Multiple rows vs multiple columns vs array in PostgreSQL

Question

I am creating a granular permissions system and am having trouble deciding the best way to go about it. The database I am using is Postgres.

Basically, I will have 3 tables:

permissions
-----------
p_id, name, description

permissions_groups
------------------
pg_id, name, description

permissions_users
-----------------
pu_id, user_id

Anything ending in '_id' will be an integer, the rest will be varchar or text.

The permissions system will be a part of a greater system where I rely on the user ID from another table.

Heres where I am stuck. I have two ideas:

Idea 1

permissions_group will have a column called permissions which will be an integer array. This will contain all p_ids for that permissions group.

permissions_users will have a column called pg_ids which will be an integer array containing all permission groups a user has, and a column called permissions (int array) which have all p_ids of assigned permissions which do not belong in a group.

Sample data:

permissions
-----------
1, add_user, Can create a user
2, delete_user, Can delete a user
3, view_users, Can view all users
4, random_perm, Some example permission

permissions_groups
-----------------
1, user_management, User management, [1,2,3]
// This group contains permissions 1,2, and 3

permissions_users
-----------------
1, 1, [1], [4]
// This user links to user with id of 1, has permissions group 1 and permission 4

Idea 2

The second idea is more classic SQL. The 3 tables will stay the same. There will be 2 new tables:

permissions_groups_link
-----------------------
pgl_id, pg_id, p_id

permissions_users_link
----------------------
pul_id, pu_id, p_id, pg_id

Now it will work like this:

permissions_users[pu_id]
  |
  V
permissions_users_link[pu_id]
  |
  V
p_id        OR        pg_id
  |                     |
  V                     V
permissions[p_id] <- permissions_groups[pg_id]

Sample data:

permissions
-----------
1, add_user, Can create a user
2, delete_user, Can delete a user
3, view_users, Can view all users
4, random_perm, Some example permission

permissions_groups
-----------------
1, user_management, User management

permissions_groups_link
-----------------------
1, 1, 1
2, 1, 2
3, 1, 3
// Assign permissions 1,2, and 3 to group 1

permissions_users
-----------------
1, 1

permissions_users_link
----------------------
1, 1, 4, NULL
2, 1, NULL, 1
// Assign permission 4 to user 1
// Assign group 1 to user 1

Summary

In the end, all this data will be aggregated into a list containing all permissions a user has, regardless of group. So with the above examples, the server-side code will aggregate all of that into:

Permissions for user 1:
1 => add_user
2 => delete_user
3 => view_users
4 => random_perm

The groups will serve only for visual distinction and easy application of permissions per user.

My questions

Which one of those ideas would scale best and be the fastest? Assume that in a live environment, there are 10000 users and 1000 permissions and each user has on average 500 permissions.

Or are both ideas really bad and have I overlooked some fundamental RDBMS concepts that would make it easier?

Answer 1

I would not use array columns to store these permissions, especially not if you're going to have 500 permissions per user. Array columns won't allow you to have any foreign key constraints on permissions/group and permissions/user relations

Of the 3 options I would pick the last option;

User N:N Permission Group N:N Permission User N:N Group

If permissions are not updated regularly, you may consider to use a 'NESTED' or MPTT table to store the permissions, which would allow setting permissions on several levels, e.g. a user has 'all' permissions on users and/or having groups inherit permissions from other groups.

You may find this explanation on ACL's interesting: http://book.cakephp.org/2.0/en/core-libraries/components/access-control-lists.html