Liferay Portal includes a pretty flexible permission system based on the concepts of roles, permissions and resources. This system provides several different implementations of the algorithm used to check whether a given user has permission to perform a certain action. This article describes each of the available algorithms and how to choose the one most appropriate for your case.
RBAC based algorithms
RBAC stands for Role Based Access Control and is a permissions system in which permissions are always assigned through roles.
Liferay's RBAC implementation debuted in Liferay Portal 5.1, as a way to improve the existing system, especially in terms of ease of use and performance. There are two algorithms for this implementation:
- Algorithm 5: was introduced in Liferay Portal 5.1 and has been the default algorithm since then.
- Algorithm 6: currently in development (http://issues.liferay.com/browse/LPS-2793) and will debut in Liferay Portal 6.0. Algorithm 6 is an improved version of Algorithm 5. It provides the exact same functionality, but uses bitwise operations to reduce database size by 66%.
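An illustration of the bitwise idea mentioned for Algorithm 6, added here as an example and not Liferay's own code. The action names, the class name and the one-integer-per-(role, resource) layout are assumptions, and the row counts apply only to the constructed sample, not to the 66% figure above.

```python
# Hypothetical action names for one resource type; each action owns one bit.
ACTIONS = ["VIEW", "UPDATE", "DELETE", "PERMISSIONS", "ADD_DISCUSSION"]
BIT = {name: 1 << i for i, name in enumerate(ACTIONS)}


class BitmaskPermissions:
    """One stored row per (role, resource); granted actions packed into an int."""

    def __init__(self):
        self.masks = {}  # (role, resource) -> bitmask of granted actions

    def grant(self, role, resource, action):
        key = (role, resource)
        self.masks[key] = self.masks.get(key, 0) | BIT[action]

    def revoke(self, role, resource, action):
        key = (role, resource)
        mask = self.masks.get(key, 0) & ~BIT[action]
        if mask:
            self.masks[key] = mask
        else:
            self.masks.pop(key, None)  # no bits left: drop the row

    def has_permission(self, roles, resource, action):
        # Unknown actions and missing rows both deny.
        bit = BIT.get(action, 0)
        combined = 0
        for role in roles:  # permissions reach the user only through roles
            combined |= self.masks.get((role, resource), 0)
        return bool(combined & bit)

    def rows_packed(self):
        return len(self.masks)

    def rows_unpacked(self):
        # Rows a one-row-per-(role, resource, action) layout would need.
        return sum(bin(mask).count("1") for mask in self.masks.values())


def sample_store():
    # Constructed sample grants, not taken from a real installation.
    store = BitmaskPermissions()
    for action in ("VIEW", "UPDATE", "DELETE"):
        store.grant("Editor", "article-1", action)
    store.grant("Guest", "article-1", "VIEW")
    store.grant("Editor", "article-2", "VIEW")
    store.revoke("Editor", "article-1", "DELETE")
    return store
```

The check costs one OR per role plus a single AND, and a row disappears entirely once its last bit is revoked, so an absent row always means deny.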
Legacy algorithms
The legacy algorithms were used by all installations prior to Liferay Portal 5.1. They all offer the same functionality and provide more flexibility to assign permissions to users. In particular, it's possible to assign permissions not only through roles, but also directly to organizations, communities and individual users.
This flexibility has a cost in performance and UI complexity but is needed in some scenarios. There are four different legacy algorithms:
- Algorithm 1
- Algorithm 2
- Algorithm 3
- Algorithm 4
These algorithms vary in aspects such as whether they issue fewer, more complex SQL queries or a larger number of simpler ones. There is no hard rule for choosing one or the other. The most appropriate one will be determined by factors such as the latency of access to the database, your database's ability to optimize queries, or the number of users, organizations, ... in your installation. It is recommended to perform real load tests to determine which algorithm is best for your case.
Questions & Answers
Is it possible to switch from one algorithm to another?
In general the answer is no. But there are some exceptions:
- You can safely switch among algorithms 1 to 4 at any point in time.
- A converter is being developed to change from algorithms 1 to 4 to algorithm 5.
How do I select the algorithm I want to use?
Through a configuration property of portal.properties: