thomers

Reputation: 2693

Is there a limit on the number of Parse "Role" objects I can/should have?

I develop a private chat app using Parse (JavaScript), where "Message" objects are exchanged within groups of two users. (This could be increased later to allow for more users in a group.) A user can only be part of one group.

I see the following options to secure the access to the messages:

Use Parse Roles and ACLs - Create a Parse Role object for each group, assign the two users to this group, and set an ACL on each new Message object to restrict read/write access for this group only.

This would mean that if I have 100k users, there would be 50k role objects. I'm not sure whether this is the intended use case, or if this would have serious performance implications?

Use Parse ACLs - For each new message, create an ACL that includes read-access for both users in the group.

Manage security by myself - Set class permissions to disable access to "Message", write a CloudCode function to retrieve message objects created by the current user, or any other member of the current group. I could store the group members in a "buddies" 1:n relation for each user, or create a separate "Group" class.

Are there any other scenarios? What are pro/cons to each?

Upvotes: 0

Views: 278

Answers (1)

Wain

Reputation: 119031

There used to be a limit on roles (IIRC just 1 for the free account and only a few for paid accounts). I'm not sure there is any more; it doesn't look like it.

Having the messages related to the group and querying and limiting access based on the group object is likely a better approach (from a query performance point of view - though this would really need to be load tested).

Technically, anyone scraping your keys and accessing the API directly would still be able to see all messages, so adding the role to each message is still prudent. Parse have some recent sample code which encourages creating lots of roles, though again this should be tested.

Upvotes: 1
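The following is an added example, not code from the question, the answer, or Parse itself. It is a simplified model of Parse's JSON ACL format that compares the per-group role ACL (option 1) with the per-user ACL (option 2) and shows which messages a caller holding only the app keys could read. The user ids, role names and helper function names are constructed for illustration, and role hierarchy and class-level permissions are not modelled.

```javascript
// Added example: simplified model of Parse object ACLs in their JSON form
// ({"<userId>": {...}, "role:<name>": {...}, "*": {...}}).
// All user ids, role names and function names are constructed for illustration.

// Option 1: one role per group; the message ACL names only that role.
function roleAcl(roleName) {
  return { ['role:' + roleName]: { read: true, write: true } };
}

// Option 2: no role; the message ACL lists each group member's user id.
function memberAcl(memberIds) {
  const acl = {};
  for (const id of memberIds) acl[id] = { read: true, write: true };
  return acl;
}

// caller is { userId, roles } for a logged-in session, or null for a
// request that presents only the app keys (no session token).
function isAllowed(acl, caller, perm) {
  if (acl == null) return true; // no ACL on the object: public (class permissions aside)
  const keys = ['*'];
  if (caller) {
    keys.push(caller.userId, ...(caller.roles || []).map((r) => 'role:' + r));
  }
  return keys.some(
    (k) => Object.prototype.hasOwnProperty.call(acl, k) && acl[k][perm] === true
  );
}

// Audit helper: ids of messages readable without any session.
function publiclyReadable(messages) {
  return messages.filter((m) => isAllowed(m.ACL, null, 'read')).map((m) => m.objectId);
}

// Constructed sample data: group g1 = {uA, uB}; uC belongs to another group.
const alice = { userId: 'uA', roles: ['group_g1'] };
const carol = { userId: 'uC', roles: ['group_g2'] };
const messages = [
  { objectId: 'm1', ACL: roleAcl('group_g1') },      // option 1
  { objectId: 'm2', ACL: memberAcl(['uA', 'uB']) },  // option 2
  { objectId: 'm3' },                                // saved without an ACL
];

console.log('readable with app keys only:', publiclyReadable(messages));
console.log('readable by outsider uC:', messages.map((m) => isAllowed(m.ACL, carol, 'read')));
```

Both ACL styles deny the outsider and the key-only caller; only the message saved without any ACL is exposed, which is the case worth auditing for.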
