Arvados

The incremental permission updates presently operates on the principal that for each target_uuid included in the result, it returns every user with permission to that target_uuid. Because it is exhaustive, permissions are removed for any user/target combination not in the result set.

When a permission link is being added, this strategy can lead to unnecessary work, because it returns permission rows for users that already had permission. It should be possible for "permission added" operations to compute only new permissions and merge the results.

When a permission is changed or removed, we don't know if some or all users still have permission via some other path, so we probably have to continue the current behavior which recomputes permissions for users of the selected targets.

When a permission link originates at a user, the permission change can only affect permissions for that specific user. In this case, the update should recompute permissions for only that user.