TL;DR
Simple, read-time permission checks with recursive queries work at small scale but become slow as data and nesting grow. Pre-computing permissions at write-time (RBAC) speeds reads but shifts complexity to writes and risks drift; ABAC is flexible for single-resource checks but struggles when listing many objects. Techniques like materialized paths can reduce recursive traversal costs.
What happened
The piece examines common approaches to access control in enterprise SaaS, using a folders-and-files example to show how naive, on-demand permission queries generate many recursive database calls and degrade performance as usage grows. It contrasts that with a Role-Based Access Control (RBAC) pattern that stores precomputed user-to-resource permissions in a dedicated table, enabling simple, fast joins at read-time while requiring extra work and careful updates on each write (resource creation, sharing). The article cites PostHog’s AccessControl model as a real-world instance of storing precomputed permissions and caching them during requests to avoid repeated lookups. It also reviews Attribute-Based Access Control (ABAC), which expresses rules declaratively and works well for single resource authorization checks but complicates bulk listings because policies must be evaluated per object. Finally, the write-up highlights approaches to remove recursive hierarchy traversal—such as materialized paths—so descendant and ancestor queries become prefix searches rather than recursive joins.
Why it matters
- Read-time recursive permission checks can become a scalability bottleneck for enterprise customers with large datasets and deep hierarchies.
- Precomputing permissions speeds reads but increases write-time cost and raises the risk of the permissions store drifting out of sync with primary data.
- Different access-control models (RBAC vs ABAC) have trade-offs: RBAC optimizes listing, ABAC offers expressive policies for single-item decisions.
- Choosing a hierarchy representation (e.g., materialized paths) can eliminate expensive recursive queries and improve list performance.
Key facts
- A naive read-time approach queries the database on every request and issues recursive queries to fetch ancestors and descendants for shared or owned folders.
- Recursive queries over deeply nested folder structures slow down as the number and depth of resources increase.
- RBAC can store precomputed permissions in a permissions table (user_id, resource_id, access_type) to make reads simple joins instead of recursive traversals.
- Maintaining a permissions table requires updating it on writes (resource creation, sharing) and can introduce complexity and a potential point of failure if it gets out of sync.
- The author found the same precomputed-permissions pattern in PostHog’s codebase via an AccessControl model that includes access_level, resource, and resource_id fields.
- PostHog examples cache access-control records during a request to avoid repeated database lookups, then filter result sets by allowed resource IDs.
- ABAC expresses authorization rules declaratively and is well suited to single-resource checks but is less efficient when evaluating lists because policies must be applied per object.
- Materialized paths store a resource’s full path as a string, allowing descendant/ancestor queries to be performed with prefix searches rather than recursive queries.
What to watch next
- The operational risk of permissions tables drifting out of sync with primary data and the processes needed to detect and repair inconsistencies.
- Write-time performance and latency as systems add automated updates to permissions on resource creation and sharing events.
- How commonly used open-source projects and enterprise platforms (e.g., PostHog) evolve their access-control implementations and caching strategies.
Quick glossary
- RBAC (Role-Based Access Control): An approach that assigns users roles or precomputed permissions tied to resources, enabling fast permission checks via simple database joins.
- ABAC (Attribute-Based Access Control): A policy-driven model where rules evaluate attributes of users, resources and environment to determine access, often expressed declaratively.
- Materialized path: A pattern that stores the full hierarchical path as a string on each node so descendant or ancestor queries become prefix or substring searches.
- Recursive query: A database query that iteratively traverses hierarchical relationships (e.g., parent/child) to retrieve descendants or ancestors.
- Permission cache: A temporary store of computed or retrieved permission records used to avoid repeated lookups during a request or operation.
Reader FAQ
Is precomputing permissions always the best choice?
Precomputing improves read performance for listings but incurs write-time overhead and a maintenance burden; whether it’s best depends on read/write patterns.
Does ABAC replace the need for precomputed permissions?
ABAC provides expressive rule evaluation for single-resource checks but, according to the source, it struggles with efficient listing of many resources.
Did the author find real-world use of the precomputed approach?
Yes — the article references PostHog’s AccessControl model as an example that stores precomputed access controls and caches them per request.
Are there techniques to avoid recursive hierarchy queries?
Yes — the source discusses materialized paths as a way to convert hierarchical traversals into prefix searches, reducing recursion overhead.
Permission Systems for Enterprise that Scale December 12, 2025 Many startups eventually gravitate towards enterprise customers for bigger tickets and long-term contracts. As enterprise customers start using your product, they…
Sources
- Permission Systems for Enterprise That Scale
- Mastering SaaS User Permission Management: A Full Guide
- SaaS Scalability Strategies: Executive Guide for Scaling to …
- How to Build Scalable Multi-Tenant SaaS Architectures
Related posts
- Avoid Mini-Frameworks: Why Small Internal Frameworks Cause Lasting Pain
- How compilers turn simple loops into closed-form math: a surprising optimization
- Popular Mario and Yoshi Games May Foster Childlike Wonder, Lower Burnout