EventStoreDB Ideas Portal

Ideas for improvements and new features in EventStoreDB, client libraries, and database extensions.

Status Planned
Workspace EventStoreDB
Created by Alexey Zimarev
Created on Jan 7, 2024

Stream authorisation policies

ESDB has access control lists (ACLs) as the primary method to achieve granular (per stream) authorisation. However, ACLs need to be set up per stream, which is a burden for developers. Also, if the auth rules change, all the streams need to get their ACLs updated, and there could be millions of streams that require an update. In addition, stream-level ACL requires reading stream metadata for authorisation, which slows down reads.

Authorisation policies are a good alternative. For example, by setting a policy to allow reads of ShoppingCart-* for a specific user, it will apply to all the shopping cart streams. Changing the policy will apply to all those streams at once. Because policies cover collections of streams, they don't require so much space and, therefore, can be cached, so authorisation checks will be very fast.
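
A sketch of the pattern-based check described above, added here as an illustration and not taken from this idea or from EventStoreDB. `Rule`, `PolicyStore`, the trailing-`*` prefix syntax, the default-deny behaviour and the user names are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    pattern: str          # "ShoppingCart-*" (prefix) or an exact stream name
    action: str           # "read" or "write"
    users: frozenset      # principals this rule allows

    def matches(self, stream: str) -> bool:
        # Only a trailing "*" is special, so characters such as "?" or "["
        # in a stream name are never interpreted as wildcards.
        if self.pattern.endswith("*"):
            return stream.startswith(self.pattern[:-1])
        return stream == self.pattern

class PolicyStore:
    """Hypothetical policy set held in memory (the rule list is the cache)."""

    def __init__(self, rules=()):
        self._rules = tuple(rules)

    def replace(self, rules):
        # One swap changes the decision for every stream the patterns cover;
        # no per-stream metadata has to be rewritten.
        self._rules = tuple(rules)

    def is_allowed(self, user: str, action: str, stream: str) -> bool:
        # Default deny: access needs an explicit matching rule.
        return any(r.action == action and user in r.users and r.matches(stream)
                   for r in self._rules)

def demo():
    store = PolicyStore([Rule("ShoppingCart-*", "read", frozenset({"alice"}))])
    streams = [f"ShoppingCart-{i}" for i in range(1000)]  # constructed names
    before = sum(store.is_allowed("alice", "read", s) for s in streams)
    # Policy change: alice loses read access, bob gains it.
    store.replace([Rule("ShoppingCart-*", "read", frozenset({"bob"}))])
    after = sum(store.is_allowed("alice", "read", s) for s in streams)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The check reads no stream metadata, and revoking access is a single `replace` call regardless of how many streams match the pattern.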
