Data Access Security Design

0
I have an application with about 150 entities and 10 modules with a fair amount of integration between each entity. I have multiple role-based permissions and now have a need for restricting the data based upon who the user is. Data access should be restricted based upon the Project. I use an Entity called Account for logging into the system. My thought was to create another entity called Access and link it to the account and to the Project entity. I would like to know if this approach is viable or do I need to do something different. I looked at the (Path to User) option; however, I have multiple users who need access to the same data. What I try to achieve is a way to exclude certain data depending on the user and user role.
asked
1 answers
1

Hi Martin,

At first glance, the "path to user" is the way to go for your requirements. It makes sure that only those users have access who are associated with a specific object via the path you configured. Make sure there is an association between the users and the projects and use that to manage access.

A warning however: this pattern is called multi-tenancy and it may be complex to manage.

I would recommend against introducing an "access" entity or other customized access control in most cases, because multi-tenancy is hard enough by itself and the complexity of extra customizations on top of this may be too much to handle.

I hope this helps.

answered
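
The path-based restriction discussed in this thread, modelled outside the platform as an added example (not code from the original posts or from the platform itself). It shows that a many-to-many association between accounts and projects lets several users reach the same data while everything else stays hidden; the `task` table, the `project_account` link table and all sample rows are constructed for illustration.

```python
import sqlite3

# Constructed schema: Account and Project come from the question; task and the
# project_account link table are hypothetical names for this illustration.
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE project_account (          -- many-to-many association
    project_id INTEGER REFERENCES project(id),
    account_id INTEGER REFERENCES account(id),
    PRIMARY KEY (project_id, account_id));
CREATE TABLE task (id INTEGER PRIMARY KEY, title TEXT,
                   project_id INTEGER REFERENCES project(id));
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO account VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.executemany("INSERT INTO project VALUES (?, ?)",
                     [(10, "Bridge"), (20, "Tunnel")])
    # alice and bob share Bridge; bob also has Tunnel; carol has no project.
    conn.executemany("INSERT INTO project_account VALUES (?, ?)",
                     [(10, 1), (10, 2), (20, 2)])
    conn.executemany("INSERT INTO task VALUES (?, ?, ?)",
                     [(100, "Survey", 10), (101, "Pour deck", 10),
                      (200, "Bore shaft", 20), (300, "Orphan", None)])
    return conn

def visible_tasks(conn, account_name):
    """Return task titles reachable via task -> project -> account.

    The constraint is part of every read, so a task without a project, or in
    a project the account is not linked to, is never returned (default deny).
    """
    rows = conn.execute(
        """SELECT t.title FROM task t
           JOIN project_account pa ON pa.project_id = t.project_id
           JOIN account a ON a.id = pa.account_id
           WHERE a.name = ?
           ORDER BY t.id""", (account_name,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):
        print(user, visible_tasks(db, user))
```

Role-based permissions still decide which operations a user may perform; the path only narrows which rows those operations can touch.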