Data Access Securty Design

I have an application with about 150 entities and 10 modules with a fair amount of integration between each entity. I have multiple role based permissions and now have a need for restricting the data based upon who the users is. Data access should be restricted based upon the Project.   I use an Entity called Account for logging into the system. My thought was create another entity called Access and link it to the account and to the Project entity.    I would to know if this approach is viable or do I need to do something different. I looked at the (Path to User) option, however I have multiple users who need access to the same data. What I try to achieve is a way to exclude certain data depending on the user and user role.    
1 answers

Hi Martin,

At first glance the "path to user" is the way to go for your requirements. It makes sure that only those users have access who are associated to a specific object via the path you configured. Make sure there is an association between the users and the projects and use that to manage access.

A warning however: this pattern is called multi-tenancy and it may be complex to manage.


I would recommend against introducing an "access" entity or other customized access control in most cases, because multi-tenancy is hard enough by itself and the complexity of extra customizations on top of this may be too much to handle.


I hope this helps.