Michael Lewis <mlewis@xxxxxxxxxxx> writes: > On Fri, Sep 20, 2019 at 8:19 AM Tom Lane <tgl@xxxxxxxxxxxxx> wrote: >> There is a restriction on how many distinct GRANTs you can >> issue against any one object --- performance will get bad if the ACL >> list gets too large. > Any ballpark numbers here? Are we talking 50 or 8000? More like the former. aclitems are 12 bytes each, so once you get past ~100 items in an object's ACL list, the array is going to get large enough to be subject to toasting, greatly increasing the time to access it. That's not even counting the question of whether scanning lots of items to determine access privileges is expensive. The code that deals with ACL lists isn't terribly well optimized. I'm not aware that anyone's done formal performance testing, but if you want to have a lot of roles in the system, my expectation is that you'd be better off granting privileges to a small number of group roles and then granting group role membership as appropriate. regards, tom lane
