We have a rather complicated system of permission handling in our (ASP.NET web) application. Users can have specific permissions on different kinds of objects, some permissions are even packed into groups / roles that are assigned to users. All in all this ends up in a pretty complicated mess where for determining whether a user can do / see something you have to evaluate many different sources of permissions and this is done somehow on-demand and based on specific situations.
My question is (from a high level point of view) whether there are some suggestions / common design patterns to deal with permission concept in general and probably also what is your experience with handling them in your architecture.
Users and Groups with the ability to test
bool UserHasPermission( SOME_PERMISSION )for an atomic permission associated with a Group is the standard approach for authorization, however things are changing to Claims-based:http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
http://msdn.microsoft.com/en-us/magazine/cc163366.aspx
http://www.infoq.com/news/2009/10/Guide-Claim-Based-Identity
It however, is not ideal for all situations.
For the old model, I find that performance can be gained by using memoization during permissions checks. That way I’m not going to the database n times per session to check access control. Memoization effectively stores in a cache the result of a call with the same parameters, so all calls by a particular user to check XYZ permission would return the same result. Of course, you’d make sure you stored the memoized permissions for the user in the Session so it’s per-user. If you load the permissions at login then you don’t need to cache them, but in large systems with many permissions sometimes it’s best to get them only when needed.
http://www.infoq.com/news/2007/01/CSharp-memory