Architecture – How best to design Access Control Layer in n-tier architecture application

access-control, architecture, design-patterns, enterprise-architecture

This is a typical architecture scenario for a 3-tier design:

UI-tier
Has Graphical User Interface components

Middle-tier
Has business logic including the following layers:

  1. Data Access Layer (DAL)
  2. Access Control

Data-tier
Typically your database or physical data storage

What is the best way to implement Access Control when performance is at the top of the priority list?

  • Should the DAL return ALL data and have the UI layer worry about Access Control?
  • Should the DAL perform Access Control, i.e. decide which data to return, so that the UI does not worry about Access Control?

What are your thoughts on this, and what guides you when making such design decisions?

Best Answer

I would definitely put AccessControl on the DAL.

Here are some reasons I can think of:

  • Quite often you will have multiple UI forms for the same data, and you would have to code your AccessControls into all of them. Making updates would also be more time consuming and prone to errors as you'd have to remember to update every form that references that data when a change occurs.

  • If you decide to make another version of the application in another framework, such as a web version of a desktop app, you would have to re-create all your AccessControls for the new UI. If the AccessControls were in the DAL, you just need to hook up to your DAL and create your UI.

  • Without AccessControls on the DAL you open up a bunch of security holes. If someone can bypass your UI they have access to all your data.
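
A sketch of access control enforced in the DAL, as the answer above recommends. This is an added example, not code from the original post; `Principal`, `InvoiceDAL`, the `invoices` table and the `auditor` role are hypothetical names, and the rows are constructed sample data. Filtering in the query also means rows the caller may not see are never fetched, which bears on the performance concern in the question.

```python
import sqlite3
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:              # hypothetical caller identity handed in by any UI
    user_id: int
    roles: frozenset

class AccessDenied(Exception):
    pass

class InvoiceDAL:
    """Every method requires a Principal; there is no unfiltered read path."""
    def __init__(self, conn):
        self._conn = conn

    def list_invoices(self, who):
        # The filter is part of the SQL, so forbidden rows never leave the
        # data tier, whichever UI (desktop, web, script) made the call.
        sql = "SELECT id, owner_id, amount FROM invoices"
        params = ()
        if "auditor" not in who.roles:
            sql += " WHERE owner_id = ?"
            params = (who.user_id,)
        return self._conn.execute(sql + " ORDER BY id", params).fetchall()

    def update_amount(self, who, invoice_id, amount):
        # The ownership check lives in the WHERE clause: check and write are
        # a single statement, so there is no gap between them.
        cur = self._conn.execute(
            "UPDATE invoices SET amount = ? WHERE id = ? AND owner_id = ?",
            (amount, invoice_id, who.user_id))
        if cur.rowcount == 0:
            raise AccessDenied(
                f"user {who.user_id} may not modify invoice {invoice_id}")

def build_demo_db():
    # Constructed sample data: user 10 owns invoices 1 and 2, user 20 owns 3.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices "
                 "(id INTEGER PRIMARY KEY, owner_id INTEGER, amount REAL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                     [(1, 10, 100.0), (2, 10, 250.0), (3, 20, 75.0)])
    return conn
```

Because every UI goes through the same `InvoiceDAL` methods, a rule change is made once, and a caller that skips the UI entirely still only gets what its `Principal` is allowed to see.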