When authorizing items such as forms or presentations, the algorithm used can be very inefficient. The WorksiteAwareAuthorizationFacade checks every site to which the viewer belongs by retrieving them from the AuthzGroupService individually. The entire set is retrieved from the database on each check, incurring a large penalty for users who belong to many sites.
There is a kernel issue recorded as
KNL-488 to offer a new method to check the user's roles more efficiently. There is a dependent patch required to OSP to take advantage of this method.