I'm trying to index data in a system that implements some rather nasty access controls on the data.
Basically, there are users, and communities, and users are members of the communities. Potentially a user could be a member of hundreds or even thousands of communities (there's no enforced upper limit). Now I'm trying for a solution such that a user only gets documents that are either "public" or belong to a community that they're a member of.

I figure there are two approaches (if there are other/better ones, please let me know).

1) For each document in the index, I store userid in a multivalued field. I simply store every single userid that IS allowed access to the document. This has the advantage of the query being quite simple (e.g. useracecss:MYUSERID) but I will have to store HEAPS of data, and potentially have to do many more updates (as users join/leave communities).

2) For each document in the index, store the community id that it belongs to. The obvious advantage here is fewer updates, and less storage. HOWEVER, this means queries get bigger and bigger as users are in more and more communities (e.g. communityid:(myCID1 OR myCID2 OR myCID3 ....)).

Does anyone have any thoughts on this? Are there blindingly obvious options I'm missing that would take all this complication away? What performance implications does each of these methods have?

Many thanks in advance for any comments or helpful suggestions :)

-- Martyn
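The two approaches described in the post, modelled as an added example that is not part of the original post: it builds the option 2 filter server-side from the membership table and counts the re-index work each option needs when a user joins a community. The `visibility:public` field, the `max_clauses` limit, the Lucene-style escaping and the sample data are assumptions made for illustration.

```python
import re

# Constructed sample data: community -> members, and four documents.
MEMBERS = {"c1": {"alice", "bob"}, "c2": {"bob"}}
DOCS = [
    {"id": 1, "community": None},  # public document
    {"id": 2, "community": "c1"},
    {"id": 3, "community": "c1"},
    {"id": 4, "community": "c2"},
]

# Characters with meaning in Lucene-style query syntax (assumed syntax).
_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/&|\s])')

def escape_term(value):
    """Backslash-escape query metacharacters so an ID cannot alter the filter."""
    return _SPECIAL.sub(r"\\\1", str(value))

def community_filter(user, members=MEMBERS, max_clauses=1024):
    """Option 2: derive the filter from authoritative membership, never from client input."""
    ids = sorted(c for c, users in members.items() if user in users)
    if len(ids) + 1 > max_clauses:  # hypothetical engine limit on OR clauses
        raise ValueError("too many communities for one boolean query")
    clauses = ["visibility:public"]  # assumed field marking public documents
    if ids:  # a user with no communities gets public only, not an empty group
        clauses.append("communityid:(%s)" % " OR ".join(map(escape_term, ids)))
    return " OR ".join(clauses)

def visible_by_community(user, docs=DOCS, members=MEMBERS):
    """Evaluate the option 2 filter against the sample documents."""
    mine = {c for c, users in members.items() if user in users}
    return [d["id"] for d in docs
            if d["community"] is None or d["community"] in mine]

def reindex_cost_on_join(community, scheme, docs=DOCS):
    """Documents that must be rewritten when one user joins `community`."""
    if scheme == "userid":  # option 1: every document of the community changes
        return sum(1 for d in docs if d["community"] == community)
    return 0  # option 2: membership lives outside the index

if __name__ == "__main__":
    for u in ("alice", "bob", "mallory"):
        print(u, "|", community_filter(u), "|", visible_by_community(u))
    print("docs rewritten on join to c1:",
          reindex_cost_on_join("c1", "userid"), "vs",
          reindex_cost_on_join("c1", "community"))
```

With option 1, a membership change is not enforced until every affected document has been re-indexed, so a user who leaves a community keeps access for as long as that update lags.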