Modeling Fast Permission Checks with Redis
How Redis sets, cached effective permissions, and bitmaps can support low-latency authorization flows.
Authors: Orcaq Team
Authorization checks sit on the hot path of almost every API request. If each check has to join multiple relational tables, permission logic can become one of the quiet sources of latency in an application.
Redis is a useful fit when the permission model is simple enough to precompute or cache, but still needs to stay fast under request load.
Model Roles as Sets
Role-based access control maps cleanly to Redis sets. Each role owns a set of permissions:
SADD role:admin read write delete manage_users
SADD role:editor read write
SADD role:viewer read
Users can then hold one or more roles:
SADD user:101:roles admin
SADD user:102:roles editor viewer
SADD user:103:roles viewer
This keeps the model easy to inspect. If you need to know why a user has access, you can read the role membership and role definitions directly.
Cache Effective Permissions
When users can have multiple roles, compute the combined permission set and cache it with a short TTL:
SUNIONSTORE user:102:effective_permissions role:editor role:viewer
EXPIRE user:102:effective_permissions 300
SMEMBERS user:102:effective_permissions
The TTL gives you a practical balance: reads are fast, and role changes do not stay stale for long. For sensitive changes, you can also delete the effective-permissions key immediately after updating role membership.
Add Resource-Level ACLs
Some applications need both role-level permissions and resource-specific access. Redis can represent those access control lists with scoped keys:
SADD resource:doc:500:acl:102 read write
SADD resource:doc:500:acl:103 read
SISMEMBER resource:doc:500:acl:102 write
This works well for document-level collaboration, dashboard sharing, and short-lived access grants.
Use Bitmaps for Compact Checks
For large fleets of objects or users, bitmaps can reduce memory overhead. Assign each permission a bit position:
# 0 = read, 1 = write, 2 = delete, 3 = manage
SETBIT perm:user:101 0 1
SETBIT perm:user:101 1 1
SETBIT perm:user:101 2 1
SETBIT perm:user:101 3 1
GETBIT perm:user:101 2
Bitmaps trade readability for density. Use them where scale makes the tradeoff worthwhile, and keep a clear mapping of bit positions in code.
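One way to keep that mapping in code, as an added example that is not part of the original article. The names Perm, setbit, getbit, encode, has_permission and decode are hypothetical helpers, and the byte strings stand in for what GET would return for a key such as perm:user:101. It mirrors Redis bit ordering, where offset 0 is the most significant bit of the first byte, and denies on a missing key or an unknown permission name.

```python
from __future__ import annotations
from enum import IntEnum

class Perm(IntEnum):
    """Bit offsets from the article's comment: 0=read, 1=write, 2=delete, 3=manage."""
    READ = 0
    WRITE = 1
    DELETE = 2
    MANAGE = 3

def setbit(buf: bytearray, offset: int, value: int) -> None:
    """Mirror Redis SETBIT: offset 0 is the MOST significant bit of byte 0."""
    byte, bit = divmod(offset, 8)
    if byte >= len(buf):
        buf.extend(b"\x00" * (byte + 1 - len(buf)))  # Redis zero-pads on growth
    mask = 0x80 >> bit
    buf[byte] = (buf[byte] | mask) if value else (buf[byte] & ~mask & 0xFF)

def getbit(raw: bytes, offset: int) -> int:
    """Mirror Redis GETBIT: offsets past the end of the string read as 0."""
    byte, bit = divmod(offset, 8)
    return 0 if byte >= len(raw) else (raw[byte] >> (7 - bit)) & 1

def encode(perms) -> bytes:
    """Build the raw string value Redis would hold after SETBIT for each permission."""
    buf = bytearray()
    for p in perms:
        setbit(buf, Perm(p), 1)
    return bytes(buf)

def has_permission(raw: bytes | None, name: str) -> bool:
    """Fail closed: a missing key (None) or an unknown permission name is a deny."""
    if raw is None:
        return False
    try:
        perm = Perm[name.upper()]
    except KeyError:
        return False
    return getbit(raw, perm) == 1

def decode(raw: bytes) -> list[str]:
    """Turn a raw bitmap back into permission names, e.g. during an incident review."""
    return [p.name.lower() for p in Perm if getbit(raw, p)]

if __name__ == "__main__":
    raw = encode([Perm.READ, Perm.WRITE])  # constructed sample value
    print(raw, decode(raw), has_permission(raw, "delete"))
```

Because every reader and writer goes through Perm, reordering or reusing a bit position is a visible code change rather than a silent reinterpretation of stored bitmaps.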
Keep the Source of Truth Clear
Redis can make authorization checks fast, but teams still need a durable source of truth. A common pattern is:
- Store authoritative role assignments in the primary database.
- Mirror or cache computed permissions in Redis.
- Invalidate Redis keys when roles or grants change.
- Log permission changes in the database, not only in Redis.
Fast authorization is useful only when it remains understandable during incidents.
Sources
- OneUptime: How to Model Permission Systems in Redis
