Description

The parital evaluation mechanism does not consider subgroups when evaluating the permissions for parent groups.

As a result, administrators must specify permissions for subgroups if they want to grant view access or view-member access, if filtering users.

However, evaluating subgroups has some drawbacks:

• You cannot cache the subgroups of groups during partial evaluation. Doing so will potentially make the group cache inconsistency by not reflecting the subgroups of a group.
• Groups might have a considerable amount of subgroups as well as a deep hierarchy. That will add additional overhead to queries when filtering the allowed or denied groups based on the permission set to parent groups.

The first drawback above can be addressed by skipping caching groups if queries are running in the scope of the partial evaluation.

However, the second one might introduce a huge overhead, depending on the groups hierarchy. One solution for this can be to add limits to how many levels the partial evaluator should take into account. For instance, only consider the first 3 levels of subgroups, therefore, giving some flexibility for use cases with a reasonable group hierarchy while still allowing to add permissions to groups so that they can enforce access to more levels, when needed.

Discussion

No response

Motivation

No response

Details

No response