Ask HN: How did you solve the pagination in role based access system?
In a system where user can read and interact with entities based on their role, how did you solve the problem of listing all the entities user has access to in a paginated manner?
3 comments
Disclaimer: I am a founder of Authzed (W21).
Generally, this problem is called ACL-Filtering[0][1] and can be done in two ways: a filter for selecting the entities from your database or as a filter after the entities have been returned from the database. Sometimes you might even have to do both.
If you decide to use a specialized database for permissions, similar to SpiceDB[2], there are often specialized APIs for directly listing the entities a subject has access to in various ways.
[0]: https://docs.authzed.com/reference/glossary#acl-filtering
[1]: https://authzed.com/blog/acl-filtering-in-authzed/
[2]: https://github.com/authzed/spicedb
Generally, this problem is called ACL-Filtering[0][1] and can be done in two ways: a filter for selecting the entities from your database or as a filter after the entities have been returned from the database. Sometimes you might even have to do both.
If you decide to use a specialized database for permissions, similar to SpiceDB[2], there are often specialized APIs for directly listing the entities a subject has access to in various ways.
[0]: https://docs.authzed.com/reference/glossary#acl-filtering
[1]: https://authzed.com/blog/acl-filtering-in-authzed/
[2]: https://github.com/authzed/spicedb
if you use something like OPA, it has partial evaluation [1], which would allow you to read in data, filter it based on your RBAC policy quickly until you have a pageful, then return to the caller together with some next page token that lets you remember where you left off.
[1] https://blog.openpolicyagent.org/partial-evaluation-162750ea...
[1] https://blog.openpolicyagent.org/partial-evaluation-162750ea...
We're working on support for partial evaluation in our system at Aserto https://aserto.com/