So I have a case where data structure looks more like a graph so lets say (object)->(another one)->(yes, antoher)->(even more). And this is stored in graph DB but there's "piled" data which is stored in different engine as pile of things referenced by some filed to vertex/node in graph one.
My problem is that I need security "user per object" where each user can have different access rights, and no role will help in this case as most of the users have different access rights even when they work at same position. So this is what I would call access grant per record or per object.
Now if someone has access to particular object he automatically has access to parent objects. But for example lets say I have (A)->(B) and (A)->(C). If I can access B I should be able to get A but not necessarily C.
I do plan to integrate something like HashiCorp Consul or if there's another similar thing which is easy to use but I don't think this can help at all. I also do have SSO but as any other it mainly relies on roles and such.
BTW, system is multi tenant so adding a new record to a specific user should be visible only for that particular client users, and Admin should decide who get's to see what.
So couple of ways to do it:
- Have enormous amount of custom queries which filter out data - slow, hard to maintain and possible to leak data when new features are added or changes are introduced.
- Middleware that handles access per object only - also slow due to a lot of network calls like Client -> load balancer -> API -> DB -> API -> middleware -> DB of the middleware -> middleware -> API -> load balancer -> Client. This could be used with some form of in memory cache which would speed up thing to some extent.
- Have in-memory filter where each record stored and modified by admin has it's access towards each user cached - extra expensive to have huge amounts of RAM for such a cache
- Have SSO deal with it through roles - now I have no idea how would I automate adding roles for each new object inserted to the system, and why would I have so much roles. Users have single access for SSO, so the actual roles would have to spill all over place as there's things like user from one tenant can be added to access some of the data of another tenant...
Anyone have ideas on how to deal with this in optimal way? I really do need help, maybe some software for this I didn't know exits or using SSO or Consul properly somehow for this?