Tags: authorization, access-control, xacml, xacml3, abac

Collection filtering based on permission


Let's say there are resources like files. Who, when and where has access to an individual file is not a problem. Assume that there is a resource like a directory which has its own attributes and contains other files, directories and/or some other items. Now there is a user who has access to a directory but does not have access (even to see the name/title) to some of the files or sub-directories.

How do I filter the directory so that it contains only the files which the user may access, if the policy decision is separated from the business logic? Should I check each file individually?

If yes, then if the directory contains 10M files and the user has access only to a couple of files, how do I identify those files?


Solution

  • First of all, you have to decide what the resource is: is it the folder, the file, or the file in an abstract sense (meaning both folder and file)? Is it the case that you can view a file if and only if you can view its ancestors? In other words, there is a hierarchy.

    Putting these questions aside, there are two approaches you can take when it comes to access control on a large set of data:

    1. Use the Multiple Decision Profile to create an authorization request for multiple items. A Multiple Decision Profile (MDP) request would look like: Can Alice view files A and B and C and ... Z? The PDP would respond with as many decisions as there were items in the original question. MDP works well for items ranging in the thousands or fewer.
    2. In the case where you have a very large number of items or an unknown number of items, you can run a reverse process called reverse query (ARQ), whereby instead of asking a Yes/No question you ask an open-ended question, e.g. Tell me which files Alice can view. The PDP would respond with a filter expression, e.g. Permit if docStatus==draft AND docDept=Sales. You would then have the PEP translate the filter into an adequate filter, e.g. a File filter.
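To make the two approaches from this answer concrete, here is an added example (not code from the question, the answer or any XACML product) with a constructed toy ABAC policy: MDP-style evaluation returns one decision per item of a small list, while the ARQ-style path binds the subject's attributes into the policy, leaves the resource attributes symbolic, and hands the residual condition to the data layer as a filter. The policy, attribute names and users are all assumptions.

```python
# A condition is (lhs, rhs); each side is ("lit", value), ("subject", attr) or ("resource", attr).
LIT, SUBJ, RES = "lit", "subject", "resource"

# Constructed permit rules (a disjunction of conjunctions):
#   1. Sales staff may view draft documents of the Sales department
#   2. anyone may view documents they own
POLICY = [
    [((SUBJ, "dept"), (LIT, "Sales")), ((RES, "dept"), (LIT, "Sales")), ((RES, "status"), (LIT, "draft"))],
    [((RES, "owner"), (SUBJ, "id"))],
]

def _bind(side, subject):
    """Replace a subject attribute by its value; literals and resource attributes pass through."""
    return (LIT, subject.get(side[1])) if side[0] == SUBJ else side

def reverse_query(policy, subject):
    """ARQ-style partial evaluation: the residual filter over resource attributes only.
    Rules already false for this subject drop out; conditions already true are removed.
    Returns a list of conjunctions; an empty list means nothing is permitted."""
    residual = []
    for rule in policy:
        conds, alive = [], True
        for lhs, rhs in rule:
            l, r = _bind(lhs, subject), _bind(rhs, subject)
            if l[0] == LIT and r[0] == LIT:      # fully decided without seeing any resource
                if l[1] != r[1]:
                    alive = False
                    break
            else:
                conds.append((l, r))            # still depends on the resource
        if alive:
            residual.append(conds)
    return residual

def as_predicate(residual):
    """Translate the residual filter into a callable the data layer applies per item."""
    def value(side, res):
        return res.get(side[1]) if side[0] == RES else side[1]
    return lambda res: any(all(value(l, res) == value(r, res) for l, r in c) for c in residual)

def as_sql_where(residual):
    """The same filter as a SQL WHERE fragment (a real PEP would bind parameters, not inline them)."""
    if not residual:
        return "FALSE"
    def term(side):
        return side[1] if side[0] == RES else repr(side[1])
    return " OR ".join("(" + " AND ".join(f"{term(l)} = {term(r)}" for l, r in c) + ")" if c else "TRUE"
                       for c in residual)

def decide_many(policy, subject, resources):
    """MDP-style: one Permit/Deny per item of a small, known list of resources."""
    allowed = as_predicate(reverse_query(policy, subject))
    return ["Permit" if allowed(r) else "Deny" for r in resources]
```

For the 10M-file case the point is that only `reverse_query` runs against the policy once per user; the residual filter is then pushed into the index or database query instead of calling the PDP per file.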