Performance impact of Roles and Best Practice.
16 July 2020 01:47 AM
The performance of MarkLogic Server query evaluation can be affected by the user running the query and the roles that user inherits.
Impact of the Number of Roles Inherited by a User on Query Evaluation.
When application users are assigned the necessary application roles, security evaluation for each user comes into play. By design, query performance is inversely proportional to the number of roles inherited by the user executing the query. That is, with each new role a user inherits, queries run by that user take a little longer to evaluate the Security schema.
Question: How does the number of roles inherited by a user increase query evaluation time?
For each role that a user has, MarkLogic Server adds an index term to every query the user executes.
For example, if a user inherits ten roles, MarkLogic Server adds ten terms to every query the user executes; one hundred roles adds one hundred terms to every query; one thousand roles adds one thousand terms to every query that specific user runs.
If your testing shows that the performance of queries with hundreds of terms is acceptable, then having a user inherit hundreds of roles may also be acceptable. However, if a query with hundreds of terms is too slow, then a user inheriting hundreds of roles will also be too slow.
Question: Does a large number of new roles spread across different users, with no single user inheriting all of them, have an impact on query performance?
You can have thousands of roles defined without query performance being affected by the security evaluation overhead, as long as those roles are not all inherited by the same user. Only when those roles are all inherited by a single user do they increase the security evaluation overhead for queries run by that particular user.
Query performance is not correlated with the total number of roles, but performance does degrade as the number of roles per user grows. MarkLogic can easily handle tens of thousands of total roles, but cannot easily handle more than tens of roles per user.
It is unlikely that a user who inherits thousands of roles will see acceptable performance for the queries that user runs. Unless it is absolutely necessary, and the role evaluation performance overhead has been taken into account, we recommend against assigning thousands of roles to a user.
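Because the cost follows the number of roles a user holds after inheritance is resolved, not the number assigned directly, an audit has to walk the role graph. The following is an added example, not MarkLogic code: the role and user data are constructed, and the function names and the max_roles threshold are hypothetical values to replace with an export from your own Security database and a limit taken from your own testing.

```python
# Constructed sample data (not from a real Security database):
# role -> roles it directly inherits, user -> directly assigned roles.
ROLE_INHERITS = {
    "app-reader": [],
    "app-writer": ["app-reader"],
    "audit-viewer": ["app-reader"],
    "app-admin": ["app-writer", "audit-viewer"],
    "legacy-a": ["legacy-b"],
    "legacy-b": ["legacy-a"],  # inheritance cycle, handled by the seen set
}
USER_ROLES = {
    "alice": ["app-admin"],
    "bob": ["app-reader"],
    "svc-batch": ["app-admin", "legacy-a"],
}


def effective_roles(direct, role_inherits):
    """Return every role held directly or through inheritance."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role in seen:
            continue  # already counted; also stops cycles
        seen.add(role)
        stack.extend(role_inherits.get(role, []))
    return seen


def audit(user_roles, role_inherits, max_roles):
    """Map each user to (effective role count, over-limit flag).

    The count is the number of terms added to each of that user's
    queries, per the one-term-per-role rule described above.
    """
    report = {}
    for user, direct in user_roles.items():
        count = len(effective_roles(direct, role_inherits))
        report[user] = (count, count > max_roles)
    return report


if __name__ == "__main__":
    # max_roles=4 is a hypothetical limit for this sample data.
    for user, (count, over) in sorted(audit(USER_ROLES, ROLE_INHERITS, 4).items()):
        flag = "  OVER LIMIT" if over else ""
        print(f"{user}: {count} roles -> {count} added query terms{flag}")
```

Here svc-batch has two direct roles but six effective ones, which is the figure that matters for query evaluation.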