For an app I'm working on, permissions ACL is stored in a string, in the form:
Both users and documents have an ACL string.
The number represents the access level for that category. Bigger numbers mean higher access.
In the previous Lucene-based iteration, to perform permission filtering, I just loaded the entire field into memory and did quick in-memory lookups. In this current iteration, I'm trying something different.
I'm creating one field per category level and populating the field values accordingly. Then, when searching, I need to search for all the possible categories using range queries, including specifying empty fields where applicable. Works pretty well. The main drawback (and it's a severe one) is that I need to know all the categories a priori. This is not a problem for this app, but might be for other folks.
Here's an example of how it looks.
Document A: user=300|moderator=100 maps to acl_user:300 acl_moderator:100
User A: moderator=300
Filter Query to determine if User A can access Document A:
-acl_user:[* TO *] acl_moderator:[0 TO 300]
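
The field mapping and filter construction described above, as an added Python example that is not the author's code. The ACL string format and field names follow the Document A / User A example; the fixed KNOWN_CATEGORIES list, the function names, and the choice to reject unknown or malformed entries are assumptions.

```python
import re

# Assumption: the full category list is fixed up front, as the post requires.
KNOWN_CATEGORIES = ("user", "moderator")
# Strict entry shape keeps query syntax characters out of the filter string.
_ENTRY = re.compile(r"([a-z_]+)=([0-9]+)")


def parse_acl(acl):
    """Parse 'user=300|moderator=100' into {'user': 300, 'moderator': 100}."""
    levels = {}
    for entry in acl.split("|"):
        m = _ENTRY.fullmatch(entry.strip())
        if not m:
            raise ValueError(f"malformed ACL entry: {entry!r}")
        category, level = m.group(1), int(m.group(2))
        # Fail closed: a category without a field would never be filtered on.
        if category not in KNOWN_CATEGORIES:
            raise ValueError(f"unknown ACL category: {category!r}")
        if category in levels:
            raise ValueError(f"duplicate ACL category: {category!r}")
        levels[category] = level
    return levels


def document_fields(doc_acl):
    """Index time: one acl_<category> field per category on the document."""
    return {f"acl_{c}": lvl for c, lvl in parse_acl(doc_acl).items()}


def user_filter_query(user_acl):
    """Search time: a range clause for each category the user holds and an
    'empty field' clause for each known category the user lacks."""
    levels = parse_acl(user_acl)
    clauses = []
    for category in KNOWN_CATEGORIES:
        if category in levels:
            clauses.append(f"acl_{category}:[0 TO {levels[category]}]")
        else:
            clauses.append(f"-acl_{category}:[* TO *]")
    return " ".join(clauses)


if __name__ == "__main__":
    print(document_fields("user=300|moderator=100"))  # Document A
    print(user_filter_query("moderator=300"))         # User A
```

Rejecting unknown categories matters because a document restriction in a category that has no indexed field is silently dropped, and no clause in the filter would ever exclude that document.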