Hi @ptpaterson,
The database does its best to optimize for the most common access pattern. There is a single permission table for the set of overlapping roles. The permission lookup is a tuple of
(resource_id, action_name)
the result is a set of permissions composed of all configured actions among the overlapping roles.
While building the permission table, if one of the actions for a lookup key is trivially true, we don’t evaluate all roles but rather just grant the permission on lookup. However, if all actions for a given lookup key are predicates, we evaluate them sequentially until one of them returns true, or we deny access otherwise.
In that case, the system keeps track of the predicates that are most successful (return true) and evaluates them first.
So, in the case where all overlapping roles' actions are predicates, make sure they are as efficient as possible.
Lastly, there is a maximum number of roles per resource. Currently, it’s 64.
Hope this helps.
Luigi
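A small model of the lookup behaviour described in the reply above, added here as an illustration; it is not the database's own implementation and not part of the original thread. The role/privilege dictionary shape, the `ctx` argument passed to predicates, and the hit-counting reorder are assumptions of the model; the (resource_id, action_name) key, the trivially-true short-circuit, sequential predicate evaluation, and the 64-role limit follow the reply.

```python
from collections import defaultdict

MAX_ROLES_PER_RESOURCE = 64  # limit stated in the reply above


class PermissionTable:
    """Model of one permission table for a set of overlapping roles.

    The lookup key is (resource_id, action_name). An entry is either True
    (some role grants the action unconditionally) or an ordered list of
    predicates, one per role that configured that action. Hypothetical
    model, not the database's own code.
    """

    def __init__(self, roles):
        # roles: [{"name": str, "privileges": {resource_id: {action_name: True | callable}}}]
        self.entries = {}
        self.calls = defaultdict(int)  # (role, resource_id, action) -> times the predicate ran
        roles_per_resource = defaultdict(set)
        for role in roles:
            for resource_id, actions in role["privileges"].items():
                roles_per_resource[resource_id].add(role["name"])
                if len(roles_per_resource[resource_id]) > MAX_ROLES_PER_RESOURCE:
                    raise ValueError(f"more than {MAX_ROLES_PER_RESOURCE} roles on {resource_id!r}")
                for action_name, rule in actions.items():
                    key = (resource_id, action_name)
                    if self.entries.get(key) is True:
                        continue  # already unconditionally granted; no predicate to add
                    if rule is True:
                        self.entries[key] = True  # trivially true wins over any predicates
                    elif callable(rule):
                        self.entries.setdefault(key, []).append(
                            {"role": role["name"], "predicate": rule, "hits": 0})

    def check(self, resource_id, action_name, ctx):
        entry = self.entries.get((resource_id, action_name))
        if entry is None:
            return False  # no role configured this action: deny
        if entry is True:
            return True  # granted on lookup, no predicate runs
        # All roles are predicates: evaluate in order until one returns true.
        for item in entry:
            self.calls[(item["role"], resource_id, action_name)] += 1
            if item["predicate"](ctx):
                item["hits"] += 1
                # Assumed adaptive step: most successful predicates move to the front.
                entry.sort(key=lambda i: i["hits"], reverse=True)
                return True
        return False


def build_demo_table():
    """Constructed roles: two predicate roles overlap on documents/read,
    one role grants documents/list unconditionally."""
    roles = [
        {"name": "auditor", "privileges": {"documents": {
            "read": lambda ctx: ctx["is_auditor"]}}},
        {"name": "owner", "privileges": {"documents": {
            "read": lambda ctx: ctx["user"] == ctx["doc_owner"],
            "write": lambda ctx: ctx["user"] == ctx["doc_owner"]}}},
        {"name": "public", "privileges": {"documents": {"list": True}}},
    ]
    return PermissionTable(roles)


def exceeds_role_limit(roles):
    """True when building the table rejects the role set for the per-resource limit."""
    try:
        PermissionTable(roles)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    table = build_demo_table()
    owner_ctx = {"user": "alice", "doc_owner": "alice", "is_auditor": False}
    for _ in range(5):
        table.check("documents", "read", owner_ctx)
    # After the first hit the owner predicate is tried first, so the auditor
    # predicate runs only once across five lookups.
    print(dict(table.calls))
```

Running the demo shows why predicate cost matters: on the first read the auditor predicate runs and fails before the owner predicate succeeds, but from then on the owner predicate is tried first and the auditor predicate is never evaluated again for that key. A slow predicate that rarely returns true still pays its full cost on every lookup where no cheaper predicate succeeds before it.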