
Granting Multiple Users the Same Security Access

Posted: Thu Jan 14, 2016 3:33 pm
by steveingram

I'm building an application which will be used by multiple Companies. Each Company will have multiple users, each with their own login credentials (username / password). What is the best way to apply security so users will only be able to see their Company's data? The data for each Company will be sensitive and must be kept confidential.

Some options considered:
1) Create a separate database for each company (may have significant overhead for initial provisioning)
2) Use one database, add ACL restrictions to records in the database
2a) If using ACL, how can I manage the adding / removing of users for a company efficiently, without having to batch update ACL values?
2b) Should some CompanyKey be used in combination with the Users collection? If so, does Secure Proxy offer some additional value?

Additional Info: I expect to have approximately 5,000 Companies, each with 2 to 3 user credentials.

I have read many postings, but have not found a clear solution for this. This seems like it would be a common need for many applications. Any suggestions or advice is appreciated.


Posted: Thu Jan 14, 2016 4:44 pm
by Serhii Kulibaba

Hello,

You can use Server code for that. E.g., add one more column to the collection "Users" with a pointer to the company, and use companyId in the server code request.


Posted: Thu Jan 14, 2016 7:38 pm
by steveingram

Can you elaborate on what the Server Code would do and how it would relate to the database ACL?

Thanks!


Posted: Fri Jan 15, 2016 7:29 pm
by Serhii Kulibaba

Server code can read any data without ACL.
So you can do it with the following steps:

  • add a pointer to the company for each user
  • the user sends the company's ID to the Server code
  • Server code reads all items that contain that ID and returns them to the user
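
An added example, not part of the original posts and not any platform's own API: the pointer-plus-server-code approach from this thread in plain JavaScript, where the server takes the company from the authenticated user's stored pointer and rejects a request whose company ID differs from it. The in-memory `users`, `sessions` and `records` data, the session tokens, and the `getCompanyRecords` name are assumptions constructed for illustration.

```javascript
// Constructed sample data standing in for the database collections.
const users = [
  { _id: "u1", username: "alice", companyId: "c1" }, // companyId = pointer to the company
  { _id: "u2", username: "bob", companyId: "c1" },
  { _id: "u3", username: "carol", companyId: "c2" },
];
const sessions = { "tok-alice": "u1", "tok-carol": "u3" }; // session token -> user id
const records = [
  { _id: "r1", companyId: "c1", note: "c1 invoice" },
  { _id: "r2", companyId: "c2", note: "c2 invoice" },
  { _id: "r3", companyId: "c1", note: "c1 contract" },
];

// Hypothetical server-side handler. It runs with full read access to
// `records`, so it is the only place tenant isolation is enforced.
function getCompanyRecords(sessionToken, requestedCompanyId) {
  // 1. Authenticate: resolve the caller from the session, not from request data.
  const known = Object.prototype.hasOwnProperty.call(sessions, sessionToken);
  const user = known ? users.find((u) => u._id === sessions[sessionToken]) : undefined;
  if (!user) return { status: 401, body: [] };

  // 2. Authorize: the company is the one stored on the user's record.
  //    A company ID sent by the client is only compared against it.
  if (requestedCompanyId !== undefined && requestedCompanyId !== user.companyId) {
    return { status: 403, body: [] };
  }

  // 3. Filter by the server-derived company ID only.
  const body = records.filter((r) => r.companyId === user.companyId);
  return { status: 200, body };
}

// Moving or removing a user is one update to that user's pointer;
// no per-record ACL values need to be rewritten.
function setUserCompany(userId, companyId) {
  const user = users.find((u) => u._id === userId);
  if (!user) return false;
  user.companyId = companyId;
  return true;
}
```
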