...
Turning caching off
For certain use cases where caching of security policies may not be acceptable, even at the cost of a significant performance hit, a configuration knob should be provided to turn caching off. By default, though, caching will be enabled.
Intercepting Dataset calls
Since authorization policies must be applied to custom datasets as well, it is non-trivial to decide where dataset calls should be intercepted to add authorization checks. The right approach would depend on the design of the new Dataset APIs in Datasets Revamp. One option is to intercept only the getDataset call, which obtains a dataset for READ, WRITE, READ_WRITE, etc., and to apply the corresponding authorization policy there. With this approach, the actual read/write calls would not be intercepted. It has an obvious drawback: getDataset calls may be cached, and even if they are not, what happens if a principal's privilege on a dataset is revoked after that principal has already executed a getDataset call successfully?
Note: The approach here is TBD; it depends on the new Dataset APIs and will be finalized during implementation.
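The following is an added example, not CDAP code and not part of this design document, that models the two points above in a few lines of Python: a policy cache with a knob to turn it off, and a getDataset-only interception point. The class and function names (PrivilegeStore, AuthorizationEnforcer, AuthorizingDatasetFramework, DatasetHandle, simulate_revocation), the TTL-based cache, and the rule that READ_WRITE requires both READ and WRITE are assumptions made for illustration. The simulation shows what a reviewer would want to measure: how many policy lookups each configuration costs, whether a revocation is seen by the next getDataset call, and that a handle already obtained keeps working because its read() is not intercepted.

```python
import time
from enum import Enum
from typing import Callable, Dict, Set, Tuple


class Action(Enum):
    READ = "READ"
    WRITE = "WRITE"
    READ_WRITE = "READ_WRITE"


class UnauthorizedException(Exception):
    pass


# Assumed semantics: which atomic privileges each requested access type needs.
REQUIRED = {
    Action.READ: {Action.READ},
    Action.WRITE: {Action.WRITE},
    Action.READ_WRITE: {Action.READ, Action.WRITE},
}


class PrivilegeStore:
    """Hypothetical backing store; every lookup is counted so caching is visible."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Set[Action]] = {}
        self.lookups = 0

    def grant(self, principal: str, dataset: str, action: Action) -> None:
        self._grants.setdefault((principal, dataset), set()).add(action)

    def revoke(self, principal: str, dataset: str, action: Action) -> None:
        self._grants.get((principal, dataset), set()).discard(action)

    def is_allowed(self, principal: str, dataset: str, action: Action) -> bool:
        self.lookups += 1
        held = self._grants.get((principal, dataset), set())
        # A READ_WRITE grant satisfies both READ and WRITE.
        return all(a in held or Action.READ_WRITE in held for a in REQUIRED[action])


class AuthorizationEnforcer:
    """Checks privileges, optionally through a TTL cache (the configuration knob)."""

    def __init__(self, store: PrivilegeStore, cache_enabled: bool = True,
                 cache_ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._store = store
        self.cache_enabled = cache_enabled
        self.cache_ttl_seconds = cache_ttl_seconds
        self._clock = clock
        self._cache: Dict[Tuple[str, str, Action], Tuple[bool, float]] = {}

    def enforce(self, principal: str, dataset: str, action: Action) -> None:
        key = (principal, dataset, action)
        now = self._clock()
        if self.cache_enabled:
            hit = self._cache.get(key)
            if hit is not None and hit[1] > now:
                allowed = hit[0]  # stale until the TTL expires, even after a revoke
            else:
                allowed = self._store.is_allowed(principal, dataset, action)
                self._cache[key] = (allowed, now + self.cache_ttl_seconds)
        else:
            allowed = self._store.is_allowed(principal, dataset, action)
        if not allowed:
            raise UnauthorizedException(f"{principal} lacks {action.value} on {dataset}")


class DatasetHandle:
    """Stand-in for a dataset instance; read() is deliberately NOT authorized."""

    def __init__(self, name: str) -> None:
        self.name = name

    def read(self) -> str:
        return f"record from {self.name}"


class AuthorizingDatasetFramework:
    """Intercepts only getDataset, as in the option discussed above."""

    def __init__(self, enforcer: AuthorizationEnforcer) -> None:
        self._enforcer = enforcer

    def get_dataset(self, principal: str, name: str, access: Action) -> DatasetHandle:
        self._enforcer.enforce(principal, name, access)
        return DatasetHandle(name)


def simulate_revocation(cache_enabled: bool, ttl: float = 300.0) -> dict:
    """Grant, fetch twice, revoke, fetch again, then fetch after the TTL has passed."""
    clock = [0.0]  # constructed fake clock so the TTL can be advanced deterministically
    store = PrivilegeStore()
    enforcer = AuthorizationEnforcer(store, cache_enabled, ttl, clock=lambda: clock[0])
    framework = AuthorizingDatasetFramework(enforcer)
    store.grant("alice", "purchases", Action.READ)

    handle = framework.get_dataset("alice", "purchases", Action.READ)
    framework.get_dataset("alice", "purchases", Action.READ)
    lookups_before_revoke = store.lookups

    store.revoke("alice", "purchases", Action.READ)

    def denied() -> bool:
        try:
            framework.get_dataset("alice", "purchases", Action.READ)
            return False
        except UnauthorizedException:
            return True

    denied_after_revoke = denied()
    handle_still_reads = handle.read().startswith("record")  # read() never re-checks
    clock[0] += ttl + 1
    denied_after_ttl = denied()
    return {
        "lookups_before_revoke": lookups_before_revoke,
        "denied_after_revoke": denied_after_revoke,
        "handle_still_reads": handle_still_reads,
        "denied_after_ttl": denied_after_ttl,
        "total_lookups": store.lookups,
    }


if __name__ == "__main__":
    print("cache on: ", simulate_revocation(True))
    print("cache off:", simulate_revocation(False))
```

With caching on, the second and third getDataset calls cost no lookup, so the revocation is not seen until the cache entry expires; with caching off every call hits the store and the revocation is enforced immediately. In both configurations the handle obtained before the revoke keeps reading, which is the gap left by intercepting only getDataset.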
Authorizing Service Requests
...