document-level access control


Seung Chan Lim

Jan 31, 2015, 12:41:57 PM
to mobile-c...@googlegroups.com
I'm trying to implement document-level access control. 

My initial instinct is to simply add an attribute to the document (i.e. "access") and make it a list that I can keep appending users to (i.e. ["user1", "user2", "user3"]). 

I can then use the sync gateway to make the document id a channel, then give all the users in the "access" attribute access to the channel.

Is this the best way? I'm just concerned that the "access" list is going to get very big with a lot of users.

Is there a smarter way?

slim

Jens Alfke

Jan 31, 2015, 2:51:34 PM
to mobile-c...@googlegroups.com
That's one way to do it. Another way is to create a separate doc for every user membership, looking something like
{type: "membership", "doc": "some_document_id", "member": "jens"}
Then you set up the sync function to recognize this doc type and use it to grant "jens" access to channel "some_document_id".

The tradeoff is between one big document, or lots of small documents. (Or you can have an intermediate, like the above example but you make the "member" property an array so it can grant access to multiple users with one doc.)

If you expect users to be grouped together, you can bring roles into it — have the master doc list the roles it grants access to, and per-user docs stating what roles the user is in.

—Jens

Seung Chan Lim

Feb 1, 2015, 8:04:27 AM
to mobile-c...@googlegroups.com
Ah... Membership documents! Indeed. That's a great idea! Thank you.

As for roles: is the following all the documentation available for roles?
http://developer.couchbase.com/mobile/develop/guides/sync-gateway/administering-sync-gateway/authorizing-users/index.html#roles

Are there more on how to create roles, add/remove users from it, etc?

slim

Jens Alfke

Feb 1, 2015, 12:11:18 PM
to mobile-c...@googlegroups.com

On Feb 1, 2015, at 5:04 AM, Seung Chan Lim <djs...@gmail.com> wrote:

Are there more on how to create roles, add/remove users from it, etc?

There's a role() function that the sync function can call, to give a role to a user.

—Jens

Seung Chan Lim

Feb 3, 2015, 11:16:09 AM
to mobile-c...@googlegroups.com
How about removing a user from a role? I'm not seeing any mention of that on that page or on google. I assume you can't just manually edit the "roles" attribute of the user account doc?

Jens Alfke

Feb 3, 2015, 12:02:26 PM
to mobile-c...@googlegroups.com

On Feb 3, 2015, at 8:16 AM, Seung Chan Lim <djs...@gmail.com> wrote:

How about removing a user from a role? I'm not seeing any mention of that on that page or on google. I assume you can't just manually edit the "roles" attribute of the user account doc?

If the sync function adds a user to a role, that action is associated with that document. If the next edit of the document changes it such that the sync function no longer makes that role() call, then the user won't be added to the role anymore, so they won't have the role (unless something else is still giving it to them).

What's actually going on is that every document has ACL metadata that lists what users should be given which roles, and access to which channels. This metadata is rewritten by the sync function every time the document is updated. The users' role memberships and channel access are computed by merging together the ACLs of all documents.

—Jens
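The membership-document and role design from Jens's first reply, together with the per-document ACL rewriting and merging he describes in this one, as an added example that is not part of the original thread and is not Couchbase's code. channel(), access(), role(), requireUser(), requireRole(), requireAccess() and throw({forbidden: ...}) are the real Sync Gateway sync-function API names; the doc types "document", "membership" and "rolemember", their field names, and the SyncGatewaySim class (a constructed in-memory stand-in for Sync Gateway's ACL bookkeeping, with a null user standing in for the admin API) are assumptions made for this example. The checks on who may write a membership or role document are the part a practitioner would want: without them, any user who can write to the bucket can mint a membership doc that grants themselves access.

```javascript
// Added example (not from the thread or from Couchbase). Sync Gateway API names:
// channel/access/role/requireUser/requireRole/requireAccess and {forbidden:...}.
// Assumed for this example: doc types "document", "membership", "rolemember",
// their field names, and the SyncGatewaySim stand-in below.

let currentAcl = null;   // ACL metadata being rebuilt for the doc under update
let currentUser = null;  // requesting user; null models the admin API (checks skipped)
let sim = null;          // simulator, so require*() can consult the stored ACLs

function channel(name) { currentAcl.channels.push(name); }
function access(who, channels) {   // grant user(s) or "role:<r>" access to channel(s)
  [].concat(who).forEach(function (p) {
    [].concat(channels).forEach(function (c) { currentAcl.access.push([p, c]); });
  });
}
function role(user, roleName) { currentAcl.roles.push([user, roleName]); }
function requireUser(name) {
  if (currentUser !== null && [].concat(name).indexOf(currentUser) < 0)
    throw({ forbidden: "must be " + name });
}
function requireRole(r) {
  if (currentUser !== null && !sim.rolesOf(currentUser).has(r))
    throw({ forbidden: "requires " + r });
}
function requireAccess(ch) {
  if (currentUser !== null && sim.channelsOf(currentUser).indexOf(ch) < 0)
    throw({ forbidden: "no access to " + ch });
}

// The sync function. Authorization uses the stored revision (oldDoc) so a writer
// cannot grant themselves rights by editing the fields the checks rely on.
function syncFunction(doc, oldDoc) {
  var stored = oldDoc || doc;
  if (oldDoc && !doc._deleted && doc.type !== oldDoc.type)
    throw({ forbidden: "type cannot change" });
  switch (stored.type) {
    case "document":                                // the protected doc itself
      requireUser(stored.owner);
      if (doc._deleted) return;                     // tombstone: ACL becomes empty
      if (doc.owner !== stored.owner) throw({ forbidden: "owner is immutable" });
      channel(doc._id);                             // the doc id is its channel
      access(doc.owner, doc._id);
      (doc.roles || []).forEach(function (r) { access("role:" + r, doc._id); });
      break;
    case "membership":                              // {doc: "<id>", member: "jens" | [..]}
      requireAccess(stored.doc);                    // only readers of the doc may add members
      if (doc._deleted) return;
      if (oldDoc && doc.doc !== oldDoc.doc) throw({ forbidden: "cannot retarget" });
      access(doc.member, doc.doc);
      break;
    case "rolemember":                              // {user: "alice", role: "editor"}
      requireRole("role:admin");                    // only admins hand out roles
      if (doc._deleted) return;
      role(doc.user, "role:" + doc.role);
      break;
    default:
      throw({ forbidden: "unknown type " + stored.type });
  }
}

// Constructed stand-in: each accepted revision replaces that doc's ACL wholesale,
// and a user's effective roles and channels are the merge of every doc's ACL.
class SyncGatewaySim {
  constructor() { this.docs = {}; this.docAcl = {}; sim = this; }
  update(doc, user) {                 // returns true if accepted, false if forbidden
    currentUser = user === undefined ? null : user;
    currentAcl = { channels: [], access: [], roles: [] };
    try { syncFunction(doc, this.docs[doc._id] || null); }
    catch (e) { currentAcl = null; if (!e || !e.forbidden) throw e; return false; }
    this.docAcl[doc._id] = currentAcl;                // previous ACL for this doc discarded
    this.docs[doc._id] = doc;
    currentAcl = null;
    return true;
  }
  rolesOf(user) {
    const roles = new Set();
    for (const acl of Object.values(this.docAcl))
      for (const [u, r] of acl.roles) if (u === user) roles.add(r);
    return roles;
  }
  channelsOf(user) {
    const principals = new Set([user, ...this.rolesOf(user)]);
    const chans = new Set();
    for (const acl of Object.values(this.docAcl))
      for (const [p, c] of acl.access) if (principals.has(p)) chans.add(c);
    return [...chans].sort();
  }
  canRead(user, docId) {
    const acl = this.docAcl[docId];
    return !!acl && acl.channels.some((c) => this.channelsOf(user).includes(c));
  }
}
```

Role removal works exactly as described in the reply: re-saving the "rolemember" doc with a different user (or deleting it) replaces that doc's ACL contribution, and the previous holder loses the role on the next merge unless some other document still grants it. Note that a membership doc whose owner later loses access to the target document keeps granting until it is edited or deleted, since the requireAccess check only runs when the membership doc itself is written.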