« Back to Development

Permission Algorithms

Liferay Portal includes a pretty flexible permission system based on the concepts of roles, permissions and resources. This system provides several different implementations for the algorithm used to check whether a given user has permissions to perform certain action. This article describes each of the available algorithms and how to choose which one is most appropriate for your case.

RBAC based algorithms #

RBAC stands for Role Based Access Control and is a permissions system in which permissions are always assigned through roles.

Liferay's RBAC implementation debuted in Liferay Portal 5.1, as a way to improve the existing system, specially in terms of ease of use and performance. There are two algorithms for this implementation:

  • Algorithm 5: was introduced in Liferay Portal 5.1 and is the default algorithm since then.
  • Algorithm 6: currently http://issues.liferay.com/browse/LPS-2793 in development and will debut in Liferay Portal 6.0. Algorithm 6 is an improved version of Algorithm 5. It provides the exact same functionality, but uses bitwise operations to reduce database size by 66%

Legacy algorithms #

The legacy algorithms were used by all installations prior to Liferay Portal 5.1. They all offer the same functionality and provide more flexibility to assign permissions to users. In particular it's possible to assign permissions not only through roles, but also directly to organizations, communities and individual users.

This flexibility has a cost in performance and UI complexity but is needed in some scenarios. There are four different legacy algorithms:

  • Algorithm 1
  • Algorithm 2
  • Algorithm 3
  • Algorithm 4

These algorithms vary in aspects such as making fewer complex SQL queries vs more simple SQL queries. There is no hard rule for choosing one or the other. The most appropriate will be determined by factors such as the latency of the access to the db, the ability to optimize queries of your database or the number of users, organizations, ... of your installation. It is recommended to perform real load tests to determine which algorithm is best for your case.

Questions & Answers #

Is it possible to switch from one algorithm to another? #

In general the answer is no. But there are some exceptions:

  • You can safely switch algorithms 1 to 4 at any point in time
  • A converter is being developed to change from algorithms 1 to 4 towards algorithm 5.

How do I select the algorithm I want to use? #

Through a configuration property of portal.properties:

    permissions.user.check.algorithm=5
0 Attachments
27828 Views
Average (1 Vote)
The average rating is 4.0 stars out of 5.
Comments
Threaded Replies Author Date
What happens if am in algorithm 2 and switch to... Daniel Polistchuck April 12, 2009 6:24 PM
Is the converter REALLY being developed? How... Dana Oredson April 16, 2009 12:11 PM
Where are the details of algorithm 5... Ralph Goers January 26, 2010 7:37 PM
"A converter is being developed to change from... Richard Kovacs August 24, 2010 6:58 AM
does anyone know if the converter was developed... mirko bordigoni December 7, 2011 7:05 AM

What happens if am in algorithm 2 and switch to 5? Will I corrupt something or would it only be a matter of manually applying permissions?
(Great product, btw!)

Regards,

Daniel
Posted on 4/12/09 6:24 PM.
Is the converter REALLY being developed? How hard can it be to write? I am more than willing to contribute, either in testing or attempting to write something, if anyone is willing to share what has been developed so far.

It's been quite a while since the RBAC algorithm was introduced, but I haven't seen any upgrade tools so far.

Anyone?
Posted on 4/16/09 12:11 PM.
Where are the details of algorithm 5 documented? The link in LPS-2793 does a good job of documenting how the data is structured, but I haven't seen anything that documents how these algorithms work.
Posted on 1/26/10 7:37 PM.
"A converter is being developed to change from algorithms 1 to 4 towards algorithm 5." maybe when it will be finished, please link here the converter. It's easier to find here.
Posted on 8/24/10 6:58 AM.
does anyone know if the converter was developed and where is?thanks
Posted on 12/7/11 7:05 AM in reply to Richard Kovacs.