The efficiency of OPA

[xwzbupt]

Consider this application scenario. If the granularity of access control is fine enough, a large number of access control policies are required. I would like to ask the following questions:

1. If there are too many policies, does it take a lot of time to traverse the policies?
2. If Rego is used to describe the policy, how to optimize the traversal strategy? If I use sequential structure with some optimization algorithms or tree structure.
3. Does the scenario of many access control policies really exist？

[anderseknert]

Hi @xwzbupt 👋

I don't think you'll necessarily need a large number of policies for fine grained access control.

OPA uses both policy and data to make policy decisions, and the common pattern is to try and push as much of the dynamic data (i.e. things that are likely to change over time) into data and not policy rules. Granted, there are situations where you'd actually want to have a large number of rules, but those are rare.

1. Thanks to indexing and other performance optimizations, this is normally dealt with rather quickly.
2. See the docs on performance optimization for some pointers.
3. Sure! Although I'd recomend considering upfront what should be policy/rules and what should be treated as data.

[xwzbupt]

Thanks for your answer!
I have seen some methods to optimize the efficeincy of ABAC policies by some algorithms or tree-structures in some papers. When it comes to these papers, there will be lots of pilocies to make sure the security in some IoT systems or some cloud computing system. Or maybe it is different from industy to academic.

[anderseknert]

Yeah, I think in general it's pretty hard to discuss these things as abstract concepts. There are many ways of modeling both policy and data depending on requirements, and you'll need to consider which ones apply to your particular case.