views:

86

answers:

0

Where should I best manage a hierarchy of ACLs?

I see three possibilities to manage a hierarchy of ACLs:

1) The ACLs themselves manage the hierarchy:

class Acl {
  Acl parent;
  // ...
}

2) Constructing a separate tree structure to manage the hierarchy.

3) Using an already existing hierarchy as the implicit hierarchy for ACLs (like a filesystem already has a hierarchy).

The following code would be one possibility to use an existing hierarchy:

interface AclHolder {
    Acl getAcl();
}

public class Folder implements AclHolder {
    private AclHolder parent;
    private Acl acl;

    @Override
    public Acl getAcl(){
        return acl==null ? parent.getAcl() : acl;
    }
}

Another approach could be to use rules to define what is hierarchical to what else.

I think it could be problematic to create an explicit ACL hierarchy like in 1) and 2) because this hierarchy usually has to reflect the system structure and is a form of duplication.

What is the best way?

Provisional Solution: I decided against dynamic inheritance for performance reasons. Inheritance will be only a convenience feature for users but it won't be implemented in the ACL directly. Changes are propagated to child ACLs, but child ACLs don't know their parents. I'll use the existing hierarchy (like the hierarchy in a file system) to do this.