND docDept = Sales. Then the PEP would have to translate the filter into a suitable form, for example a file filter.
+1
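The PEP-side translation step from the second bullet, as an added example that is not part of the original answer and not any PDP product's API: it assumes the PDP's filter arrives as a nested tuple and that file metadata lives in a SQLite table. The tuple format, the `files` schema and all function names are hypothetical.

```python
import sqlite3

# Policy attributes the PEP agrees to map onto columns (assumed schema).
COLUMNS = {"docStatus": "doc_status", "docDept": "doc_dept", "owner": "owner"}

def to_sql(expr):
    """Translate a PDP filter expression into (where_clause, params)."""
    op = expr[0]
    if op in ("and", "or"):
        parts = [to_sql(e) for e in expr[1:]]
        if not parts:
            raise ValueError("empty boolean expression")
        clause = f" {op.upper()} ".join(f"({c})" for c, _ in parts)
        return clause, [p for _, ps in parts for p in ps]
    if op == "eq":
        _, attr, value = expr
        if attr not in COLUMNS:          # never interpolate unknown names
            raise ValueError(f"unmapped attribute: {attr}")
        return f"{COLUMNS[attr]} = ?", [value]   # value is always bound
    raise ValueError(f"unsupported operator: {op}")

def visible_files(conn, directory, pdp_filter):
    """Names in `directory` the filter permits; deny all if it cannot be translated."""
    try:
        clause, params = to_sql(pdp_filter)
    except (ValueError, TypeError, IndexError):
        return []
    rows = conn.execute(
        f"SELECT name FROM files WHERE dir = ? AND ({clause}) ORDER BY name",
        [directory, *params])
    return [r[0] for r in rows]

def demo_db():
    """Constructed sample metadata for four files in one directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (dir, name, doc_status, doc_dept, owner)")
    conn.executemany("INSERT INTO files VALUES (?,?,?,?,?)", [
        ("/shared", "q1-plan.docx", "draft", "Sales", "bob"),
        ("/shared", "q1-final.docx", "final", "Sales", "bob"),
        ("/shared", "payroll.xlsx", "draft", "HR", "carol"),
        ("/shared", "pitch.pptx", "draft", "Sales", "alice"),
    ])
    return conn

# The answer's sample filter: docStatus == draft AND docDept = Sales
ALICE_FILTER = ("and", ("eq", "docStatus", "draft"), ("eq", "docDept", "Sales"))
```

The data store evaluates the filter once, so the cost no longer grows with one PDP call per file, and an expression the PEP cannot map yields an empty listing rather than an unfiltered one.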

