Installation and Administration

Read ACLs

Updated: October 16, 2020

ACL Management Modes

Two modes are available to configure the management of ACLs in the Nuxeo Platform. They are activated using the aclOptimization parameter in the repository configuration.

  • ReadACL OFF (aclOptimization to false) only writes the permissions in the ACL table: this mode is costless at the write time (document creation, permissions changes) but has an important cost at read time, when filtering the results of a search.
  • ReadACL ON (aclOptimization to true) is the default one in the Nuxeo Platform. It computes the READ ACLs for every document at document creation or permission settings: not only permissions are written in the ACL table, but other tables are updated to provide an efficient cache when launching queries. So this mode is fast at read time, but may be expensive at write time.

ReadACL ON is the default choice because in most cases people would prefer to promote better search performances rather that document update performances. Quick search results are usually considered as more critical.

Potential Issues

  • A technical consequence of this trade-off is a case where the Nuxeo Platform may encounter problems: setting new permission on a big folder (like a domain) may result in a timeout when saving the changes in the Access rights tab.
  • There is an ACL cache at the database level for each user that logins, this cache is flushed when Nuxeo starts. For long running instance with lots of different users the size of the cache can impact the write operations.

Possible solutions

  • The main solution is to:
    1. Use groups dedicated to these big folders.
    2. Add users and subgroups to these groups instead of changing the permissions on these big folders.
  • For long running instance with lots of users, you can call periodically a vacuum procedure at the database level, this should be done preferably when the application load is low:

    -- For PostgreSQL
    SELECT nx_vacuum_read_acls();
    -- For Oracle
    CALL nx_vacuum_read_acls();
    -- For MsSQL
    EXEC dbo.nx_vacuum_read_acls

Another solution if you need both write and read high performance is to disable the ReadACL and move slow queries from the database to Elasticsearch.