User groups and restricted access to data

I’m looking to use Strapi to group user accounts together (ex. users belonging to companies). Each company will have the same collections/model of data as the other but obviously I don’t want users from one company to be able to see the data from another company. Ideally I would also get to control what users within a company can see/do whatever.

Effectively the data itself is federated by users/groups but the model is common across my installation.

How have others solved this problem?

Hi @simontam

This is a common use-case and we haven’t totally implemented multi-tenancy yet (see: https://portal.productboard.com/strapi/1-roadmap/c/36-multi-tenancy) but it can roughly be accomplished with some well written policies. I’ll leave you with our policy documentation but also with a bit of an older example of this in testing.

You are more than welcome to test out my rough example I made a few months back, but it may require some customization and I don’t generally recommend throwing a bunch of checks in a single policy and instead break them out into their own. This example was written for a user while I was twitch streaming one day.

Repo: https://github.com/derrickmehaffy/testing-strapi-policies

Main policy for testing:

Applied to a content-type:

There is lot there to digest but the examples I gave kind give two ways to handle the requests, either by forcefully moving the request to the proper query param or to return an error. The key take-away though is where you put the code in the policy (before the await next() or after the await next()) and if your goal is to reject/return an error/secure the route you will want to make sure it’s before the await next()

Let me know if you have questions :slight_smile: