Domino Upgrade

VersionSupport end
5.0
6.0
6.5
7.0
Upgrade to 8.5x now!
(see the full Lotus lifcyle) To make your upgrade a success use the Upgrade Cheat Sheet. Contemplating to replace Notes? You have to read this!

Search

Reference

1. Learn XPages online
2. Communicate with IBMers and Lotus Experts using Sametime

About Me

I am the "IBM Collaboration & Productivity Advisor" for IBM Asia Pacific. I'm based in Singapore.
Reach out to me via:
Follow notessensei on Twitter
(posts)
Skype
Sametime
IBM
Facebook
LinkedIn
XING
Amazon Store
Amazon Kindle

Mobile tag

Twitter

Category

Languages

Other languages on request.

Archive

Visitors

The country of your IP access Visitors to wissel.net

Useful Tools

Get Firefox
Use OpenDNS
The support for Windows XP is coming to an end and has . Time to consider an alternative to move on. sounds like a lot of time, but, like an object in a mirror, it is closer than you think.

« The multi-faced nature of the NSF | Main| Running xPages in a R7/R8.0 environment »

Access protected Notes documents - RDBMS style

QuickImage An interesting discussion happened today around Notes performance. In a rather large database (> 500k records) all documents are protected with Author and Reader fields. The access is rather narrow, so any user might see just about 1000 of the 500000 documents. Opening a view in the Notes client is rather slow and the old "rah. rah Notes is bad" song is performed. Notes performance is discussed in great length at other places, so this isn't what this post is about. I was wondering how one would implement access control on a record level in a relational database. This would be the specifications:
  • Design a view that restricts access to a subset of table data (we simplify here by excluding multi-value data fields)
  • A record can have zero or many readers, who are allowed to see the record
  • A record can have zero or many authors, who are allowed to see the record and later update them (eventually)
  • If a record has no readers any user with access to the database can see the record
  • If one or more readers are present only the sum of readers and authors can see the document
  • A reader or author can be of type: Person, Group, Role
  • A role can be assigned to one or more Persons or Groups
  • A group can contain Groups and People (we simplify here and omit the * operator)
  • A group can have zero or more roles
  • A person can have zero or more roles
  • A person can be member in zero or more groups
Graphically it would look somehow like this:
RelationalAccessControl400.png
Now how would an SQL statement look like? I'm not an SQL expert, so I might get quite some stuff wrong. But here is my go:

SELECT * FROM maintable
   WHERE maintable.id IN (SELECT readertable.maintableid FROM readertable
   WHERE readertable.entry = @CurrentUser
   OR readertable.entry IN (SELECT roletable.roleid FROM roletable WHERE roletable.entry = @CurrentUser)
   OR readertable.entry IN (SELECT grouptable.groupid FROM grouptable WHERE grouptable.entry = @CurrentUser)
   OR readertable.entry IN (SELECT roletable.roleid FROM roletable WHERE roletable.entry IN
   (SELECT grouptable.groupid FROM  grouptable WHERE grouptable.entry = @CurrentUser)
   )
   OR maintable.id NOT IN (SELECT readertable.maintableid FROM readertable)
   OR maintable.id IN (SELECT authortable.maintableid FROM authortable
   WHERE authortable.entry = @CurrentUser
   OR authortable.entry IN (SELECT roletable.roleid FROM roletable WHERE roletable.entry = @CurrentUser)
   OR authortable.entry IN (SELECT grouptable.groupid FROM grouptable WHERE grouptable.entry = @CurrentUser)
   OR authortable.entry IN (SELECT roletable.roleid FROM roletable WHERE roletable.entry IN
   (SELECT grouptable.groupid FROM  grouptable WHERE grouptable.entry = @CurrentUser)
   )
And that's without taking into account that a group could contain a group. Looks like a performance pig to me. Luckily in Domino we can use categorized views to make access fast. Of course I'm happy to learn that there are smarter SQL queries around.

Posted by Stephan H Wissel On 16/10/2008, Category | | Clip to Evernote Share

Comments

Gravatar Image1 - @Patric: Use single category views with the Readers Field(s) as category. Then Notes only checks document the current user can actually see.

Posted by Stephan H. Wissel At 01:52:56 On 11/11/2008 | - Website - |


Gravatar Image2 - I am still curious which steps you would take to make the performance in the Notes situation as performance effective as possible. We have similar databases and just wondering if I have taken all the steps that would improve performance.

Thank you in advance,

Patrick

Posted by Patrick Kwinten At 03:01:27 On 11/04/2008 | - Website - |


Gravatar Image3 - Thanks for this great comparison! I am sure I can use it in one of my next performance discussions Emoticon

Posted by Marius Neumann At 22:15:52 On 10/16/2008 | - Website - |


Post A Comment

Please note: Comments without a valid and working eMail address will be removed. This is my site, so I decide what stays here and what goes.

:-D:-o:-p:-x:-(:-):-\:angry::cool::cry::emb::grin::huh::laugh::rolleyes:;-)

Disclaimer

This site is in no way affiliated, endorsed, sanctioned, supported, nor enlightened by Lotus Software nor IBM Corporation. I may be an employee, but the opinions, theories, facts, etc. presented here are my own and are in now way given in any official capacity. In short, these are my words and this is my site, not IBM's - and don't even begin to think otherwise. (Disclaimer shamelessly plugged from Rocky Oliver)
© 2003 - 2012 Stephan H. Wissel - all rights reserved as listed here: Creative Commons License
Unless otherwise labeled by its originating author, the content found on this site is made available under the terms of an Attribution/NonCommercial/ShareAlike Creative Commons License, with the exception that no rights are granted -- since they are not mine to grant -- in any logo, graphic design, trademarks or trade names of any type.