I’m looking to use Strapi to group user accounts together (ex. users belonging to companies). Each company will have the same collections/model of data as the other but obviously I don’t want users from one company to be able to see the data from another company. Ideally I would also get to control what users within a company can see/do whatever.
Effectively the data itself is federated by users/groups but the model is common across my installation.
How have others solved this problem?
Hi @simontam
This is a common use-case and we haven’t totally implemented multi-tenancy yet (see: Multi-tenancy - Roadmap | Product Roadmap) but it can roughly be accomplished with some well written policies. I’ll leave you with our policy documentation but also with a bit of an older example of this in testing.
You are more than welcome to test out my rough example I made a few months back, but it may require some customization and I don’t generally recommend throwing a bunch of checks in a single policy and instead break them out into their own. This example was written for a user while I was twitch streaming one day.
Repo: GitHub - derrickmehaffy/testing-strapi-policies
Main policy for testing:
Applied to a content-type:
There is lot there to digest but the examples I gave kind give two ways to handle the requests, either by forcefully moving the request to the proper query param or to return an error. The key take-away though is where you put the code in the policy (before the await next() or after the await next()) and if your goal is to reject/return an error/secure the route you will want to make sure it’s before the await next()
Let me know if you have questions 
The link “policy documentation” you put up there leads to a error 404. May you update the URL?