Current systems that rely on hierarchical role-based access control may use an application server that controls access to documents and a database that maintains explicit group memberships. In order to control access, the application server must know the effective group memberships for a principal when checking their authorization to a resource. In a hierarchical role-based access control system, the hierarchy may be nested to any depth. For example, given the group structure where User 1 is a member of Groups A and B, Group B is a member of Groups D and E, and Group E is a member of Group F, then User 1 may be effectively in Groups D, E and F. In this case, membership of User 1 in Group B implies effective membership in Group D and Group E and effective membership in Group E implies effective membership in Group F.
In some systems, each thread of an application server may cache a user rights list that provides effective group memberships. In this case, there is a separate user rights list cache per thread on the application server. There may be many application servers, each running many threads, which leads to very low cache hit rates. The low cache hit rate forces excessive re-computation of user rights lists, which is very CPU (central processing unit) intensive. Moreover, transfer of membership lists or user rights lists (which may contain hundreds of thousands of entries) between the database server, and the application server is very slow.