So, I was trying to build an IAM service like Amazon IAM, but simpler. A company has users, groups, and policies. As you can imagine, users, groups, and policies have many-to-many relations between each other. Actions:
- Policies can be added to groups
- Users can be added to groups or policies
Now the issue is, if a user tries to log in, I have to make 3 requests:
- Get groups and policies from the user partition
- Get all policies from the groups in that list
- Get all policies
So I have to do 3 round trips for every login. Is there a better way to do this? Or should I design the relations differently?
I would denormalize this.
The effective policy of the user should be an attribute in the user document.
The effective policy should be recalculated asynchronously after the user is added to or removed from a group, or a policy is attached to or detached from the user.
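An added example of the denormalized design described in this answer, not code from either poster: the normalized relations stay as they are, each user document carries a precomputed "effective" policy, a recompute queue stands in for the async worker, and login becomes a single read. The policy statement shape and the deny-overrides-allow merge rule are assumptions; the thread does not specify them.

```python
from collections import defaultdict

class IamStore:
    """Constructed in-memory store: normalized relations plus a denormalized user doc."""
    def __init__(self):
        self.policies = {}                        # policy id -> list of statements
        self.group_policies = defaultdict(set)    # group -> policy ids
        self.user_groups = defaultdict(set)       # user -> group ids
        self.user_policies = defaultdict(set)     # user -> directly attached policy ids
        self.user_docs = defaultdict(dict)        # user -> document holding "effective"
        self.pending = []                         # users whose doc must be recomputed

    def attach_to_group(self, group, pid):
        self.group_policies[group].add(pid)
        # a group change invalidates every member's effective policy
        self.pending.extend(u for u, gs in self.user_groups.items() if group in gs)

    def add_user_to_group(self, user, group):
        self.user_groups[user].add(group); self.pending.append(user)

    def attach_to_user(self, user, pid):
        self.user_policies[user].add(pid); self.pending.append(user)

    def compute_effective(self, user):
        """Merge every reachable policy into one action -> decision map; an explicit Deny wins."""
        pids = set(self.user_policies[user])
        for g in self.user_groups[user]:
            pids |= self.group_policies[g]
        effective = {}
        for pid in sorted(pids):
            for st in self.policies[pid]:
                for action in st["actions"]:
                    if st["effect"] == "Deny" or effective.get(action) != "Deny":
                        effective[action] = st["effect"]
        return effective

    def run_worker(self):
        """Drain the queue; in production this is the async job the answer describes."""
        for user in set(self.pending):
            self.user_docs[user]["effective"] = self.compute_effective(user)
        self.pending.clear()

    def login(self, user):
        """One read: the denormalized document already holds the effective policy."""
        return self.user_docs[user].get("effective", {})

def demo():
    s = IamStore()
    s.policies["ReadOnly"] = [{"effect": "Allow", "actions": ["s3:Get", "s3:List"]}]
    s.policies["Admin"] = [{"effect": "Allow", "actions": ["s3:Get", "s3:Put", "iam:*"]}]
    s.policies["NoIam"] = [{"effect": "Deny", "actions": ["iam:*"]}]
    s.attach_to_group("devs", "ReadOnly"); s.add_user_to_group("alice", "devs")
    s.attach_to_user("alice", "Admin"); s.run_worker()
    before = s.login("alice")              # iam:* is Allow here
    s.attach_to_group("devs", "NoIam")     # marks alice dirty; doc is stale until the worker runs
    stale = s.login("alice"); s.run_worker()
    return before, stale, s.login("alice")
```

The `stale` read shows the trade-off of recomputing asynchronously: between a membership change and the worker run, login still sees the previous effective policy.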