
Permission Algorithms

Liferay Portal includes a pretty flexible permission system based on the concepts of roles, permissions and resources. This system provides several different implementations of the algorithm used to check whether a given user has permission to perform a certain action. This article describes each of the available algorithms and how to choose the one most appropriate for your case.

RBAC based algorithms

RBAC stands for Role Based Access Control and is a permissions system in which permissions are always assigned through roles.

Liferay's RBAC implementation debuted in Liferay Portal 5.1 as a way to improve the existing system, especially in terms of ease of use and performance. There are two algorithms for this implementation:

  • Algorithm 5: was introduced in Liferay Portal 5.1 and is the default algorithm since then.
  • Algorithm 6: currently in development (http://issues.liferay.com/browse/LPS-2793) and will debut in Liferay Portal 6.0. Algorithm 6 is an improved version of Algorithm 5. It provides the exact same functionality, but uses bitwise operations to reduce database size by 66%.
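
The idea of storing grants as bits, as an added example (not Liferay's code or schema): the action names, bit values, sample rows and function names are assumptions made for illustration. It shows that one bitmask per role and resource answers the same role-based checks as one row per granted action.

```python
# Constructed model of two ways to store role-based grants.
# Illustrative only: this is not Liferay's schema or API.
from collections import defaultdict

# Hypothetical actions for one resource type; each action owns one bit.
ACTION_BITS = {"VIEW": 1, "UPDATE": 2, "DELETE": 4, "PERMISSIONS": 8}

# Constructed sample data: one row per (role, resource, granted action).
PER_ACTION_ROWS = [
    ("Guest", "doc-1", "VIEW"),
    ("Editor", "doc-1", "VIEW"),
    ("Editor", "doc-1", "UPDATE"),
    ("Owner", "doc-1", "VIEW"),
    ("Owner", "doc-1", "UPDATE"),
    ("Owner", "doc-1", "DELETE"),
    ("Owner", "doc-1", "PERMISSIONS"),
]

# Constructed role assignments; permissions reach users only through roles.
USER_ROLES = {"alice": {"Owner"}, "bob": {"Editor", "Guest"}, "eve": {"Guest"}}


def to_bitmask_rows(rows):
    """Collapse per-action rows into one (role, resource) -> bitmask entry."""
    masks = defaultdict(int)
    for role, resource, action in rows:
        masks[(role, resource)] |= ACTION_BITS[action]
    return dict(masks)


def has_permission_rows(user, resource, action, rows=PER_ACTION_ROWS):
    """Row-per-action check: search for a grant held by one of the user's roles."""
    roles = USER_ROLES.get(user, set())
    return any(r in roles and res == resource and a == action
               for r, res, a in rows)


def has_permission_mask(user, resource, action, masks):
    """Bitmask check: AND the action's bit against each role's stored mask."""
    bit = ACTION_BITS.get(action)
    if bit is None:  # unknown action: deny instead of testing a zero bit
        return False
    return any(masks.get((role, resource), 0) & bit
               for role in USER_ROLES.get(user, set()))


if __name__ == "__main__":
    masks = to_bitmask_rows(PER_ACTION_ROWS)
    print(len(PER_ACTION_ROWS), "per-action rows ->", len(masks), "bitmask rows")
    print("bob may UPDATE doc-1:", has_permission_mask("bob", "doc-1", "UPDATE", masks))
```
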

Legacy algorithms

The legacy algorithms were used by all installations prior to Liferay Portal 5.1. They all offer the same functionality and provide more flexibility to assign permissions to users. In particular it's possible to assign permissions not only through roles, but also directly to organizations, communities and individual users.

This flexibility has a cost in performance and UI complexity but is needed in some scenarios. There are four different legacy algorithms:

  • Algorithm 1
  • Algorithm 2
  • Algorithm 3
  • Algorithm 4

These algorithms vary in aspects such as making fewer but more complex SQL queries versus more but simpler SQL queries. There is no hard rule for choosing one or the other. The most appropriate one will be determined by factors such as the latency of access to the database, the ability of your database to optimize queries, or the number of users, organizations, etc. in your installation. It is recommended to perform real load tests to determine which algorithm is best for your case.

Questions & Answers

Is it possible to switch from one algorithm to another?

In general the answer is no. But there are some exceptions:

  • You can safely switch between algorithms 1 to 4 at any point in time.
  • A converter is being developed to change from algorithms 1 to 4 towards algorithm 5.

How do I select the algorithm I want to use?

Through a configuration property of portal.properties:

Thread replies Author Date
What happens if am in algorithm 2 and switch to... Daniel Polistchuck 12 April 2009 18:24
Is the converter REALLY being developed? How... Dana Oredson 16 April 2009 12:11
Where are the details of algorithm 5... Ralph Goers 26 January 2010 19:37
"A converter is being developed to change from... Richard Kovacs 24 August 2010 06:58
does anyone know if the converter was developed... mirko bordigoni 7 December 2011 07:05

What happens if I am in algorithm 2 and switch to 5? Will I corrupt something or would it only be a matter of manually applying permissions?
(Great product, btw!)


Posted on 12/04/09 18:24.
Is the converter REALLY being developed? How hard can it be to write? I am more than willing to contribute, either in testing or attempting to write something, if anyone is willing to share what has been developed so far.

It's been quite a while since the RBAC algorithm was introduced, but I haven't seen any upgrade tools so far.

Posted on 16/04/09 12:11.
Where are the details of algorithm 5 documented? The link in LPS-2793 does a good job of documenting how the data is structured, but I haven't seen anything that documents how these algorithms work.
Posted on 26/01/10 19:37.
"A converter is being developed to change from algorithms 1 to 4 towards algorithm 5." Maybe when it is finished, please link the converter here. It's easier to find here.
Posted on 24/08/10 06:58.
Does anyone know if the converter was developed and where it is? Thanks
Posted on 07/12/11 07:05 in reply to Richard Kovacs.