Permission tree recalculation
To ensure fast access to permissions, a permission tree for each tenant is pre-calculated and cached. This permission tree is updated automatically whenever permissions are changed. Depending on the size of the tenant, it can take a few moments until the permission tree is updated and the change is propagated to the entire system. In the meantime, the old permission tree is still used, so a change is not enforced until the recalculation has completed.
What is a permission tree?
In a permission tree, we store the calculated explicit permissions for each subject and resource. Relations are often declared implicitly, by a role assignment or by adding a subject to a group. Such a relation usually implies that the subject has certain permissions on specific resources and their sub-resources. These implicit permissions are expanded into explicit permissions, which are stored in the permission tree.
The permission tree is updated automatically when permissions change and is used to quickly determine whether a user has a certain permission: whenever the system is asked for a permission, the permission tree is consulted.
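The following is an added illustration, not the product's own code: it expands implicit relations (group membership, a role assigned on a resource and inherited by its sub-resources) into an explicit permission tree, and shows the propagation window described above, where a revoked assignment is still honoured until the tree has been recalculated. The resource tree, groups, roles and assignments are constructed sample data.

```python
# Constructed model (not the product's own code): resources form a parent/child
# tree, groups hold users, and an assignment binds a subject (user or group)
# to a role on a resource; roles map to the permissions they grant.
ROLE_PERMISSIONS = {"viewer": {"read"}, "editor": {"read", "write"}}
RESOURCES = {"proj": None, "proj/docs": "proj", "proj/docs/spec": "proj/docs"}  # child -> parent
GROUPS = {"devs": {"alice", "bob"}}
ASSIGNMENTS = [("devs", "viewer", "proj"), ("alice", "editor", "proj/docs")]

def is_under(resources, res, ancestor):
    """True if res is ancestor itself or lies anywhere beneath it."""
    while res is not None:
        if res == ancestor:
            return True
        res = resources[res]
    return False

def build_permission_tree(resources, groups, assignments):
    """Expand implicit relations into explicit user -> resource -> {permission}."""
    tree = {}
    for subject, role, resource in assignments:
        for user in groups.get(subject, {subject}):      # a group fans out to its members
            for res in resources:
                if is_under(resources, res, resource):   # the role covers all sub-resources
                    tree.setdefault(user, {}).setdefault(res, set()).update(ROLE_PERMISSIONS[role])
    return tree

class PermissionCache:
    """Serves the last complete tree; a rebuild is swapped in only once finished."""

    def __init__(self, resources, groups, assignments):
        self.version = 0
        self.tree = build_permission_tree(resources, groups, assignments)

    def has_permission(self, user, resource, permission):
        return permission in self.tree.get(user, {}).get(resource, set())

    def recalculate(self, resources, groups, assignments):
        new_tree = build_permission_tree(resources, groups, assignments)  # old tree answers meanwhile
        self.tree, self.version = new_tree, self.version + 1
        return self.version

def revocation_walkthrough():
    """Delete alice's editor assignment; the cache answers from the old tree until recalculated."""
    cache = PermissionCache(RESOURCES, GROUPS, ASSIGNMENTS)
    remaining = [a for a in ASSIGNMENTS if a[0] != "alice"]
    stale = cache.has_permission("alice", "proj/docs/spec", "write")   # True: old tree still served
    cache.recalculate(RESOURCES, GROUPS, remaining)
    fresh = cache.has_permission("alice", "proj/docs/spec", "write")   # False after propagation
    return stale, fresh
```

The `stale`/`fresh` pair in `revocation_walkthrough` is the check a practitioner would want: a permission removed in the store is still granted by the cached tree until the recalculation completes, so revocations should be verified after propagation, not immediately.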
Trigger recalculation
A recalculation is triggered automatically whenever permissions or assignments are changed. The following operations trigger it:
- Update a resource
- Update resource members
- Create a tenant
- Patch tenant members
- Upsert tenant members
- Delete tenant members
- Update a role (Public API)
- Update a role (Management API)
- Update a static role
- Delete a role (Public API)
- Delete a role (Management API)
- Delete a static role
Recalculation duration
The time it takes to recalculate the permission tree depends on the size of the tenant: the more resources a tenant has, the longer the recalculation takes. For extremely large tenants the recalculation can take up to 15 minutes, but usually it takes only a few seconds.
The duration can be reduced by removing unnecessary resources and by not tracking resources that exist in your system but that carry no permissions.