Monday, 28 December 2015

Lightning-Fast Access Control Lists in C#

Recently we were asked to review the security model in a large legacy system and improve its performance.

The database was big: more than 10,000 users assigned to multiple nested roles with permissions granted (or denied) on more than 120 discrete access-controlled containers holding some 13 million entity records. The permission matrix alone contained more than 1.2 million data points.

As you know, data structure and algorithm design can become surprisingly important when you have user interface code and business logic cruising through a million data points regularly and repeatedly for thousands of concurrent users.

The database schema (along with the data model and the object model) was complex, and the code used to implement role-based permissions was... shall we say... less than optimal.
To make matters worse, application permission checks were generating an enormous volume of traffic between the web server and the database server, which compounded the performance problems in the UI.

And (just to make things interesting) there was a constraint on our project: we could not modify the database schema in any way, due to external dependencies outside our control. We could modify the code in the data access layer and the user interface layer, but we could not make any schema changes (or data changes).

We developed a simple, lightweight, and (as it turns out) lightning-fast solution for role-based access control. We thought we'd share the code here, in case others find it useful in their own solutions to similar problems.
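The following is an added illustration, not the code from the Code Project article: it assumes that each of the roughly 120 access-controlled containers is assigned a bit index, that a user's nested roles are resolved once into a compact bitmask (with a deny anywhere in the role tree overriding a grant anywhere else), and that the resolved mask is cached so later checks never touch the database. The class and member names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Concurrent;

// Hypothetical sketch (not the Code Project code): each container gets a bit
// index, so a user's effective permissions compress into two 64-bit words.
public sealed class Role
{
    public string Name { get; }
    public List<Role> Parents { get; } = new List<Role>();   // nested roles
    public ulong[] Grant { get; } = new ulong[Acl.Words];
    public ulong[] Deny  { get; } = new ulong[Acl.Words];
    public Role(string name) { Name = name; }
    public void GrantContainer(int c) => Grant[c / 64] |= 1UL << (c % 64);
    public void DenyContainer(int c)  => Deny[c / 64]  |= 1UL << (c % 64);
}

public static class Acl
{
    public const int ContainerCount = 120;                  // assumed, from the post
    public const int Words = (ContainerCount + 63) / 64;
    // Per-user effective mask, computed once and reused by every later check.
    private static readonly ConcurrentDictionary<int, ulong[]> Cache =
        new ConcurrentDictionary<int, ulong[]>();

    // Walks the nested role graph; a deny in any role overrides a grant in any
    // other role (fail-closed). The visited set guards against role cycles.
    public static ulong[] Resolve(IEnumerable<Role> roles)
    {
        var grant = new ulong[Words]; var deny = new ulong[Words];
        var seen = new HashSet<Role>();
        var stack = new Stack<Role>(roles);
        while (stack.Count > 0)
        {
            var r = stack.Pop();
            if (!seen.Add(r)) continue;
            for (int i = 0; i < Words; i++) { grant[i] |= r.Grant[i]; deny[i] |= r.Deny[i]; }
            foreach (var p in r.Parents) stack.Push(p);
        }
        for (int i = 0; i < Words; i++) grant[i] &= ~deny[i];   // deny wins
        return grant;
    }

    // One AND and one compare per check; out-of-range containers are refused.
    public static bool CanAccess(int userId, IEnumerable<Role> userRoles, int container)
    {
        if (container < 0 || container >= ContainerCount) return false;
        var mask = Cache.GetOrAdd(userId, _ => Resolve(userRoles));
        return (mask[container / 64] & (1UL << (container % 64))) != 0;
    }

    // Call whenever a user's roles or a role's grants/denies change.
    public static void Invalidate(int userId) => Cache.TryRemove(userId, out _);
}
```

The cache is the part to watch in practice: a stale mask silently keeps a revoked permission alive, so every role or membership change must call `Invalidate` (or flush the whole cache) before it is considered applied.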

For details about our solution, check out the article posted on the Code Project community web site by one of our developers.

Lightning-Fast Access Control Lists in C#
