ABAC Role delete / re-create optimization question

Hi All

I have a Node/Express API that follows the component pattern, and a handful of ABAC roles that cover those components/collections. This is in a single, multi-tenant DB, and said roles are created programmatically at startup.

In this startup procedure I delete all existing roles and then recreate them from the definitions in my code. In other words, currently during development even a save of a .js file with nodemon triggers a restart of my server, meaning roles get deleted and recreated. (This is done primarily because the roles evolve quite rapidly along with the components of the API)

Now I haven’t run into any issues yet, and the above happens almost instantly, so it’s not an issue at present, but I’m cautious about going to production with this mechanism, because I’m uncertain if the internal optimizations that Fauna does for my roles will also get wiped along with the role itself, and then at scale this will slow things down each time I restart a server container. Also I’m not sure what this will do with multiple containers being orchestrated outside of my direct control (I actually only thought of this just now… -_- )

An alternative might be to compare the current roles with the codebase ones at startup and only delete and recreate the ones that have been changed?

Anyone have a smart solution or advice on this topic? Is this a valid concern or am I overthinking this?


Fauna is a shared service, so there is no special containerization around just your account. Fauna’s query coordinator keeps resources in a cache to re-use when possible. This includes Roles. Making changes to a Role will invalidate the current cache, for example by deleting a Role, or writing to one with Update or Replace.

In practice, it is unlikely that you will see much performance impact, unless you are constantly making changes.

The thing I would suggest you consider most for production would be avoiding downtime. If you Delete the Role, there will be a period of time (small though it may be) where any tokens which should have that Role will produce unauthorized errors, until you can create the new one.

One thing that you can do to prevent this is to edit the Role in place if it already exists. This will ensure no downtime in your app between the different versions of the Role.

For example:

    role: Role("logged_in"),
    exists:  Exists(Var("role")),
    Replace(Var("role"), { /* ... */ }),
    CreateRole({ /* ... */ })