Architecting a platform authorization permission model

Question

An important part of any platform (PaaS) authentication's security is to be able to limit and/or define a particular application or user's "rights" or permissions on either a user/app basis or a per-authentication basis.

The common permission model found in modern platform or product API’s is based on an idea of "Scopes". In my research, GitHub, Facebook, Instagram, Etsy (and more) all use this style of permission modeling in their OAuth implementations. However, this “scopes” model seems to be only concerned with how external (ie. third party) applications access an authenticated user’s data.

Internally, permission models seem to be either more focused on a "role" based model (admin, moderator, user, etc) or a number of other custom implementations.

My question is this: "What permission model would best fit a modern PaaS that would like to both limit its users from certain actions AND limit 3rd party applications from accessing a user’s data, and how could that be architected in a performance conscious way?"

My initial research led me to an internal and external usage of a scope-based permission model. Unfortunately, architecting such a system isn’t trivial. I’ve seen multiple methods of creating such an architecture:

1. The AR-friendly relational DB way:

   • Creating multiple tables with join tables for a many-to-many relationship between a list of permissions, a user’s available permissions, a user’s token, and a user token’s active permissions.

   • A user may authenticate with a token and specify as many permissions to be available on that token up to the permissions originally set for that user

2. The clever Bit-masking way:

   • Using a simple integer column in a data set to store an integer value

   • The integer value is accessed in a binary way, using bitwise operators to set, get, toggle (etc) the permissions of a user or their token by representing a permission as a single bit

Their seems to be some pros and cons to each. The AR-friendly way seems like its a very flexible solution, but also seems like it could be a serious performance hit, since multiple joins/queries would have to be run and ORM model instances would have to be created on every authenticated call. The Bit-masking method seems like it would be very fast and efficient, but would be less intuitive to develop and would be more prone to error. Also, bit-masking seems like it would be a limiting solution in that it would only easily allow a very "binary" permission model (can or cannot do) with no middle-ground/happy-medium and that it would limit the permissions to a hard 64-bit limit based on hardware limitations.

Is there another method of permission modeling or architecting that I’m missing/not thinking of? Or am I on the right track and the performance consideration is not as huge a concern (as far as the relational method goes) as I’m making it out to be?

Thank you so much!

tl;dr:

What permission model would best fit a modern PaaS that would like to both limit its users from certain actions AND limit 3rd party applications from accessing a user’s data, and how could that be architected in a performance conscious way?

Answer 1

I would start with a look at Spring Security ACL. They use bit masks, and can be (relatively) easily integrated with a cache like ehcache. If you use JPA for data access, you can use JPA's cache too.

http://static.springsource.org/spring-security/site/docs/current/reference/springsecurity.html

The schema:

http://static.springsource.org/spring-security/site/docs/3.0.x/reference/appendix-schema.html

OAuth:

http://static.springsource.org/spring-security/oauth/