Role-based access control in Elasticsearch - Time & Space Complexity

When using role-based access control in Elasticsearch, it is important to understand how the system checks permissions as the number of roles and users grows.

We want to know how the time to verify access changes when more roles or permissions are added.

Analyze the time complexity of the following role check query.

POST /_security/user/_has_privileges
{
  "username": "alice",
  "privileges": {
    "cluster": ["monitor"],
    "index": [
      {
        "names": ["sales-data"],
        "privileges": ["read"]
      }
    ]
  }
}
    

This request checks if user "alice" has the specified cluster and index privileges based on her assigned roles.

When Elasticsearch checks privileges, it:

• Primary operation: Iterates over all roles assigned to the user.
• How many times: Once per role, checking each role's permissions.

The dominant work is checking each role's permissions against requested privileges.

As the number of roles assigned to a user increases, the time to check privileges grows roughly in proportion.

Input Size (number of roles)	Approx. Operations
10	10 permission checks
100	100 permission checks
1000	1000 permission checks

Pattern observation: The time grows linearly as more roles are checked.

Time Complexity: O(n)

This means the time to verify access grows linearly with the number of roles assigned to the user.

[X] Wrong: "Checking user privileges is always constant time regardless of roles."

[OK] Correct: The system must check each role's permissions, so more roles mean more checks and longer time.

Understanding how role checks scale helps you explain system performance and design better access control in real projects.

What if we changed from checking roles one by one to caching combined permissions? How would the time complexity change?