Complex permission scheme beyond channels


Christoph Berlin

Oct 13, 2014, 6:59:50 PM
to mobile-c...@googlegroups.com
Hi everyone,

We are currently evaluating implementing a relatively complex permission scheme in Sync Gateway, and I was wondering if anyone might have some thoughts/input regarding the requirements. Think of it as a micro social network. Requirements:

  • Solution will have thousands if not millions (hopefully) of users
  • User A is not aware of User B and vice versa - complete isolation initially
  • User A can share his data with select other users (let's say User B and User C) and then both User B and User C see User A's content
  • Now the tricky part - we need finer-grained permission control within channels, meaning User A can assign different permission levels to different invited users
    • User A invites User B to edit User A's data
    • User A also invites User C but User C can only read User A's data
A real-world scenario would be the Couchbase Labs ToDo app - I can share my lists with others but I can also decide whether invited users can read/write or only read.

While just looking at the requirements it doesn't seem that complex, but I get stuck in the details. I would think that channels are the correct path, but should I manage finer-grained permission control within the app logic? If so, what would be the best approach? Add another field to documents like document.members_readwrite? But then it gets relatively cumbersome to share, as I need to add a user to members AND members_readwrite and they can easily get out of sync.

Does anyone have any suggestions on how to implement this?

Second topic

On a related note I would also have another question which I couldn't find any documentation for:
  1. Do child objects (documents) of parent documents inherit permissions automatically or do I have to assign channels individually and if so how?
Real world example based on the todo app:
  1. User A has 100 tasks with related objects (documents):
    1. List *myList contains
      1. NSDate *created_at
      2. NSString *name
      3. NSArray *members
    2. Task *task contains
      1. List *list
      2. NSString *name
      3. bool checked
      4. NSArray *members
    3. File *file contains
      1. Task *task
      2. NSString *name
      3. NSDate *created_at
      4. NSArray *members
My question would be whether I need to iterate through all documents manually and change the members (when a new user is added)?

OR 

Do child objects inherit permissions?

OR 

I shouldn't care because users cannot access the parent (list) object and therefore won't get the reference id?

Questions over questions :) but thanks so much for your help.
Christoph

Jens Alfke

Oct 13, 2014, 8:12:00 PM
to mobile-c...@googlegroups.com

On Oct 13, 2014, at 3:59 PM, Christoph Berlin <hoptoawe...@gmail.com> wrote:

> But then it gets relatively cumbersome to share as I need to add a user to members AND members_readwrite and they can easily get out of sync.

Adding an entry to two arrays in a single document shouldn't be too cumbersome. If you're worried about inconsistency, write the client code so there's only one function/method that updates these properties.

> 1. Do child objects (documents) of parent documents inherit permissions automatically or do I have to assign channels individually and if so how?

There's no inherent relationship between any two documents. You can have one document refer to another by incorporating its ID as a property, but that's just a convention. Strong relationships (like foreign keys in relational DBs) aren't practical in distributed systems because there's no practical way to enforce multi-document transactions.

I don't think this should be a problem for your model, though. Or do you really need every one of a user's documents to have its own independent set of access privileges?

—Jens

Christoph Berlin

Oct 13, 2014, 8:23:45 PM
to mobile-c...@googlegroups.com
Hi Jens,

Thanks much for your quick reply. I will try the two-array approach for RO/RW; however, I am not quite sure I understand your comment regarding the need for individual permissions. Without going into detail of our solution, let's use the task manager sample again.

If I have list objects and task objects (with a list reference for ownership), how would I implement security and permissions? I want to share the list with other users (hence adding them to the list's member list), but how do I need to manage my tasks that I want people to access as well? Wouldn't I have to add the newly added user (I share with) to the member array of each of my tasks?

As a matter of fact I was wondering about that in the sample in general - Tasks don't have members assigned. Does that mean that they are accessible by anyone except that I use the list object as a "filter"?

Thanks

Jens Alfke

Oct 13, 2014, 9:06:59 PM
to mobile-c...@googlegroups.com

On Oct 13, 2014, at 5:23 PM, Christoph Berlin <hoptoawe...@gmail.com> wrote:

> As a matter of fact I was wondering about that in the sample in general - Tasks don't have members assigned. Does that mean that they are accessible by anyone except that I use the list object as a "filter"?

No, each task is assigned to a per-list channel (which has the same name as its list), and the list document controls who has access to that channel.

—Jens

Christoph Berlin

Oct 13, 2014, 9:42:25 PM
to mobile-c...@googlegroups.com
OK, great – and I just realized by reading my own question that I must have had a brain freeze. Obviously it is sufficient to have them assigned to one channel and done.

Thanks again

--
You received this message because you are subscribed to a topic in the Google Groups "Couchbase Mobile" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/mobile-couchbase/jMusJopFBr0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to mobile-couchba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mobile-couchbase/D05498C4-7018-439B-A0B3-59FC195B8FC4%40couchbase.com.
For more options, visit https://groups.google.com/d/optout.

Christoph Berlin

Oct 14, 2014, 12:13:18 PM
to mobile-c...@googlegroups.com
Just to close the loop on this - I came up with a concept that fits our requirements and yet doesn't require us to manage different arrays for different permissions.

Within the member array we create strings like "administrator:user...@google.com" and "viewer:user...@google.com" and use the first substring (:) for internal app logic to determine the permission level while using the second substring for channel creation. Works great...

Thanks again


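
An added example (not from the thread and not Couchbase's sample code) of enforcing the "role:user" members scheme on the server instead of only in app logic: every member gets read access to the per-list channel, and only administrators get access to a second channel that holds no documents and acts as the write permission. The "-rw" channel suffix, the type/owner/list_id fields and the write() simulator are assumptions made for the example; channel, access, requireUser and requireAccess are the Sync Gateway sync-function helpers, passed in as `sg` so the code runs offline.

```javascript
// In Sync Gateway, channel/access/requireUser/requireAccess are globals and the
// signature is (doc, oldDoc); here they arrive as `sg` so the block runs offline.
const ROLES = ["administrator", "viewer"]; // role prefixes used in the thread

function parseMember(entry) {
  const s = String(entry), i = s.indexOf(":");
  const role = s.slice(0, i), user = s.slice(i + 1);
  if (i < 1 || !user || ROLES.indexOf(role) < 0) throw { forbidden: "bad member: " + s };
  return { role: role, user: user };
}

function syncFn(doc, oldDoc, sg) {
  if (doc.type === "list") {
    // Only the owner edits membership, checked against the stored revision.
    sg.requireUser(oldDoc ? oldDoc.owner : doc.owner);
    if (oldDoc && doc.owner !== oldDoc.owner) throw { forbidden: "owner is immutable" };
    sg.channel(doc._id); // per-list channel named after the list
    sg.access(doc.owner, [doc._id, doc._id + "-rw"]);
    (doc.members || []).map(parseMember).forEach(function (m) {
      sg.access(m.user, doc._id); // every member can read
      if (m.role === "administrator") sg.access(m.user, doc._id + "-rw");
    });
  } else if (doc.type === "task") {
    // No document is routed to "<list>-rw"; access to it is the write permission.
    sg.requireAccess((oldDoc || doc).list_id + "-rw");
    if (oldDoc && doc.list_id !== oldDoc.list_id) sg.requireAccess(doc.list_id + "-rw");
    sg.channel(doc.list_id);
  } else {
    throw { forbidden: "unknown document type" };
  }
}

// Constructed stand-in for the gateway: applies one write as `user`, returns "ok"
// or the rejection reason. Grants only accumulate here (revocation is not modelled).
function write(state, user, doc) {
  const oldDoc = state.docs[doc._id] || null, pending = [];
  const has = (u, c) => (state.grants[u] || []).indexOf(c) >= 0;
  const sg = {
    channel: function () {},
    access: (u, c) => [].concat(c).forEach((ch) => pending.push([u, ch])),
    requireUser: (u) => { if (u !== user) throw { forbidden: "wrong user" }; },
    requireAccess: (c) => { if (!has(user, c)) throw { forbidden: "no access to " + c }; },
  };
  try { syncFn(doc, oldDoc, sg); } catch (e) { return e.forbidden || String(e); }
  pending.forEach(([u, c]) => { if (!has(u, c)) (state.grants[u] = state.grants[u] || []).push(c); });
  state.docs[doc._id] = doc;
  return "ok";
}
```

Because list updates are checked against the stored revision's owner, a viewer cannot promote themselves by rewriting the members array, and tasks need no members array of their own.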