[Question] If I have millions of resources will my policy have millions of entries?

[AugustDev]

What's your scenario? What do you want to achieve?

I'd like to understand how to use casbin properly in a large project. Most examples are simple "alice, bob, read, write, data". I understand I can group individual users into and assign permission "write" to a role rather than individual user. However I still have to allow a role to "write" to resource. If I have million of resources (say blog posts) it will require me to make a policy with millions of entries. That seems quite inefficient.

I feel I'm missing something here?

[hsluoyz]

@AugustDev see: https://casbin.org/docs/en/performance

[AugustDev]

@AugustDev see: https://casbin.org/docs/en/performance

Thanks for the link! It says "A well-written model and policy will abstract out the duplicated logic for each user/tenant and reduce the number of rules to a very small level (< 100)".

Perhaps I'm not understanding how to use casbin correctly then.

If I have 100 USERS each having owning 50 ITEMS, then there are already 5000 policies per permission I have to write for users to be able towrite their items. Much more if I allow users to write other people's items.

Am I thinking about this the right way?

[hsluoyz]

@AugustDev if the 5000 rules cannot be grouped via RBAC, then you have to use sharding. Or is there anything else on your mind that we can improve?

[hsluoyz]

Closed as resolved.