Suppose we have a folder with a large number of documents, that is continuously updated with other documents.
We set permission on the folder so everyone can see the folder, but set permission on every document so that only specific users can see the document inside the folder.
I have 2 questions about the above scenario:
- How much will this impact the performance of Nuxeo
- Is there a limit on the number of documents with specific ACL on each folder? (for example sharepoint has a limit of 50 000 for this use case. See here security scope)
Having a large number of documents in a folder is not a problem, although as pointed out you have to adapt the UI as page-based navigation isn't user-friendly in that case.
Having different ACLs on each of those documents is not a problem either, although of course some ACL-based tables will grow bigger as a result.
As asked in a comment above, when you list a folder at any time a filter is done using the aforementioned tables but again that's normal behavior.
Maybe you can read this : http://doc.nuxeo.com/x/uAAt
and this : http://doc.nuxeo.com/x/xgwz (part “Capacity and Sizing”)
- set permissions on folders (default) or documents (see http://doc.nuxeo.com/x/xgQz) : it doesn't change the perf
- there is no limit for number of childs on a document (cf “you can have folders with several thousands of child documents” on the first link of my answer) -> but it could be not user-friendly if your users see 6382 pages of docs in a folder
- if you set a very large number of ACL on the same document (folder or file) then adapt the size for the pre-computed ACLs (search about “aclOptimizations” and “readAclMaxSize” … it can be configured in your nuxeo.conf file) -> again, think it's not user-friendly to manage a rights page with 394 ACL entries (furthermore, there is no pagination on rigths management page)
I also have custom programmatic security for individual documents and I haven't seen any negative performance issues (assuming of course you have sufficient hardware and have tuned your database config).
i don't think we will have a large number of ACLs per document , but we may have a large number of documents, more than 5000 for sure. I was wondering about the performance also for another reason, say i have a folder with 10000 docs, and have set ACLs on each of them so only the authorized users can see certain docs.
When the user opens the folder, there certainly happens a calculation of permission in order to show the user the docs he has permission on. Could this impact the systems performance?
If you're still afraid. Use JMeter, Funkload, or any other tool to objectively validate that Nuxeo can be performant in your case.
Samples of Nuxeo's benchmarks : http://public.dev.nuxeo.com/~ben/bench-10m/ http://public.dev.nuxeo.com/~ben/bench-navigation-3m/