Recently we were asked to review the security model in a large legacy system and improve its performance.
The database was big: more than 10,000 users assigned to multiple
nested roles with permissions granted (or denied) on more than 120
discrete access-controlled containers holding some 13 million entity
records. The permission matrix alone contained more than 1.2 million

As you know, data structure and algorithm design can become
surprisingly important when you have user interface code and business
logic cruising through a million data points regularly and repeatedly
for thousands of concurrent users.

The database schema (along with the data model and the object model)
was complex, and the code used to implement role-based
permissions was... shall we say... less than optimal.
To make matters worse, application permission checks were generating an
enormous volume of traffic between the web server and the database
server, which compounded the performance issues in the UI.
And (just to make things interesting) there was a constraint on our project: we could not modify the database schema in any way, due to
external dependencies outside our control. We could modify the code in the
data access layer and the user interface layer, but we could not make any schema changes (or data changes).

We developed a simple, lightweight, and (as it turns out)
lightning-fast solution for role-based access control. We thought we'd
share the code here, in case others find it useful in their own
solutions to similar problems.
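To illustrate the shape of the problem described above (nested roles, grants and denies per container, and a per-request check that must not touch the database), here is an added C# sketch that is not the code from our project or from the linked article. It assumes a three-bit permission set and integer container ids, and it resolves a user's role tree once into one bitmask per container so that each later check is a dictionary lookup and a bit test; a deny anywhere in the tree overrides a grant anywhere in the tree.

```csharp
using System;
using System.Collections.Generic;
[Flags] public enum Permission { None = 0, Read = 1, Write = 2, Delete = 4 }
// A role inherits from any number of parent roles and grants or denies bits per container id.
public sealed class Role
{
    public readonly List<Role> Parents = new List<Role>();
    public readonly Dictionary<int, Permission> Grants = new Dictionary<int, Permission>();
    public readonly Dictionary<int, Permission> Denies = new Dictionary<int, Permission>();
}
public static class Acl
{
    // Flatten a user's role tree into one bitmask per container, computed once (e.g. at login).
    // A deny anywhere in the tree beats a grant anywhere in the tree; 'seen' tolerates cycles.
    public static Dictionary<int, Permission> Resolve(IEnumerable<Role> userRoles)
    {
        var grants = new Dictionary<int, Permission>();
        var denies = new Dictionary<int, Permission>();
        var seen = new HashSet<Role>();
        var stack = new Stack<Role>(userRoles);
        while (stack.Count > 0)
        {
            var role = stack.Pop();
            if (!seen.Add(role)) continue;
            foreach (var g in role.Grants) grants[g.Key] = Get(grants, g.Key) | g.Value;
            foreach (var d in role.Denies) denies[d.Key] = Get(denies, d.Key) | d.Value;
            foreach (var p in role.Parents) stack.Push(p);
        }
        var effective = new Dictionary<int, Permission>();
        foreach (var g in grants) effective[g.Key] = g.Value & ~Get(denies, g.Key);
        return effective;
    }
    // The per-request check: one dictionary lookup and one bit test, no database round trip.
    public static bool Allows(Dictionary<int, Permission> acl, int containerId, Permission needed)
        => (Get(acl, containerId) & needed) == needed;
    private static Permission Get(Dictionary<int, Permission> map, int key)
        => map.TryGetValue(key, out var p) ? p : Permission.None;
    public static void Main()
    {
        // Constructed sample: Editors inherits Readers; Contractors denies Delete on container 7.
        var readers = new Role(); readers.Grants[7] = Permission.Read;
        var editors = new Role(); editors.Parents.Add(readers);
        editors.Grants[7] = Permission.Write | Permission.Delete;
        var contractors = new Role(); contractors.Denies[7] = Permission.Delete;
        var acl = Resolve(new[] { editors, contractors });
        Console.WriteLine("read+write on 7: " + Allows(acl, 7, Permission.Read | Permission.Write));
        Console.WriteLine("delete on 7 (denied by Contractors): " + Allows(acl, 7, Permission.Delete));
        Console.WriteLine("read on 8 (never granted): " + Allows(acl, 8, Permission.Read));
    }
}
```

The resolved map is what you would cache per session; it has to be rebuilt whenever a user's roles or the role tree change, or a revoked permission keeps working until the cache expires.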
For details about our solution, check out the article posted on the Code Project community web site by one of our developers.
Lightning-Fast Access Control Lists in C#