CRUD-level locking on objects - design patterns

Question

Hi

Do you know any design patterns for implementing a CRUD-level locking on objects, meaning, for one instance of an object, I should be able to specify different access control level for each of the operations (Create, Read, Update, Delete). For example, person A may read and update object Z, but may not delete it. Person B can read, update and delete object X, Y and Z.

My concern is what happens when there are large data quantities. In other words, I'm looking for something efficient.

I've once implemented this kind of access control for objects and I know how it can be done, I'm just wondering if there actually is some sort of a design pattern for this.

Answer 1

There's a whole host of information available. This is a reasonable starting point. For large datasets, it can be hard to make things efficient - to maximise performance at run-time will mean expending more developer time during design. There's no silver bullet, sadly.

One example of good object-level control is found in Lotus Notes, which offers finely granular access to objects in the way you describe. (Notes is not known for its stellar performance, but is pretty secure as such systems go.)

Answer 2

I view this as a special case of authorisation of any "service".

It requires that you have some way of knowing the credentials of the caller. If you are to avoid passing such information explictly on every method then you need some implicit "context" available when authorization is determined. Administering such capabilities on a person-by-person basis tends to become very unweildy, so you tend to need role-based access control and ways allocating groups of users to roles.

All of this implies not so much a design pattern as a framework to exploit. Frameworks such as Spring and JEE have such capabilities built-in, they in turn may well exploit directories using LDAP.

So my "pattern" is don't reinvent the wheel, find a suitable framework and use it.